hopefully fixed auth url not having shop param

Author: TheSecurityDev

package.json

@@ -1,6 +1,6 @@
 {
   "name": "simple-koa-shopify-auth",
-  "version": "2.1.1",
+  "version": "2.1.2",
   "description": "A better, simplified version of the (no longer supported) @Shopify/koa-shopify-auth middleware library. It removes the use of cookies for sessions (which greatly smooths the auth process), replaces a deprecated API call, and supports v2 of the official @shopify/shopify-api package.",
   "author": "TheSecurityDev",
   "license": "MIT",

src/create-shopify-auth.ts

@@ -41,8 +41,7 @@ export default function createShopifyAuth(options: OAuthBeginConfig) {
 
   // This executes for every request
   return async function shopifyAuthMiddleware(ctx: Context, next: Next) {
-    const { cookies, query, path } = ctx;
-    const queryString = new URLSearchParams(query as any).toString();
+    const { cookies, query, querystring, path } = ctx;
     const shop = query.shop ? query.shop.toString() : "";
 
     cookies.secure = true;
@@ -94,7 +93,7 @@ export default function createShopifyAuth(options: OAuthBeginConfig) {
           case err instanceof Shopify.Errors.CookieNotFound:
           case err instanceof Shopify.Errors.SessionNotFound:
             // This is likely because the OAuth session cookie expired before the merchant approved the request
-            ctx.redirect(`${oAuthStartPath}?${queryString}`);
+            ctx.redirect(`${oAuthStartPath}?${querystring}`);
             break;
           case err instanceof Shopify.Errors.InvalidJwtError:
             ctx.throw(401, err.message);

src/top-level-oauth-redirect.ts

@@ -41,7 +41,7 @@ export function createTopLevelRedirect(apiKey: string, path: string) {
     const hostName = Shopify.Context.HOST_NAME; // Use this instead of ctx.host to prevent issues when behind a proxy
     const shop = query.shop ? query.shop.toString() : "";
     const params = { shop };
-    const queryString = new URLSearchParams(params).toString(); // Use this instead of ctx.queryString, because it sanitizes the query parameters we are using
+    const queryString = new URLSearchParams(params).toString(); // Use this instead of ctx.querystring, because it sanitizes the query parameters we are using
     ctx.body = await getTopLevelRedirectScript(
       shop,
       `https://${hostName}${path}?${queryString}`,

src/verify-request.ts

@@ -35,15 +35,13 @@ export default function verifyRequest(options?: VerifyRequestOptions) {
     // Create session instance from loaded session data (if available), so we can call isActive() method on it
     const session = sessionData ? Session.cloneSession(sessionData, sessionData.id) : null;
 
-    const { query } = ctx;
-    const queryString = new URLSearchParams(query as any).toString();
+    const { query, querystring } = ctx;
     const shop = query.shop ? query.shop.toString() : "";
-    const authUrl = `${authRoute}?${queryString}`;
 
     // Login again if the shops don't match
     if (session && shop && session.shop !== shop) {
       await clearSession(ctx, accessMode);
-      ctx.redirect(authUrl);
+      ctx.redirect(`${authRoute}?${querystring}`);
       return;
     }
 
@@ -86,10 +84,11 @@ export default function verifyRequest(options?: VerifyRequestOptions) {
       } else if (Shopify.Context.IS_EMBEDDED_APP) {
         shop = getShopFromAuthHeader(ctx); // Get shop from auth header
       }
-      ctx.response.set(REAUTH_URL_HEADER, authUrl); // Set the reauth url header
+      const reauthUrl = `${authRoute}?shop=${shop}`;
+      ctx.response.set(REAUTH_URL_HEADER, reauthUrl); // Set the reauth url header
     } else {
       // Otherwise redirect to the auth page
-      ctx.redirect(authUrl);
+      ctx.redirect(`${authRoute}?${querystring}`);
     }
   };
 }