Shopify / koa-shopify-auth

DEPRECATED Middleware to authenticate a Koa application with Shopify
MIT License

Staying on the "Request Grant" OAuth page for more than 1 minute throws an exception after clicking. #91

Closed ardeearam closed 3 years ago

ardeearam commented 3 years ago

Issue summary

Reading through the code, it looks like a side-effect of Shopify Node API's 60-second cookie lifespan.

https://github.com/Shopify/shopify-node-api/blob/main/src/auth/oauth/oauth.ts#L66

Looks like the cause is the way the validation failure is handled: https://github.com/Shopify/koa-shopify-auth/blob/master/src/auth/index.ts#L105-L117


Expected behavior

It should just restart the OAuth dance by redirecting back to "/auth?shop=shop.myshopify.com".

Actual behavior

It instead throws an exception.


Steps to reproduce the problem


Checklist

ProphetKhalul commented 3 years ago

The same issue. This is strange behavior, as the user may be interrupted during the installation phase and then receive an error message.

thecodepixi commented 3 years ago

Hey folks, so this behavior is actually expected.

When the OAuth process is initiated, a short-term cookie and session are set to retain necessary information for the validation phase. We expire this cookie after 60 seconds, because allowing it to linger longer in the browser could present a security risk, where someone might be able to repeat a request and get access to things they shouldn't that are used for matching secure values. Essentially the values could be used to brute-force an HMAC match and give access to shop data.

This behavior is also reflective of our access-token fetch, which also fails if you wait too long to fetch the token after OAuth completes.

Ultimately what this means is that someone attempting to install an app who waits too long on that screen will just need to navigate back to the initial install link in the app store and reinitiate the install process.

Since this is expected behavior, I'm going to close this issue for now. We can reevaluate the cookie life span if we find that this becomes a frequent issue, though.

ardeearam commented 3 years ago

Hello @thecodepixi ,

The issue is not the cookie life span, but what happens after it fails. I am with you on the expiration, but instead of throwing a dead-end to the user with the exception, I suggest the OAuth process be automatically restarted via a redirect to /oauth.

Also, your App QA has rejected my app because of the exception encountered on failure, so there is a disconnect on what behavior is actually expected, vs. your Shopify App QA, as this behavior was not deemed expected and caused rejection. It is not even on my codebase, and I am forced to maintain a fork of your repository just to get the app approved.