Closed yogodoshi closed 1 year ago
ClearMarble
commented
4 years ago I actually just started having the exact same issue with an app that's been running without issue for years and hasn't been updated.
Versions:
metaclick
commented
4 years ago It started to happen to an old app I have as well, apparently when we changed: class ShopsController < ShopifyApp::AuthenticatedController to class ShopsController < ApplicationController; include ShopifyApp::Authenticated
tanema
commented
4 years ago If this started recently this may be due to the SameSite Cookie requirements rolled out recently. Is this happening in production? Are you using https?
@ClearMarble You are on a version too old to have the samesite middleware so it is very likely that your app does not function in chrome at least.
mitchnick
commented
4 years ago I have the same issue when I go to upgrade the version of the gem. Our production environment is on version 12.0.2 and is not experiencing this issue. However, when I try to update my staging environment, this issue comes up. I tried staging versions 13.1 and 14.2, both are not working.
DaveEshopGuide
commented
4 years ago Same issue here. It happens for some, but not for all shops it seems.
shopify_api (9.2.0) shopify_app (14.1.0) ruby '2.6.6' 'rails', '5.2.2'
The shops are having valid shopify_tokens.
dvjones89
commented
4 years ago We've recently started to experience the same infinite redirect issue as captured by the reporter, @yogodoshi. Initially, we agreed with @tanema, thinking the issue stemmed from Chrome's recent(ish) changes to block insecure SameSite cookies. The very helpful @DaveEshopGuide highlighted that Chrome's new behaviour can be disabled via chrome://flags
Unfortunately, disabling Chrome's behaviour to enforce secure SameSite cookies has not resolved the infinite redirect error. It seems, therefore, that Chrome's change in cookie policy is a red-herring.
Until now we've been running an (admittedly outdated) version of the shopify_app gem, 8.4.0, so we've just upgraded to the latest release, 14.2.0. Unfortunately, upgrading the shopify_app gem doesn't appear to have resolved the infinite redirect issue.
Here's information about our Stack:
Ruby: 2.5.8
Rails: 5.2.4
shopify_app: 14.2And the browsers we've tested with:
Google Chrome: 84.0.4147.135 (Official Build) (64-bit) (MacOS). Page gets stuck in infinite redirect.
FireFox: 79.0 (64-bit) (MacOS). Page loads successfullyWe'd be very grateful of any support/advice that can be offered. In return, we'll be happy to help with testing or provide any additional information as required. Thank you! ✌🏼
DaveEshopGuide
commented
4 years ago @dvjones89 you kann easily test this by disabling the forced samesite:None/secure cookies via chrome://flags
I am experiencing the issue although we are setting the cookie correctly
I think the samesite cookie thing was introduced as a rack middlewhere in January 2020 in the shopify_app gem. So that's at least for us not the issue here.
I further digged into this today and using an activerecord session store it seems, that the session-id you can see in the frontend never gets written into the session table in the database, which is the case for shops where this works.
dvjones89
commented
4 years ago Thank you very much for your super-helpful reply, @DaveEshopGuide. Indeed, I've just disabled the cookies-without-same-site-must-be-secure Chrome flag and it hasn't resolved the redirect issue. It seems, therefore, that the change in Chrome's cookie policy was a red-herring and I've updated my comment above accordingly 🙏 .
It sounds like you're making good progress on troubleshooting the issue, though it seems odd that an issue that relates to database updates (or lack thereof) could vary between front-end browser?
Thanks for all the work you've done so far in troubleshooting 🙏
DaveEshopGuide
commented
4 years ago @dvjones89 Thanks, happy to help.
To be exact the setting to turn off the change google introduced is this one I reckon:
I think the database is really secondary here, I also tried setting Rails.application.config.session_store :active_record_store to Rails.application.config.session_store :cookie_store, same thing.
Key issue here being the session not being correctly passed/persisted to the server side somehow.
Cheers, Dave
tanema
commented
4 years ago Okay so I have a small suspicion of what is happening if it is not same-site. How do you initialize your authentication? I have a small suspicion that the login process is setting a return_to value as the login path so that after a successful login, it redirects back to start the auth process again.
To validate this, I would check the oauth call to shopify and check the oauth params for a return_to path. I just check the code and there is no check if the return_to value is the authentication path.
dvjones89
commented
4 years ago Hi @tanema 👋 Thanks for your reply, I really appreciate your help.
As you suggested, I've checked the return_to param in our OAuth call and can see that it's simply set to the root URL of our Rails application. It doesn't appear, therefore, that the problem is caused by sending the user back to the login page after successful authentication.
In an effort to simplify the issue, I've created a brand new Rails app running the latest version the shopify_app gem. With the exception of adding my serverless.social URL to the config.hosts array (config/environments/development.rb), I haven't changed any of the code. This is a fresh Rails app after having run rails generate shopify_app.
I'm sorry to report that, even when running this minimal test-case, the redirect issue is still present in Google Chrome:
Started GET "/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#new as HTML
Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
Rendering /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.1ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 2.9ms | Allocations: 2229)
Completed 200 OK in 5ms (Views: 3.5ms | ActiveRecord: 0.0ms | Allocations: 3058)
Started GET "/granted_storage_access?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#granted_storage_access as HTML
Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
Redirected to http://lazy-seahorse-34.serverless.social/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 397)
Started GET "/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by HomeController#index as HTML
Parameters: {"hmac"=>"3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a", "locale"=>"en", "session"=>"1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c", "shop"=>"talking-tables-test-store.myshopify.com", "timestamp"=>"1598951543"}
Redirected to http://lazy-seahorse-34.serverless.social/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 576)
Started GET "/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#new as HTML
Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
Rendering /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 2.5ms | Allocations: 2222)
Completed 200 OK in 4ms (Views: 2.9ms | ActiveRecord: 0.0ms | Allocations: 3037)@tanema Would you mind cloning my minimal Rails app and running it locally in Google Chrome? You'll obviously need to set ENV['SHOPIFY_API_KEY'] and ENV['SHOPIFY_API_SECRET'] and somehow forward your localhost to the internet (ngrok or localtunnel for example). I expect this will be enough to allow you to reproduce the issue.
Thanks again for all your help and support 🙏
tanema
commented
4 years ago Okay I still cannot reproduce this and this is what I have done
config.hosts because i do not need that hostshopify connect to get my app config and populate my .env fileshopify srv which does the following for me
I am using
Chrome: Version 84.0.4147.135 ruby: 2.6.5 rails (6.0.3.2) shopify_app (14.3.0) shopify_api (9.2.0) omniauth-shopify-oauth2 (2.2.2)
Is there any chance that you are using extra strict cookie policies in your browsers or extensions for cookies, or even ad blockers that might be preventing this?
dvjones89
commented
4 years ago Hi @tanema 👋 Thanks for your reply, it's super-helpful to see the exact steps you're taking to setup and run the Rails app. After a bit of Googling, I've discovered that the shopify connect and shopify serve commands are part of the Shopify CLI tool, something that I wasn't aware of and haven't been using until now. It's brilliant!
To my delight, I've found that booting the application using shopify serve rather than bundle exec rails server, allows me to visit the Shopify app in Google Chrome without the redirect issue. Looking at the code for shopify serve, I think it's simply running rails server, so I don't think there's anything too different there.
Another key difference is the (automatic) use of ngrok to forward my localhost as, until now, I've been forwarding using localtunnel. I wonder if that somehow makes a difference, though it wouldn't explain why we're seeing the redirect issue in production (hosted on Heroku) 🤔
In summary, now that you've shared a method to boot the app without the redirect issue, I can start to unpick the differences and hopefully have that "eureka" moment. I'll report back here when I know more. Thanks for all your help!
DaveEshopGuide
commented
4 years ago @dvjones89 and @tanema Thanks for digging further into this. I didn't really have the time to push this forward in the last few days but am also super excited to know what might be causing this. We are also hosting on heroku btw. I am also in contact with shopify dev support about this and I'll update you if I hear anything of value. Cheers ✌🏼
eebasadre20
commented
4 years ago @tanema Same here. All of a sudden this day, we experienced this issue in one of our production apps. We hosted it also in Heroku.
ruby (2.5.3) rails (5.2.1.1) shopify_app (12.0.0) shopify_api (9.1.0) omniauth-shopify-oauth2 (2.2.2)
derrickrc
commented
4 years ago I just realized this thread is similar to what I just posted about: https://github.com/Shopify/shopify_app/issues/1069. I am also hosting on Heroku.
In my case I built the app with shopify-cli-tool and it's not redirecting to /granted_storage_access, but hits home controller then keeps redirecting to /login?return_to
Screencast taken from my rejected app submission: https://screenshot.click/10-29-0rn45-lhxy2.mp4
I cannot reproduce this issue on my end - it works fine on iPad, I've followed the Chrome SameSite troubleshooting guide from Shopify and it works on Safari as well. I am stumped.
netwire88
commented
4 years ago We have been getting lots of support inquiries as well due to similar error. We are considering switching to JWT but that's quite buggy right now.
derrickrc
commented
4 years ago @tanema any update on this? I've tried emailing my Shopify app reviewer asking him which browser / emulator and settings he was using so I can try and reproduce the issue, to no avail. At this point this is blocking for me and I'm not sure if I should wait for a fix, attempt to migrate to JWT, or just abandon the shopify_app gem. Thank you.
yogodoshi
commented
4 years ago Same here, @derrickrc, I also stopped the developing any feature/improvement on an app because of this issue.
derrickrc
commented
4 years ago I am trying to dig deeper to see why this error is being thrown (see screenshot). However, I can't seem to find the error string in any github repo (perhaps someone else can?)
DaveEshopGuide
commented
3 years ago Hi folks, I did some further investigation today, comparing logs for healty and unhealthy requests from 2 different stores and I have a suspicion of what might be going on, at least in my case.
My HomeController is derived from ShopifyApp::AuthenticatedController which includes ShopifyApp::LoginProtection. Now ShopifyApp::LoginProtection does this
rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
and it happens, that my HomeController also makes requests via ActiveResource to another service. If those requests fail with UnauthorizedAccess, the users session is closed, because of "rescue_from ActiveResource::UnauthorizedAccess, with: :close_session"
@tanema is there any way you could check if the ActiveResource::UnauthorizedAccess is coming from requests to shopify and exclude requests to other services?
I verified that the requests I make to the third party service are working for the healthy store and failing for the one that has the redirect to login issue.
Btw. my previous post was deleted because of some tokens included in the logfile I attached. Appreciate shopify's/githubs security awareness here.
Cheers, Dave
DaveEshopGuide
commented
3 years ago Some further info on why this was so seemingly random: In the third party service we are using it was possible for the user to "accidentally" change his API key (which we store in the app DB). The invalid key then resulted in the ActiveResource::UnauthorizedAccess response. resulting in the behaviour described above.
As a workaround I specifically rescued these calls now inside the controller clearing the Key from our DB in response. This way the app customer can at least enter the app again and enter his new key.
Cheers, Dave
Shine18
commented
3 years ago Hi, any solution to this. I developed an app and it has the same issue. I set the cookie same site attribute with secure_headers gem. I also used the rails_same_site_cookie gem. But nothing works.
DaveEshopGuide
commented
3 years ago Hi @Shine18 regarding the SameSite Cookie Policy you should be fine when using the latest shopify_app gem. They included the correct cookie behaviour as a rack middleware in the gem earlier this year.
Did you check if the session cookie gets correctly set in the browsers application panel?
It should look something like this:
If that's set, it has to be something else i guess.
Shine18
commented
3 years ago Hi @DaveEshopGuide , Thanks for the reply in such short time bro.
I am using the latest shopify_app gem. but still it's not working.
Please see this
tanema
commented
3 years ago The shopify_app comes with samesite functionality built in unless you have disabled it. Are you serving your app with https through a tunnel like ngrok? It will not work without this because for you to have a SameSite=None cookie it must also be Secure and Secure can only be declared on a cookie served over https
Shine18
commented
3 years ago @tanema I deployed the app on aws ec2, using nginx and puma. with https.
tanema
commented
3 years ago If you have
Then there must be something else going on. Is it possible that you have config in your nginx setup that is altering your cookies, for instance a proxy_cookie_path setting?
Shine18
commented
3 years ago Hi @tanema . Thanks for pointing. That was the exact issue, I have setup proxy server with nginx and puma. and it wasn't setting up the header. I used proxy_cookie_path to set the same site attribute. Again, Thanks for the help. Really, Appreciate it.
endangurura
commented
3 years ago This issue still persists with the latest version of shopify_app v16.1.0. Downgrading to v14.3.0 fixed the issue. I don't know if there's some needed settings for version 16.1.0. Is one here using v16.1.0 with no issue?
petebof
commented
3 years ago Just created today (12/Jan) a bare-bones shopify_app using the latest versions of everything using the flag with-cookie-authentication. I can confirm that, when it tries to embed the app, it goes into an infinite loop between
GET /login | 200 OK GET / | 302 Found GET /granted_storage_access 302 Found
Versions: ruby-2.7.0 Rails 6.1.1 shopify_app 16.1.0 Chrome 87.0.4280.141 on Ubuntu 20.04 LTS
Steps:
Disabled same site cookies in chrome://flags/#same-site-by-default-cookies, but no luck.
In the past (a couple of months ago) I have created an app with the same procedure w/o any problem.
paulomarg
commented
3 years ago Hi @petebof, I believe in your particular case the issue is with rails v>=6.1 - we're currently updating the gem to work with that version of rails. I'll post updates here.
petebof
commented
3 years ago Spot on @paulomarg! Used Rails 6.0.3.4 and it was a breeze. Thank you!
marisveide
commented
3 years ago Yes, I too can confirm that there is something wrong with rails v6.1.0. This causes the infinite redirect loop.
When having all the rest of gems as latest versions, but downgrading back to rails v6.0.3, then everything works without any infinite loops.
Continuing to research...
marisveide
commented
3 years ago Ok, so - in the rails v6.1.1 project file config/application.rb - try changing the line:
config.load_defaults 6.1to
config.load_defaults 6.0Cannot explain yet why, but this seems to make it work - infinite redirect loops disappeared.
paulomarg
commented
3 years ago Yes @marisveide Rails 6.1 made some config changes in how it handles SameSite cookies, so using a previous version's configs would indeed work around the issue until the gem is fixed.
miguelperez
commented
3 years ago Spot on @paulomarg! Used Rails 6.0.3.4 and it was a breeze. Thank you!
I have just created a new rails Rails 6.0.3.4 app, I am using the latest version of the shopify_app gem and I am using ngrok.
I set the url of the app to the ngrok domain: https://{identifier}.ngrok.io/ and the allowed redirect uris to:
https://identifier.ngrok.io/auth/shopify/callback
http://localhost:3000/auth/shopify/callbackAnd I am seeing the redirect loop in my logs when browsing the app in either of the domains. And eventually I am left at the store admin/apps page with this message:
Should I start my new app using rails 5 instead?
UPDATE: I tested using safari, firefox and brave browser. UPDATE 2: I ran the default generator of shopify_app.
paulomarg
commented
3 years ago Hey @miguelperez, can you please confirm a few things for me? I'm currently investigating an issue with the generator that might lead to this scenario.
shopify_app.rb initializer, what are the values of:
config.embedded_app
config.allow_jwt_authentication
config.allow_cookie_authenticationshopify_app gem being used?home_controller.rb inherit from AuthenticatedController or ApplicationController?If you're on v17, and your Home controller is authenticated but your app is embedded, you are running into the issue I'm working on. If that is the case, you can replace your Home controller with the following as a temporary workaround:
class HomeController < ApplicationController
include ShopifyApp::EmbeddedApp
include ShopifyApp::RequireKnownShop
def index
@shop_origin = current_shopify_domain
end
endUPDATE: This has been fixed under v17.0.3, please update your gem if you run into this issue.
miguelperez
commented
3 years ago Hey @paulomarg, thanks for your reply:
config/initializers/shopify_app.rb
unless defined? Rails::Generators
ShopifyApp.configure do |config|
config.application_name = "My Shopify App"
config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY. See https://github.com/Shopify/shopify_app#api-keys')
config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET. See https://github.com/Shopify/shopify_app#api-keys')
config.old_secret = ""
config.scope = "read_products" # Consult this page for more scope options:
# https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
config.embedded_app = true
config.after_authenticate_job = false
config.api_version = "2021-01"
config.shop_session_repository = 'Shop'
config.allow_jwt_authentication = true
config.allow_cookie_authentication = false
end
end
# ShopifyApp::Utils.fetch_known_api_versions # Uncomment to fetch known api versions from shopify servers on boot
# ShopifyAPI::ApiVersion.version_lookup_mode = :raise_on_unknown # Uncomment to raise an error if attempting to use an api version that was not previously knownWhat is the version of the shopify_app gem being used? shopify_app (17.0.2)
Home Controller
# frozen_string_literal: trueclass HomeController < AuthenticatedController def index @products = ShopifyAPI::Product.find(:all, params: { limit: 10 }) @webhooks = ShopifyAPI::Webhook.find(:all) end end
## Note:
I changed the home controller to the one you provided and can confirm that the app is rendered in the iframe.!!! 🎉
<img width="998" alt="Screen Shot 2021-01-22 at 9 20 09 AM" src="https://user-images.githubusercontent.com/141042/105502219-38556300-5c93-11eb-86f3-c87a08080067.png">
The only caveat is that I would need to define some things for the shopify_api to fetch the products, but I can now work on my app!
THANKS
kirillplatonov
commented
3 years ago Ok, so - in the
rails v6.1.1project fileconfig/application.rb- try changing the line:config.load_defaults 6.1to
config.load_defaults 6.0Cannot explain yet why, but this seems to make it work - infinite redirect loops disappeared.
Another solution would be setting old cookies_same_site_protection value in rails v6.1.1:
# config/application.rb
# Initialize configuration defaults for originally generated Rails version.
config.load_defaults 6.1
config.action_dispatch.cookies_same_site_protection = nil
onahkenneth
commented
3 years ago @paulomarg I created today (07/Feb) a vanilla shopify_app using the versions. I can confirm that, when it tries to embed the app, it goes into an infinite loop between
GET / | 302 Found GET /login | 200 OK GET /login | 302 Found GET /auth/shopify 302 Found
ShopifyApp.configure do |config|
config.application_name = ENV.fetch('APPLICATION_NAME', '').presence || ""
config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY')
config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET')
config.old_secret = ""
config.scope = "read_products, read_orders"
config.embedded_app = true
config.after_authenticate_job = false
config.api_version = "2021-01"
config.shop_session_repository = 'Shop'
config.allow_jwt_authentication = true
config.allow_cookie_authentication = false
endVersions: ruby-2.7.2 Rails 6.0.3.4 shopify_app 17.0.5 Chrome 88.0.4324.150 on Ubuntu 18.04 LTS
paulomarg
commented
3 years ago Hey @onahkenneth, can you please confirm whether your app's home_controller.rb inherits from AuthenticatedController or ApplicationController? If it is authenticated, you'll want to replace it with the unauthenticated version to stop the infinite loop.
onahkenneth
commented
3 years ago @paulomarg
This is my home_controller.rb
# frozen_string_literal: true
class HomeController < ApplicationController
include ShopifyApp::EmbeddedApp
include ShopifyApp::RequireKnownShop
def index
@shop_origin = current_shopify_domain
end
end
manuca
commented
3 years ago Been banging my head with this issue and my problem was I was on a non-embedded app and with allow_cookie_authentication = false. Allowing the browser to authenticate with cookies solved the issue.
In case you're interested my stack is Rails 5.2.x with shopify_app 17.0.5.
rs-ehyde
commented
3 years ago I'm having the same problem, except we are trying to implement session token validation, so cookies are not an option. Endless redirects after the scope verification screen for a new shop. I've followed the structure laid out in https://github.com/Shopify/turbolinks-jwt-sample-app but no success. Using the following versions:
gem 'shopify_api', '9.4.1'
gem 'shopify_app', '17.2.1'
jahatten
commented
3 years ago @rs-ehyde did you manage to solve this issue?
Been struggling with the same for days now...
asecondwill
commented
3 years ago Same issue maybe, more details here:
asecondwill
commented
3 years ago @paulomarg
I've tried not inheriting from AuthenticatedController in my Home Controller. That gets that page showing, but if i then click to goto any other page that does require authentication, I am asked to install the app with a little input field for the shop domain. Looking at my shop model in Rails Console. My shop's session hasnt been updated.
Any further suggestions to debug ?
Rails rails (6.1.3) shopify_app (18.0.1) Ruby 2.7.2
asecondwill
commented
3 years ago Looking at the rails s logs, it does not go to login if it does not inherit from authenticated - its avoiding the loop by avoiding authentication altogether, rather than sensibly exiting it. And then when you click to a page that needs to be authenticated it obviously isn't. @paulomarg - can you explain a bit more about how to implement this so it does the authentication but does not enter the infinite loop please?
asecondwill
commented
3 years ago I've also tried changing to config.load_defaults 6.0 and config.load_defaults 6.1. No change.
I'm creating a new app and ran into this issue after installing the app in my test store, didn't customize any Shopify related code.
The infinite loop starts when I click the app on the store's list of installed apps.
Versions:
Rails server logs that shows the infinite loop: