Shopify / shopify_app

A Rails Engine for building Shopify Apps
MIT License

Infinite redirect between /login, Home#index, and /granted_storage_access #1053

Closed yogodoshi closed 1 year ago

yogodoshi commented 4 years ago

I'm creating a new app and ran into this issue after installing the app in my test store, didn't customize any Shopify related code.

The infinite loop starts when I click the app on the store's list of installed apps.

Versions:

Rails server logs that shows the infinite loop:

Started GET "/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com&timestamp=1598059348" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by HomeController#index as HTML
  Parameters: {"hmac"=>"0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff", "locale"=>"en", "session"=>"f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1", "shop"=>"storeurl.myshopify.com", "timestamp"=>"1598059348"}
Redirected to http://abc.sa.ngrok.io/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com
Completed 302 Found in 43ms (ActiveRecord: 0.0ms | Allocations: 7089)

Started GET "/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by ShopifyApp::SessionsController#new as HTML
  Parameters: {"return_to"=>"/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com&timestamp=1598059348", "shop"=>"storeurl.myshopify.com"}
  Rendering /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.6ms | Allocations: 248)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.3ms | Allocations: 114)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.2ms | Allocations: 113)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.4ms | Allocations: 184)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 39.4ms | Allocations: 12755)
Completed 200 OK in 45ms (Views: 44.2ms | ActiveRecord: 0.0ms | Allocations: 14612)

Started GET "/granted_storage_access?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by ShopifyApp::SessionsController#granted_storage_access as HTML
  Parameters: {"return_to"=>"/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com&timestamp=1598059348", "shop"=>"storeurl.myshopify.com"}
Redirected to http://abc.sa.ngrok.io/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com&timestamp=1598059348
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 399)

Started GET "/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com&timestamp=1598059348" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by HomeController#index as HTML
  Parameters: {"hmac"=>"0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff", "locale"=>"en", "session"=>"f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1", "shop"=>"storeurl.myshopify.com", "timestamp"=>"1598059348"}
Redirected to http://abc.sa.ngrok.io/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com
Completed 302 Found in 2ms (ActiveRecord: 0.0ms | Allocations: 576)

Started GET "/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by ShopifyApp::SessionsController#new as HTML
  Parameters: {"return_to"=>"/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com&timestamp=1598059348", "shop"=>"storeurl.myshopify.com"}
  Rendering /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 5.7ms | Allocations: 2300)
Completed 200 OK in 9ms (Views: 6.1ms | ActiveRecord: 0.0ms | Allocations: 3116)

ClearMarble commented 4 years ago

I actually just started having the exact same issue with an app that's been running without issue for years and hasn't been updated.

Versions:

metaclick commented 4 years ago

It started to happen to an old app I have as well, apparently when we changed `class ShopsController < ShopifyApp::AuthenticatedController` to `class ShopsController < ApplicationController; include ShopifyApp::Authenticated`.

tanema commented 4 years ago

If this started recently this may be due to the SameSite Cookie requirements rolled out recently. Is this happening in production? Are you using https?

@ClearMarble You are on a version too old to have the samesite middleware so it is very likely that your app does not function in chrome at least.

mitchnick commented 4 years ago

I have the same issue when I go to upgrade the version of the gem. Our production environment is on version 12.0.2 and is not experiencing this issue. However, when I try to update my staging environment, this issue comes up. I tried staging versions 13.1 and 14.2, both are not working.

DaveEshopGuide commented 4 years ago

Same issue here. It happens for some, but not for all shops it seems.

shopify_api (9.2.0)
shopify_app (14.1.0)
ruby '2.6.6'
'rails', '5.2.2'

The shops are having valid shopify_tokens.

dvjones89 commented 4 years ago

We've recently started to experience the same infinite redirect issue as captured by the reporter, @yogodoshi. Initially, we agreed with @tanema, thinking the issue stemmed from Chrome's recent(ish) changes to block insecure SameSite cookies. The very helpful @DaveEshopGuide highlighted that Chrome's new behaviour can be disabled via chrome://flags

[Screenshot 2020-08-28 at 18:12:28]

Unfortunately, disabling Chrome's behaviour to enforce secure SameSite cookies has not resolved the infinite redirect error. It seems, therefore, that Chrome's change in cookie policy is a red-herring.

Until now we've been running an (admittedly outdated) version of the shopify_app gem, 8.4.0, so we've just upgraded to the latest release, 14.2.0. Unfortunately, upgrading the shopify_app gem doesn't appear to have resolved the infinite redirect issue.

Here's information about our Stack:

Ruby: 2.5.8
Rails: 5.2.4
shopify_app: 14.2

And the browsers we've tested with:

Google Chrome:  84.0.4147.135 (Official Build) (64-bit) (MacOS). Page gets stuck in infinite redirect.
FireFox: 79.0 (64-bit) (MacOS). Page loads successfully

We'd be very grateful of any support/advice that can be offered. In return, we'll be happy to help with testing or provide any additional information as required. Thank you! ✌🏼

DaveEshopGuide commented 4 years ago

@dvjones89 you can easily test this by disabling the forced SameSite=None; Secure cookies via chrome://flags

I am experiencing the issue although we are setting the cookie correctly: [screenshot]

I think the SameSite cookie thing was introduced as a rack middleware in January 2020 in the shopify_app gem. So that's, at least for us, not the issue here.

I dug further into this today, and using an activerecord session store it seems that the session id you can see in the frontend never gets written into the session table in the database, which is the case for shops where this works.

dvjones89 commented 4 years ago

Thank you very much for your super-helpful reply, @DaveEshopGuide. Indeed, I've just disabled the cookies-without-same-site-must-be-secure Chrome flag and it hasn't resolved the redirect issue. It seems, therefore, that the change in Chrome's cookie policy was a red-herring and I've updated my comment above accordingly 🙏 .

It sounds like you're making good progress on troubleshooting the issue, though it seems odd that an issue that relates to database updates (or lack thereof) could vary between front-end browser?

Thanks for all the work you've done so far in troubleshooting 🙏

DaveEshopGuide commented 4 years ago

@dvjones89 Thanks, happy to help. To be exact, the setting to turn off the change Google introduced is this one, I reckon: [screenshot]

I think the database is really secondary here, I also tried setting Rails.application.config.session_store :active_record_store to Rails.application.config.session_store :cookie_store, same thing.

Key issue here being the session not being correctly passed/persisted to the server side somehow.

Cheers, Dave

tanema commented 4 years ago

Okay so I have a small suspicion of what is happening if it is not same-site. How do you initialize your authentication? I have a small suspicion that the login process is setting a return_to value as the login path so that after a successful login, it redirects back to start the auth process again.

To validate this, I would check the OAuth call to Shopify and check the OAuth params for a return_to path. I just checked the code and there is no check if the return_to value is the authentication path.
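The check tanema says is missing, written out as an added illustration (this is not shopify_app's code): a guard that only accepts an app-relative `return_to` and refuses anything that would re-enter the login or OAuth routes seen in the logs above. The route list and the `safe_return_to` name are assumptions made for this example.

```ruby
require "uri"

# Routes that would re-enter the auth flow; constructed for this example from the
# paths visible in the thread's logs, not taken from shopify_app's route table.
AUTH_PATHS = ["/login", "/granted_storage_access"].freeze
AUTH_PREFIX = "/auth/"

# Returns return_to unchanged when it is a local path that does not lead back into
# the login/OAuth flow; otherwise returns the fallback (the app root).
def safe_return_to(return_to, fallback = "/")
  return fallback if return_to.nil? || return_to.strip.empty?
  # Protocol-relative values ("//host/...") would leave the app; refuse them outright.
  return fallback if return_to.start_with?("//")
  uri = begin
    URI.parse(return_to)
  rescue URI::InvalidURIError
    return fallback
  end
  # Any scheme or host means an absolute URL; only app-relative paths are allowed.
  return fallback if uri.scheme || uri.host
  path = uri.path.to_s
  return fallback unless path.start_with?("/")
  # The looping case from the thread: a return_to that points back at the auth routes.
  return fallback if AUTH_PATHS.include?(path) || path.start_with?(AUTH_PREFIX)
  return_to
end
```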

dvjones89 commented 4 years ago

Hi @tanema 👋 Thanks for your reply, I really appreciate your help.

As you suggested, I've checked the return_to param in our OAuth call and can see that it's simply set to the root URL of our Rails application. It doesn't appear, therefore, that the problem is caused by sending the user back to the login page after successful authentication.

In an effort to simplify the issue, I've created a brand new Rails app running the latest version the shopify_app gem. With the exception of adding my serverless.social URL to the config.hosts array (config/environments/development.rb), I haven't changed any of the code. This is a fresh Rails app after having run rails generate shopify_app.

I'm sorry to report that, even when running this minimal test-case, the redirect issue is still present in Google Chrome:

Started GET "/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#new as HTML
  Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com&timestamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
  Rendering /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.1ms | Allocations: 5)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 2.9ms | Allocations: 2229)
Completed 200 OK in 5ms (Views: 3.5ms | ActiveRecord: 0.0ms | Allocations: 3058)

Started GET "/granted_storage_access?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#granted_storage_access as HTML
  Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com&timestamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
Redirected to http://lazy-seahorse-34.serverless.social/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com&timestamp=1598951543
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 397)

Started GET "/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com&timestamp=1598951543" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by HomeController#index as HTML
  Parameters: {"hmac"=>"3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a", "locale"=>"en", "session"=>"1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c", "shop"=>"talking-tables-test-store.myshopify.com", "timestamp"=>"1598951543"}
Redirected to http://lazy-seahorse-34.serverless.social/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 576)

Started GET "/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#new as HTML
  Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com&timestamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
  Rendering /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.0ms | Allocations: 5)
  Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 2.5ms | Allocations: 2222)
Completed 200 OK in 4ms (Views: 2.9ms | ActiveRecord: 0.0ms | Allocations: 3037)

@tanema Would you mind cloning my minimal Rails app and running it locally in Google Chrome? You'll obviously need to set ENV['SHOPIFY_API_KEY'] and ENV['SHOPIFY_API_SECRET'] and somehow forward your localhost to the internet (ngrok or localtunnel for example). I expect this will be enough to allow you to reproduce the issue.

Thanks again for all your help and support 🙏

tanema commented 4 years ago

Okay I still cannot reproduce this and this is what I have done

I am using

Chrome: Version 84.0.4147.135
ruby: 2.6.5
rails (6.0.3.2)
shopify_app (14.3.0)
shopify_api (9.2.0)
omniauth-shopify-oauth2 (2.2.2)

Is there any chance that you are using extra strict cookie policies in your browsers or extensions for cookies, or even ad blockers that might be preventing this?

dvjones89 commented 4 years ago

Hi @tanema 👋 Thanks for your reply, it's super-helpful to see the exact steps you're taking to setup and run the Rails app. After a bit of Googling, I've discovered that the shopify connect and shopify serve commands are part of the Shopify CLI tool, something that I wasn't aware of and haven't been using until now. It's brilliant!

To my delight, I've found that booting the application using shopify serve rather than bundle exec rails server, allows me to visit the Shopify app in Google Chrome without the redirect issue. Looking at the code for shopify serve, I think it's simply running rails server, so I don't think there's anything too different there.

Another key difference is the (automatic) use of ngrok to forward my localhost as, until now, I've been forwarding using localtunnel. I wonder if that somehow makes a difference, though it wouldn't explain why we're seeing the redirect issue in production (hosted on Heroku) 🤔

In summary, now that you've shared a method to boot the app without the redirect issue, I can start to unpick the differences and hopefully have that "eureka" moment. I'll report back here when I know more. Thanks for all your help!

DaveEshopGuide commented 4 years ago

@dvjones89 and @tanema Thanks for digging further into this. I didn't really have the time to push this forward in the last few days but am also super excited to know what might be causing this. We are also hosting on heroku btw. I am also in contact with shopify dev support about this and I'll update you if I hear anything of value. Cheers ✌🏼

eebasadre20 commented 4 years ago

@tanema Same here. All of a sudden this day, we experienced this issue in one of our production apps. We hosted it also in Heroku.

ruby (2.5.3)
rails (5.2.1.1)
shopify_app (12.0.0)
shopify_api (9.1.0)
omniauth-shopify-oauth2 (2.2.2)

derrickrc commented 4 years ago

I just realized this thread is similar to what I just posted about: https://github.com/Shopify/shopify_app/issues/1069. I am also hosting on Heroku.

In my case I built the app with shopify-cli-tool and it's not redirecting to /granted_storage_access, but hits home controller then keeps redirecting to /login?return_to

Screencast taken from my rejected app submission: https://screenshot.click/10-29-0rn45-lhxy2.mp4

I cannot reproduce this issue on my end - it works fine on iPad, I've followed the Chrome SameSite troubleshooting guide from Shopify and it works on Safari as well. I am stumped.

netwire88 commented 4 years ago

We have been getting lots of support inquiries as well due to similar error. We are considering switching to JWT but that's quite buggy right now.

derrickrc commented 4 years ago

@tanema any update on this? I've tried emailing my Shopify app reviewer asking him which browser / emulator and settings he was using so I can try and reproduce the issue, to no avail. At this point this is blocking for me and I'm not sure if I should wait for a fix, attempt to migrate to JWT, or just abandon the shopify_app gem. Thank you.

yogodoshi commented 4 years ago

Same here, @derrickrc, I also stopped developing any feature/improvement on an app because of this issue.

derrickrc commented 4 years ago

I am trying to dig deeper to see why this error is being thrown (see screenshot). However, I can't seem to find the error string in any github repo (perhaps someone else can?)

[Screen Shot 2020-09-14 at 10:32:41 AM]

DaveEshopGuide commented 4 years ago

Hi folks, I did some further investigation today, comparing logs for healthy and unhealthy requests from 2 different stores, and I have a suspicion of what might be going on, at least in my case.

My HomeController is derived from ShopifyApp::AuthenticatedController which includes ShopifyApp::LoginProtection. Now ShopifyApp::LoginProtection does this

rescue_from ActiveResource::UnauthorizedAccess, with: :close_session

and it happens that my HomeController also makes requests via ActiveResource to another service. If those requests fail with UnauthorizedAccess, the user's session is closed because of "rescue_from ActiveResource::UnauthorizedAccess, with: :close_session".

@tanema is there any way you could check if the ActiveResource::UnauthorizedAccess is coming from requests to shopify and exclude requests to other services?

I verified that the requests I make to the third party service are working for the healthy store and failing for the one that has the redirect to login issue.

Btw. my previous post was deleted because of some tokens included in the logfile I attached. Appreciate shopify's/githubs security awareness here.

Cheers, Dave

DaveEshopGuide commented 4 years ago

Some further info on why this was so seemingly random: in the third party service we are using it was possible for the user to "accidentally" change his API key (which we store in the app DB). The invalid key then resulted in the ActiveResource::UnauthorizedAccess response, resulting in the behaviour described above.

As a workaround I specifically rescued these calls now inside the controller clearing the Key from our DB in response. This way the app customer can at least enter the app again and enter his new key.

Cheers, Dave
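Dave's diagnosis and workaround from the two comments above, reduced to plain Ruby as an added illustration (not shopify_app's code): `LoginProtection` here imitates the engine's `rescue_from ActiveResource::UnauthorizedAccess, with: :close_session`, and the two controllers show the third-party call before and after it is rescued locally. The `ActiveResource` stand-in, `ThirdPartyClient`, the shop hash and the key values are all constructed for this example.

```ruby
# Stand-ins constructed for this example: the real exception lives in ActiveResource,
# and the real rescue_from lives in ShopifyApp::LoginProtection.
module ActiveResource
  class UnauthorizedAccess < StandardError; end
end

# Imitates `rescue_from ActiveResource::UnauthorizedAccess, with: :close_session`:
# any UnauthorizedAccess that escapes the action closes the Shopify session,
# which is what sends the merchant back to /login.
module LoginProtection
  attr_reader :session_closed

  def dispatch(action)
    public_send(action)
  rescue ActiveResource::UnauthorizedAccess
    close_session
  end

  def close_session
    @session_closed = true
    :redirect_to_login
  end
end

# Third-party API client whose key the merchant can change in the app's DB.
# A wrong key raises the same exception class as an expired Shopify token.
class ThirdPartyClient
  VALID_KEY = "valid-key" # constructed sample value

  def initialize(api_key)
    @api_key = api_key
  end

  def fetch_report
    raise ActiveResource::UnauthorizedAccess, "third-party 401" unless @api_key == VALID_KEY
    { status: "ok" }
  end
end

# Before: the third-party 401 propagates up to LoginProtection, the Shopify
# session is closed and the redirect loop begins.
class LeakyHomeController
  include LoginProtection

  def initialize(shop)
    @shop = shop
  end

  def index
    @report = ThirdPartyClient.new(@shop[:third_party_key]).fetch_report
    :rendered
  end
end

# After (Dave's workaround): rescue the third-party call in the action itself and
# clear the stored key so the merchant can re-enter it. Only Shopify's own
# UnauthorizedAccess still reaches LoginProtection.
class HardenedHomeController
  include LoginProtection

  attr_reader :report

  def initialize(shop)
    @shop = shop
  end

  def index
    @report = begin
      ThirdPartyClient.new(@shop[:third_party_key]).fetch_report
    rescue ActiveResource::UnauthorizedAccess
      @shop[:third_party_key] = nil # force re-entry of the key on the next visit
      nil
    end
    :rendered
  end
end
```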

Shine18 commented 4 years ago

Hi, any solution to this. I developed an app and it has the same issue. I set the cookie same site attribute with secure_headers gem. I also used the rails_same_site_cookie gem. But nothing works.

DaveEshopGuide commented 4 years ago

Hi @Shine18, regarding the SameSite cookie policy you should be fine when using the latest shopify_app gem. They included the correct cookie behaviour as a rack middleware in the gem earlier this year. Did you check if the session cookie gets correctly set in the browser's application panel? It should look something like this: [screenshot] If that's set, it has to be something else, I guess.

Shine18 commented 4 years ago

Hi @DaveEshopGuide, thanks for the reply in such short time bro. I am using the latest shopify_app gem, but still it's not working. Please see this screenshot: [Screenshot_4]

tanema commented 4 years ago

The shopify_app comes with samesite functionality built in unless you have disabled it. Are you serving your app with https through a tunnel like ngrok? It will not work without this because for you to have a SameSite=None cookie it must also be Secure and Secure can only be declared on a cookie served over https

Shine18 commented 4 years ago

@tanema I deployed the app on aws ec2, using nginx and puma. with https.

tanema commented 4 years ago

If you have

Then there must be something else going on. Is it possible that you have config in your nginx setup that is altering your cookies, for instance a proxy_cookie_path setting?

Shine18 commented 4 years ago

Hi @tanema. Thanks for pointing that out. That was the exact issue: I had set up a proxy server with nginx and puma, and it wasn't setting the header. I used proxy_cookie_path to set the SameSite attribute. Again, thanks for the help. Really appreciate it.

endangurura commented 3 years ago

This issue still persists with the latest version of shopify_app, v16.1.0. Downgrading to v14.3.0 fixed the issue. I don't know if there are some needed settings for version 16.1.0. Is anyone here using v16.1.0 with no issue?

petebof commented 3 years ago

Just created today (12/Jan) a bare-bones shopify_app using the latest versions of everything using the flag with-cookie-authentication. I can confirm that, when it tries to embed the app, it goes into an infinite loop between

GET /login | 200 OK
GET / | 302 Found
GET /granted_storage_access | 302 Found

Versions:
ruby-2.7.0
Rails 6.1.1
shopify_app 16.1.0
Chrome 87.0.4280.141 on Ubuntu 20.04 LTS

Steps:

Disabled same site cookies in chrome://flags/#same-site-by-default-cookies, but no luck.

In the past (a couple of months ago) I have created an app with the same procedure w/o any problem.

paulomarg commented 3 years ago

Hi @petebof, I believe in your particular case the issue is with rails v>=6.1 - we're currently updating the gem to work with that version of rails. I'll post updates here.

petebof commented 3 years ago

Spot on @paulomarg! Used Rails 6.0.3.4 and it was a breeze. Thank you!

marisveide commented 3 years ago

Yes, I too can confirm that there is something wrong with rails v6.1.0. This causes the infinite redirect loop. When having all the rest of gems as latest versions, but downgrading back to rails v6.0.3, then everything works without any infinite loops.

Continuing to research...

marisveide commented 3 years ago

Ok, so - in the rails v6.1.1 project file config/application.rb - try changing the line:

    config.load_defaults 6.1

to

    config.load_defaults 6.0

Cannot explain yet why, but this seems to make it work - infinite redirect loops disappeared.

paulomarg commented 3 years ago

Yes @marisveide Rails 6.1 made some config changes in how it handles SameSite cookies, so using a previous version's configs would indeed work around the issue until the gem is fixed.

miguelperez commented 3 years ago

> Spot on @paulomarg! Used Rails 6.0.3.4 and it was a breeze. Thank you!

I have just created a new rails Rails 6.0.3.4 app, I am using the latest version of the shopify_app gem and I am using ngrok.

I set the url of the app to the ngrok domain: https://{identifier}.ngrok.io/ and the allowed redirect uris to:

https://identifier.ngrok.io/auth/shopify/callback
http://localhost:3000/auth/shopify/callback

And I am seeing the redirect loop in my logs when browsing the app in either of the domains. And eventually I am left at the store admin/apps page with this message:

[screenshot]

Should I start my new app using rails 5 instead?

UPDATE: I tested using safari, firefox and brave browser. UPDATE 2: I ran the default generator of shopify_app.

paulomarg commented 3 years ago

Hey @miguelperez, can you please confirm a few things for me? I'm currently investigating an issue with the generator that might lead to this scenario.

If you're on v17, and your Home controller is authenticated but your app is embedded, you are running into the issue I'm working on. If that is the case, you can replace your Home controller with the following as a temporary workaround:

class HomeController < ApplicationController
  include ShopifyApp::EmbeddedApp
  include ShopifyApp::RequireKnownShop

  def index
    @shop_origin = current_shopify_domain
  end
end

UPDATE: This has been fixed under v17.0.3, please update your gem if you run into this issue.

miguelperez commented 3 years ago

Hey @paulomarg, thanks for your reply:

config/initializers/shopify_app.rb

unless defined? Rails::Generators
  ShopifyApp.configure do |config|
    config.application_name = "My Shopify App"
    config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY. See https://github.com/Shopify/shopify_app#api-keys')
    config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET. See https://github.com/Shopify/shopify_app#api-keys')
    config.old_secret = ""
    config.scope = "read_products" # Consult this page for more scope options:
                                   # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
    config.embedded_app = true
    config.after_authenticate_job = false
    config.api_version = "2021-01"
    config.shop_session_repository = 'Shop'
    config.allow_jwt_authentication = true
    config.allow_cookie_authentication = false
  end
end

# ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot
# ShopifyAPI::ApiVersion.version_lookup_mode = :raise_on_unknown    # Uncomment to raise an error if attempting to use an api version that was not previously known

class HomeController < AuthenticatedController
  def index
    @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
    @webhooks = ShopifyAPI::Webhook.find(:all)
  end
end

## Note:
I changed the home controller to the one you provided and can confirm that the app is rendered in the iframe! 🎉

[Screen Shot 2021-01-22 at 9:20:09 AM]

The only caveat is that I would need to define some things for the shopify_api to fetch the products, but I can now work on my app!

THANKS

kirillplatonov commented 3 years ago

Ok, so - in the rails v6.1.1 project file config/application.rb - try changing the line:

    config.load_defaults 6.1

to

    config.load_defaults 6.0

Cannot explain yet why, but this seems to make it work - infinite redirect loops disappeared.

Another solution would be setting the old cookies_same_site_protection value in Rails v6.1.1:

# config/application.rb

# Initialize configuration defaults for originally generated Rails version.
config.load_defaults 6.1
config.action_dispatch.cookies_same_site_protection = nil
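
As an added illustration of what the `load_defaults 6.1` change does to a framed app (this is not shopify_app's own middleware nor code from this thread): with `cookies_same_site_protection = :lax` the browser withholds the session cookie inside the Shopify admin iframe, so the app never sees the session it wrote during OAuth and bounces to /login again. A narrower fix than dropping the attribute for every cookie is to mark only the cookies the embedded app needs as `SameSite=None; Secure`; the cookie names below are constructed.

```ruby
# Added illustration, not shopify_app's own middleware: why `load_defaults 6.1`
# (cookies_same_site_protection = :lax) loops a framed app. The Shopify admin
# embeds the app in an iframe, so every request to it is cross-site; browsers
# withhold a SameSite=Lax cookie there, the app never sees the session it wrote
# during OAuth, and it redirects to /login again. The narrow fix is SameSite=None
# (honoured only together with Secure) on just the cookies the framed app needs.

# Rewrites a Rack "Set-Cookie" header value (several cookies joined by "\n").
# Only names in `embedded_cookies` are touched, and nothing is changed on a
# plain-HTTP origin because SameSite=None without Secure is rejected by browsers.
def harden_set_cookie(header_value, embedded_cookies, https: true)
  return header_value if header_value.nil? || !https

  header_value.split("\n").map do |cookie|
    name = cookie.split('=', 2).first.strip
    next cookie unless embedded_cookies.include?(name)

    attrs = cookie.split(';').map(&:strip)
    attrs.reject! { |a| a.downcase.start_with?('samesite=') || a.casecmp?('secure') }
    (attrs + ['SameSite=None', 'Secure']).join('; ')
  end.join("\n")
end

# Minimal Rack-style middleware applying the rewrite to every response.
class EmbeddedCookieMiddleware
  def initialize(app, cookie_names:, https: true)
    @app, @cookie_names, @https = app, cookie_names, https
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers.key?('Set-Cookie')
      headers['Set-Cookie'] = harden_set_cookie(headers['Set-Cookie'], @cookie_names, https: @https)
    end
    [status, headers, body]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed response: the session cookie the framed app needs plus a CSRF cookie that stays Lax.
  app = ->(_env) { [200, { 'Set-Cookie' => "_my_app_session=abc; Path=/; HttpOnly; SameSite=Lax\n_csrf=x; SameSite=Lax" }, ['ok']] }
  _status, headers, _body = EmbeddedCookieMiddleware.new(app, cookie_names: ['_my_app_session']).call({})
  puts headers['Set-Cookie']
end
```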

onahkenneth commented 3 years ago

@paulomarg I created a vanilla shopify_app today (07/Feb) using the versions listed below. I can confirm that, when it tries to embed the app, it goes into an infinite loop between

    GET /             | 302 Found
    GET /login        | 200 OK
    GET /login        | 302 Found
    GET /auth/shopify | 302 Found

ShopifyApp.configure do |config|
  config.application_name = ENV.fetch('APPLICATION_NAME', '').presence || ""
  config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY')
  config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET')
  config.old_secret = ""
  config.scope = "read_products, read_orders"
  config.embedded_app = true
  config.after_authenticate_job = false
  config.api_version = "2021-01"
  config.shop_session_repository = 'Shop'
  config.allow_jwt_authentication = true
  config.allow_cookie_authentication = false
end

Versions: ruby-2.7.2, Rails 6.0.3.4, shopify_app 17.0.5, Chrome 88.0.4324.150 on Ubuntu 18.04 LTS

paulomarg commented 3 years ago

Hey @onahkenneth, can you please confirm whether your app's home_controller.rb inherits from AuthenticatedController or ApplicationController? If it is authenticated, you'll want to replace it with the unauthenticated version to stop the infinite loop.

onahkenneth commented 3 years ago

@paulomarg This is my home_controller.rb

# frozen_string_literal: true

class HomeController < ApplicationController
  include ShopifyApp::EmbeddedApp
  include ShopifyApp::RequireKnownShop

  def index
    @shop_origin = current_shopify_domain
  end
end

manuca commented 3 years ago

Been banging my head against this issue, and my problem was that I was on a non-embedded app with allow_cookie_authentication = false. Allowing the browser to authenticate with cookies solved the issue.

In case you're interested my stack is Rails 5.2.x with shopify_app 17.0.5.

rs-ehyde commented 3 years ago

I'm having the same problem, except we are trying to implement session token validation, so cookies are not an option. Endless redirects after the scope verification screen for a new shop. I've followed the structure laid out in https://github.com/Shopify/turbolinks-jwt-sample-app but no success. Using the following versions:

gem 'shopify_api', '9.4.1'
gem 'shopify_app', '17.2.1'
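
Since session tokens replace cookies for embedded apps (the `allow_jwt_authentication = true` path in the configs above, and the session token validation this comment describes), here is an added, stand-alone Ruby example of the checks such a token needs before it is trusted. It is not shopify_app's code; the secret, API key, shop domain and timestamps are constructed.

```ruby
require 'json'
require 'openssl'

# Added example, not shopify_app's own code: the checks an App Bridge session
# token (a JWT signed with HS256 using the app's shared secret) needs before
# an embedded app trusts it, which is what `allow_jwt_authentication = true`
# relies on instead of cookies. Secret, API key and timestamps are constructed.
CLOCK_LEEWAY = 10 # seconds of clock skew tolerated (assumption)

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  (padded + '=' * ((4 - padded.length % 4) % 4)).unpack1('m0')
end

# Constant-time comparison so a signature cannot be guessed one byte at a time.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the token App Bridge would issue in the browser (constructed for the demo).
def mint_session_token(claims, secret)
  head = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  body = b64url_encode(JSON.generate(claims))
  "#{head}.#{body}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}"))}"
end

# Returns the claims when the token is valid for this app, otherwise raises with the reason.
# Order matters: pin the algorithm and verify the signature before trusting any claim.
def verify_session_token(token, api_key:, secret:, now: Time.now.to_i)
  head_b64, body_b64, sig_b64 = token.split('.')
  raise 'malformed token' unless head_b64 && body_b64 && sig_b64
  raise 'unexpected alg' unless JSON.parse(b64url_decode(head_b64))['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{head_b64}.#{body_b64}")
  raise 'bad signature' unless secure_equal?(expected, b64url_decode(sig_b64))
  claims = JSON.parse(b64url_decode(body_b64))
  raise 'expired' if claims['exp'].to_i < now - CLOCK_LEEWAY
  raise 'not yet valid' if claims['nbf'].to_i > now + CLOCK_LEEWAY
  raise 'wrong audience' unless claims['aud'] == api_key # token minted for another app
  dest = claims['dest'].to_s
  raise 'bad shop' unless dest.match?(%r{\Ahttps://[a-z0-9][a-z0-9-]*\.myshopify\.com\z})
  raise 'iss/dest mismatch' unless claims['iss'].to_s.start_with?(dest)
  claims
end
```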

jahatten commented 3 years ago

@rs-ehyde did you manage to solve this issue?

Been struggling with the same for days now...

asecondwill commented 3 years ago

Same issue maybe, more details here:

https://github.com/Shopify/shopify_app/issues/1281

asecondwill commented 3 years ago

@paulomarg

I've tried not inheriting from AuthenticatedController in my Home Controller. That gets that page showing, but if I then click to go to any other page that does require authentication, I am asked to install the app with a little input field for the shop domain. Looking at my shop model in the Rails console, my shop's session hasn't been updated.

Any further suggestions to debug?

Rails 6.1.3, shopify_app 18.0.1, Ruby 2.7.2

asecondwill commented 3 years ago

Looking at the rails s logs, it does not go to login if it does not inherit from authenticated - it's avoiding the loop by avoiding authentication altogether, rather than sensibly exiting it. And then when you click to a page that needs to be authenticated, it obviously isn't. @paulomarg - can you explain a bit more about how to implement this so it does the authentication but does not enter the infinite loop, please?

asecondwill commented 3 years ago

I've also tried changing to config.load_defaults 6.0 and config.load_defaults 6.1. No change.