Shopify / shopify_app

A Rails Engine for building Shopify Apps
MIT License

During reinstall, a token is not being fetched when reauth_on_access_scope_changes=false #1874

Closed zernie closed 2 months ago

zernie commented 3 months ago

Issue summary

Before opening this issue, I have:

We have reauth_on_access_scope_changes set to false because we have a custom flow (https://github.com/Shopify/shopify_app/issues/1820) for requesting additional scopes.

Recently, we have been flagged by Shopify:

Although your app authenticates correctly when first installed, there were issues when attempting to re-install it. Your app must immediately authenticate using OAuth before any other steps occur, even if the merchant has previously installed and then uninstalled your app. See this screencast for details.

Expected behavior

When an application is being reinstalled, shopify_app should always re-request the auth token

Actual behavior

It is not being requested

Steps to reproduce the problem

  1. Set reauth_on_access_scope_changes=false
  2. Delete the app
  3. Install the app during the next two days (before the shop_redact webhook fires)
  4. Access token is not being re-requested.

zzooeeyy commented 2 months ago

Hey @zernie , I don't think this is a bug on shopify_app. shopify_app gem checks whether the shop record exists in the DB before requesting OAuth.

The template rails app has an example on handling the APP/UNINSTALLED webhook. It deletes the shop record so that access token will be re-requested.

Regardless of reauth_on_access_scope_changes, if the user deletes/uninstalls the app, your app should know that it has been uninstalled and delete the access token for the shop so it can retry OAuth.

APP/UNINSTALLED webhook = delete shop record so it can retry OAuth on next install

SHOP/REDACT webhook = delete any other data in your app that is associated with that shop
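The rule described in the reply (OAuth is only re-requested when no shop record exists, so the app/uninstalled handler must delete that record) as an added, framework-free example; this is not shopify_app's or the template app's code. It assumes a constructed in-memory hash in place of the gem's Shop model, a constructed API secret, and Shopify's webhook signing scheme (X-Shopify-Hmac-SHA256 = Base64 of HMAC-SHA256 over the raw body with the app secret), which the handler verifies before acting so a forged request cannot evict a shop's token.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed stand-in for the shop table (shopify_domain => access token).
# The real gem persists this with an ActiveRecord model; this is an assumption.
SHOPS = {}

# Mirrors the gem's rule from the reply: OAuth runs only when no record exists.
def oauth_required?(shop_domain)
  !SHOPS.key?(shop_domain)
end

# Constant-time byte comparison so the HMAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Shopify signs each webhook: Base64(HMAC-SHA256(api_secret, raw_body)).
def valid_webhook_hmac?(secret, raw_body, header_hmac)
  expected = Base64.strict_encode64(OpenSSL::HMAC.digest("SHA256", secret, raw_body))
  secure_equal?(expected, header_hmac.to_s)
end

# Dispatch one webhook; returns a symbol so the outcome is checkable without a DB.
def handle_webhook(secret, topic, shop_domain, raw_body, header_hmac)
  return :rejected_bad_hmac unless valid_webhook_hmac?(secret, raw_body, header_hmac)
  case topic
  when "app/uninstalled"
    # Same effect as the template app's uninstall job: drop the shop record
    # (and its token) so the next install goes through OAuth again.
    SHOPS.delete(shop_domain) ? :shop_deleted : :shop_unknown
  when "shop/redact"
    :redact_noted # here the app would erase any other data tied to the shop
  else
    :ignored
  end
end

# Constructed walkthrough of the reinstall scenario from the issue.
def reinstall_flow(secret)
  shop = "example.myshopify.com"
  SHOPS[shop] = "constructed-access-token"          # installed, token stored
  body = JSON.generate({ "domain" => shop })
  hmac = Base64.strict_encode64(OpenSSL::HMAC.digest("SHA256", secret, body))
  before = oauth_required?(shop)                     # false: record exists
  forged = handle_webhook(secret, "app/uninstalled", shop, body, "AAAA") # rejected
  real   = handle_webhook(secret, "app/uninstalled", shop, body, hmac)   # deleted
  after  = oauth_required?(shop)                     # true: next install re-authenticates
  [before, forged, real, after]
end
```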