Shopify / shopify_app

A Rails Engine for building Shopify Apps
MIT License
1.75k stars, 684 forks

ActionController::InvalidAuthenticityToken when installing app to a test store #1875

Closed jagthedrummer closed 1 month ago

jagthedrummer commented 2 months ago

Issue summary

Before opening this issue, I have:

I'm trying to test my app in a test shop, but when I installed it, an error was raised saying:

ActionController::InvalidAuthenticityToken in ShopifyApp::SessionsController#create

Expected behavior

The app should be installed in the test shop.

Actual behavior

An error is raised.

Steps to reproduce the problem

  1. Visit the /login route of the app.
  2. Enter a valid shop domain like my-test-app.myshopify.com
  3. Click "Install app"
  4. Get an exception

Debug logs

Started POST "/login" for 127.0.0.1 at 2024-07-08 14:30:28 -0500
source=rack-timeout id=91d62be5-6575-4d8a-866e-8802f542138a timeout=15000ms service=1ms state=active
Processing by ShopifyApp::SessionsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "shop"=>"my-test-app.myshopify.com"}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 2ms (ActiveRecord: 0.0ms | Allocations: 1766)

ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):

actionpack (7.0.8.4) lib/action_controller/metal/request_forgery_protection.rb:253:in `handle_unverified_request'
actionpack (7.0.8.4) lib/action_controller/metal/request_forgery_protection.rb:286:in `handle_unverified_request'
actionpack (7.0.8.4) lib/action_controller/metal/request_forgery_protection.rb:275:in `verify_authenticity_token'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:400:in `block in make_lambda'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:199:in `block (2 levels) in halting'
actionpack (7.0.8.4) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:200:in `block in halting'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:595:in `block in invoke_before'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:595:in `each'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:595:in `invoke_before'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:106:in `run_callbacks'
actionpack (7.0.8.4) lib/abstract_controller/callbacks.rb:233:in `process_action'
actionpack (7.0.8.4) lib/action_controller/metal/rescue.rb:23:in `process_action'
actionpack (7.0.8.4) lib/action_controller/metal/instrumentation.rb:67:in `block in process_action'
activesupport (7.0.8.4) lib/active_support/notifications.rb:206:in `block in instrument'
activesupport (7.0.8.4) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
activesupport (7.0.8.4) lib/active_support/notifications.rb:206:in `instrument'
actionpack (7.0.8.4) lib/action_controller/metal/instrumentation.rb:66:in `process_action'
actionpack (7.0.8.4) lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
activerecord (7.0.8.4) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
actionpack (7.0.8.4) lib/abstract_controller/base.rb:151:in `process'
actionview (7.0.8.4) lib/action_view/rendering.rb:39:in `process'
actionpack (7.0.8.4) lib/action_controller/metal.rb:188:in `dispatch'
actionpack (7.0.8.4) lib/action_controller/metal.rb:251:in `dispatch'
actionpack (7.0.8.4) lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
actionpack (7.0.8.4) lib/action_dispatch/routing/route_set.rb:32:in `serve'
actionpack (7.0.8.4) lib/action_dispatch/journey/router.rb:50:in `block in serve'
actionpack (7.0.8.4) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (7.0.8.4) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (7.0.8.4) lib/action_dispatch/routing/route_set.rb:852:in `call'
railties (7.0.8.4) lib/rails/engine.rb:530:in `call'
railties (7.0.8.4) lib/rails/railtie.rb:226:in `public_send'
railties (7.0.8.4) lib/rails/railtie.rb:226:in `method_missing'
actionpack (7.0.8.4) lib/action_dispatch/routing/mapper.rb:19:in `block in <class:Constraints>'
actionpack (7.0.8.4) lib/action_dispatch/routing/mapper.rb:48:in `serve'
actionpack (7.0.8.4) lib/action_dispatch/journey/router.rb:50:in `block in serve'
actionpack (7.0.8.4) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (7.0.8.4) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (7.0.8.4) lib/action_dispatch/routing/route_set.rb:852:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
newrelic_rpm (9.0.0) lib/new_relic/rack/agent_hooks.rb:30:in `traced_call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
newrelic_rpm (9.0.0) lib/new_relic/rack/browser_monitoring.rb:38:in `traced_call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/tempfile_reaper.rb:15:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/etag.rb:27:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/conditional_get.rb:40:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/head.rb:12:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/http/content_security_policy.rb:36:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.9) lib/rack/session/abstract/id.rb:260:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/cookies.rb:704:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
activerecord (7.0.8.4) lib/active_record/migration.rb:638:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (7.0.8.4) lib/active_support/callbacks.rb:99:in `run_callbacks'
actionpack (7.0.8.4) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/executor.rb:14:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rollbar (3.4.0) lib/rollbar/middleware/rails/rollbar.rb:25:in `block in call'
rollbar (3.4.0) lib/rollbar.rb:145:in `scoped'
rollbar (3.4.0) lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
rollbar (3.4.0) lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
web-console (4.2.0) lib/web_console/middleware.rb:132:in `call_app'
web-console (4.2.0) lib/web_console/middleware.rb:28:in `block in call'
web-console (4.2.0) lib/web_console/middleware.rb:17:in `catch'
web-console (4.2.0) lib/web_console/middleware.rb:17:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/show_exceptions.rb:29:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
railties (7.0.8.4) lib/rails/rack/logger.rb:40:in `call_app'
railties (7.0.8.4) lib/rails/rack/logger.rb:25:in `block in call'
activesupport (7.0.8.4) lib/active_support/tagged_logging.rb:99:in `block in tagged'
activesupport (7.0.8.4) lib/active_support/tagged_logging.rb:37:in `tagged'
activesupport (7.0.8.4) lib/active_support/tagged_logging.rb:99:in `tagged'
railties (7.0.8.4) lib/rails/rack/logger.rb:25:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
sprockets-rails (3.5.1) lib/sprockets/rails/quiet_assets.rb:17:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack-timeout (0.6.3) lib/rack/timeout/core.rb:148:in `block in call'
rack-timeout (0.6.3) lib/rack/timeout/support/timeout.rb:19:in `timeout'
rack-timeout (0.6.3) lib/rack/timeout/core.rb:147:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
request_store (1.5.1) lib/request_store/middleware.rb:19:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/request_id.rb:26:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/method_override.rb:24:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
shopify_app (22.2.1) lib/shopify_app/middleware/jwt_middleware.rb:25:in `call_next'
shopify_app (22.2.1) lib/shopify_app/middleware/jwt_middleware.rb:16:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/runtime.rb:22:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
judoscale-ruby (1.3.0) lib/judoscale/request_middleware.rb:41:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
activesupport (7.0.8.4) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/server_timing.rb:61:in `block in call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/server_timing.rb:26:in `collect_events'
actionpack (7.0.8.4) lib/action_dispatch/middleware/server_timing.rb:60:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/executor.rb:14:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/static.rb:23:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
rack (2.2.9) lib/rack/sendfile.rb:110:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
actionpack (7.0.8.4) lib/action_dispatch/middleware/host_authorization.rb:138:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
railties (7.0.8.4) lib/rails/engine.rb:530:in `call'
newrelic_rpm (9.0.0) lib/new_relic/agent/instrumentation/middleware_tracing.rb:99:in `call'
puma (6.1.1) lib/puma/configuration.rb:269:in `call'
puma (6.1.1) lib/puma/request.rb:98:in `block in handle_request'
puma (6.1.1) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
puma (6.1.1) lib/puma/request.rb:97:in `handle_request'
puma (6.1.1) lib/puma/server.rb:431:in `process_client'
puma (6.1.1) lib/puma/server.rb:233:in `block in run'
puma (6.1.1) lib/puma/thread_pool.rb:147:in `block in spawn_thread'
newrelic_rpm (9.0.0) lib/new_relic/agent/tracer.rb:432:in `block (2 levels) in thread_block_with_current_transaction'
newrelic_rpm (9.0.0) lib/new_relic/agent/tracer.rb:356:in `capture_segment_error'
newrelic_rpm (9.0.0) lib/new_relic/agent/tracer.rb:431:in `block in thread_block_with_current_transaction'
source=rack-timeout id=91d62be5-6575-4d8a-866e-8802f542138a timeout=15000ms service=228ms state=completed

Seems like this might be the same issue raised in https://github.com/Shopify/shopify_app/issues/1286 which was automatically closed by the developer-hostile bot without anyone from Shopify ever looking at it.

paulomarg commented 1 month ago

Hey, thanks for raising this. I'll add it to our tracking, and we'll look into it!

nusken commented 1 month ago

Is there any update on this issue @paulomarg?

paulomarg commented 1 month ago

No updates yet, but this is high in our current list of priorities!

nusken commented 1 month ago

Any workaround to fix this issue? I keep getting stuck in an infinite loop whenever I try to install the app.

paulomarg commented 1 month ago

Hey folks, I'm investigating this but I haven't been able to reproduce it. I created an app from scratch, and the token was valid when I tried to login (/api/auth in the latest template, but it also calls ShopifyApp::SessionsController#create). If I change the token in the client, it fails, so it looks like the check itself is OK there.

Worth pointing out that this is just a regular Rails form with a regular csrf_meta_tags in the layout, so the token itself should be valid.

Judging from the logs, it looks like the token is present in the POST request, so it might be getting the wrong token somehow. Could you please:

I've seen reports online that setting this in the application config might help (not a final solution, but may guide the fix):

config.action_dispatch.default_headers.merge!('Cache-Control' => 'no-store, no-cache')

Hope this helps!
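To make the failure mode in the comment above concrete, here is an added, stand-alone Ruby model of how Rails masks and verifies the `authenticity_token` that `csrf_meta_tags` and the login form carry. It is example code written for this thread, not code from shopify_app or from Rails itself; `FakeSession`, the scenario methods and the constructed tokens are assumptions made for the demonstration. It shows why a token that is syntactically present in the POST (as in the debug log) can still fail: the token only unmasks to the secret of the session that rendered the page, so a page served from cache to a browser with a different or missing session fails verification exactly like a forged token does, which is what the `Cache-Control: no-store, no-cache` suggestion is meant to rule out.

```ruby
require "securerandom"
require "base64"

# Length of the raw per-session secret; Rails uses 32 bytes as well.
TOKEN_LENGTH = 32

# Minimal stand-in (assumption for this example) for the Rails session store:
# one random secret per browser session, kept server-side or in the cookie.
class FakeSession
  attr_reader :csrf_token

  def initialize
    @csrf_token = Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
  end
end

# XOR two equal-length binary strings byte by byte.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so a mismatch position does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The masked token a rendered page embeds (meta tag / hidden form field).
# The secret is XORed with a fresh one-time pad so every page load carries a
# different token while still unmasking to the same session secret.
def masked_token(session)
  raw = Base64.strict_decode64(session.csrf_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, raw))
end

# Verification as a controller performs it on POST: decode, split pad and
# masked half, unmask, and compare with the secret of the *current* session.
def valid_token?(session, submitted)
  return false if session.nil? || submitted.nil?
  decoded = begin
    Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false                       # not base64 at all
  end
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), Base64.strict_decode64(session.csrf_token))
end

# Scenario 1: page rendered and submitted within the same session -> accepted.
def scenario_fresh_page
  session = FakeSession.new
  valid_token?(session, masked_token(session))
end

# Scenario 2: the page (and its token) was rendered for an earlier session and
# served again from a cache, but the browser now holds a different session.
# The token is present and well-formed, yet verification fails.
def scenario_cached_page_new_session
  earlier_session = FakeSession.new
  token_from_cache = masked_token(earlier_session)
  current_session = FakeSession.new
  valid_token?(current_session, token_from_cache)
end

# Scenario 3: the session cookie did not arrive with the POST at all.
def scenario_no_session
  valid_token?(nil, masked_token(FakeSession.new))
end

# Scenario 4: a single flipped byte in the masked half (tampering) -> rejected.
def scenario_tampered_token
  session = FakeSession.new
  bytes = Base64.strict_decode64(masked_token(session)).bytes
  bytes[TOKEN_LENGTH] ^= 0x01
  valid_token?(session, Base64.strict_encode64(bytes.pack("C*")))
end

if __FILE__ == $PROGRAM_NAME
  puts "fresh page:          #{scenario_fresh_page}"
  puts "cached page:         #{scenario_cached_page_new_session}"
  puts "no session:          #{scenario_no_session}"
  puts "tampered token:      #{scenario_tampered_token}"
end
```

Scenarios 2 and 3 both surface in a Rails log as the same "Can't verify CSRF token authenticity." line, so the log alone cannot distinguish a stale cached token from a missing session cookie; checking whether the `_session_id` (or app-named) cookie is actually sent with the POST, and whether the login page is served with `no-store`, separates the two.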

github-actions[bot] commented 1 month ago

We are closing this issue because we did not hear back regarding additional details we needed to resolve this issue. If the issue persists and you are able to provide the missing clarification we need, feel free to respond and reopen this issue.

We appreciate your understanding as we try to manage our number of open issues.