Opening the App from Shopify Admin goes back to OAuth.php every time even the app is installed

[chetanmenaria]

Hi, I know this questions has been asked before but believe me i have read every issue in the repo. I've installed my app successfully and added an auto sign-in functionality to my app already, but........

My first question is what should be my App URL (Your recommendation)?

1. https://mysite.com/app/oauth or
2. https://mysite.com/app/ or
3. https://mysite.com/app/install

My problem is if i use the https://mysite.com/app/install it'll redirected back to the same url.

If i use the https://mysite.com/app/ URL which i like & it loads perfectly in the Shopify Admin but then the app will never be installed because it won't load the oauth.php

If it use the https://mysite.com/app/oauth then the App is getting installed but the main problem with this is that whenever i try to go to the App from the Shopify Admin the iFrame loads after redirecting from the https://mysite.com/app/oauth URL to the index.php so how do i prevent it? how can i click on the App from the Shopify Admin and it loads in the iFrame immediately instead of going to https://mysite.com/app/oauth and then create the iFrame?

One more thing I checked most of the apps in the Shopify App Store has the URL https://apps.shopify.com/appname/install & after that it redirect quickly to oAuth.php but when i do that, i mean https://mysite.com/app/install?shop=xxxxxx.myshopify.com it loads You are about to be redirected to https://mysite.com/app/oauth where the installation process will begin. i need help with that too.

Hope it's not much trouble, Thanks in advance

[myjanky]

Sorry for a late reply. Without going through too much details, I want you to think about what you intend to do with your app in the admin. Then look into redirecting your page after Oauth. It is very important that you understand the oauth and the redirects that need to happen to get your app to where it needs to be.

One other thing is that many sdk users do not setup a mechanism to get a permanent token and save it in a DB or other storage media to access when the app is clicked on.

Look at line 31 and 18 of oauth.php. Instead of echo just do a redirect header("location: /relative url...")

I can help you get things going.

[chetanmenaria]

Thanks man! i'm extremely happy to see you reply :) sorry i got lost in the holidays. I can really use your help. is there's a way where i can share my code where you can look into it? thank you

[HiralShah91]

Hello

I'm facing same issue for outh.php After installing app successfully while I'm clicking on app name from shopify admin it again redirects to outh.php

I have to keep the app url pointing to oauth.php otherwise the app wont install, this also means that after installation the app redirects to oauth and oauth redirects to index.php since there everything ok, but when I click on the banner of my app from the store administration, shopify redirects me to oauth.php and again it is checking for "is_valid_request". which results "Invalid Request! Request or redirect did not come from Shopify"

Please help :(

[chetanmenaria]

Here's what i did to resolve this.

In your Partner Portal: App URL: https://domain.com/app/oauth or https://domain.com/app/oauth.php

Whitelisted redirection URL(s): https://domain.com/app/ https://domain.com/app/oauth https://domain.com/app/install

now if that's what you have in your form fields then let's got to the code:

Your oauth.php should look like this: ` session_start();

require __DIR__.'/vendor/autoload.php';
use phpish\shopify;

require __DIR__.'/conf.php';

# Guard: http://docs.shopify.com/api/authentication/oauth#verification
// shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

# Step 2: http://docs.shopify.com/api/authentication/oauth#asking-for-permission
if (!isset($_GET['code']))
{
    $permission_url = shopify\authorization_url($_GET['shop'], SHOPIFY_APP_API_KEY, array('read_products'));
    $permission_url = $permission_url . '&redirect_uri='.SHOPIFY_REDIRECT_URL;
    die("<script> window.location.href='$permission_url'</script>");
}

# Step 3: http://docs.shopify.com/api/authentication/oauth#confirming-installation
try
{
    # shopify\access_token can throw an exception
    $oauth_token = shopify\access_token($_GET['shop'], SHOPIFY_APP_API_KEY, SHOPIFY_APP_SHARED_SECRET, $_GET['code']);

    $_SESSION['oauth_token'] = $oauth_token;
    $_SESSION['shop'] = $_GET['shop'];

    header("Location: index.php");
}
catch (shopify\ApiException $e)
{
    # HTTP status code was >= 400 or response contained the key 'errors'
    echo $e;
    print_R($e->getRequest());
    print_R($e->getResponse());
}
catch (shopify\CurlException $e)
{
    # cURL error
    echo $e;
    print_R($e->getRequest());
    print_R($e->getResponse());
}`

This mechanism means every time you open the app, it'll refresh the access token and save it in the session automatically, thanks to our friend @myjanky for that. so you basically don't need to save the access token in the DB or anywhere it'll do it on it's own.

And one more thing, sometimes it's the browser cache issue, i faced that a lot so i recommend you clear the cache and run the app in the incognito.

Hope this helps. Cheers

[X4nd0R]

I do not believe this project is active anymore so I am going to drop a comment in here that explains a few things about pointing to Oauth.php every time as well as link to my bare-bones PHP Shopify app that works out of the box with current Shopify standards/API.

TLDR; The fact of calling Oauth everytime even after install is working as intended but this project is out of date. You may find a current up-to-date, working one here: https://github.com/XenithTech/php-shopify-app-skeleton

---

Essentially the issue of having to point to Oauth every time is not actually an issue. This is how Shopify intends this to work. Every time the store connects to your store, it needs to go back through the Oauth handshake. This is to maintain security of the app. Reason being, the app is accessed directly through a GET request and inside an iframe. This environment means that without a new Oauth handshake every time, a hacker could simply head to the URL of your app with the Shop URL parameter to get immediate access (requiring a login on your app's side can help fix this but Shopify doesn't require this and Oauth is more guaranteed to have good security because of the way the hand shake works. Even on top of this though, there should be added security on your end after the Oauth.

Basically what Shopify does is send the Oauth and if the app has already been installed and the required scope/permissions of the app have not changed then it just continues on and directs to your redirect URL. Once there, you can handle however you like but for good user experience it should always have a common start point or "homepage" of the app. And then the user can navigate to where they need in the app from here. This is how pretty much all professional apps for Shopify operate.

If you are having troubles getting this one working with Shopify's current API/Oauth handshake (this project is out of date and not being maintained) feel free to check out my PHP bare-bones app. It will get you started getting the install/Oauth handshake taken care of out of the box. You may find it here: https://github.com/XenithTech/php-shopify-app-skeleton

It does not currently have a Shopify API/middleware setup on it but the API calls are pretty straightforward so you should be able to roll from there. It does have added security measures that do require a DB to operate but there are full instructions on how to get everything setup. I have personally walked through the instructions after writing them to verify they do work but if there is an issue feel free to report it on that project and I will actively find a solution. Hope this helps y'all as well as people coming here from Google trying to get started writing a Shopify app in PHP because all Googling for that ends here and this unfortunately is no longer working properly or maintained.