Shopify_app: Uninstall and installing again is not working - Persistent cookies

Created on 18 Aug 2017  路  14Comments  路  Source: Shopify/shopify_app

Hello, I'm working on an app built with Rails 5.1 (Ruby 2.3.3) and ShopifyApp 7.4.0.

I believe I've narrowed down the cause, but I can't figure out what I'm doing wrong:
If I uninstall and try to install my app again, the browser still sends the original session cookie, which messes up the installation process. If I clear the cookies, everything works.

How can I make sure the cookie is deleted after the app is uninstalled? I haven't done anything different in other app that I have published (7.2.0 and 7.3.0), and the uninstall/install process works just fine. Thank you.

Most helpful comment

In case anyone else runs into this problem, my app also did not call the Shopify API in its root action:

root :to => 'home#index'

Like flavio-b described, just put a Shopify API call in the root route controller action.

In my case:

class HomeController < AuthenticatedController
  def index
    ShopifyAPI::Shop.current
  end
end

This fixed the issue and my app can now be uninstalled and reinstalled without issue. Weird edge case indeed.

All 14 comments

This is a known issue that can't really be avoided since there is no way to know that you need to remove the cookie from the client. I'm pretty sure this issue is present in all versions of this gem.

Thanks Kevin! This problem is holding up an app approval for me. Can I link your reply to the review team? I just don't know why or how my other 2 apps work when I uninstall and install again though. I haven't changed anything in the auth process. I've inspected the requests, and they look similar. On my other apps, even when the browser resends the session cookie, somehow it ignores it, redirects to login and sets a new cookie correctly.

Sure.

I should mention that I think this only affects embedded apps since its the fact that it tries to render inside the admin for an app that doesn't exist anymore that is the problem.

Yeah, that's it. The server seems to assume it's a valid session and tries to render the app. I can see the home screen of the app appear for a second, then it redirects to admin and it gives a "Page not found" for acme.myshopify.com/admin/apps/appkeyhere
My other apps are also embedded though.

I'm pretty sure this happens on your other apps as well then - have you tested them? Are they all configured to use the same Rails session?

Yes, I've just tested them. Please give it a try here and perhaps you can see something I don't:
https://apps.shopify.com/multi-label-barcodes

Edit: Yes, same Rails session using Shop.

I believe you :)

Can you share your session config for each app?

Hm.. I'm not too familiar with Rails yet, but I believe this is the file you're looking for:
config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store, key: '_multi-printer-barcodes_session'

Both working apps are identical except for the key name string. I just realized my new app doesn't have a session_store.rb file... though. Let me know if you need to take a look at any other file.

it might have moved in Rails 5. Can you search for Rails.application.config.session_store or session_store in general?

No, I can't find that config or session_store within the new app files. The other 2 apps are both Rails 5, the new one is 5.1.
There's only a config/initializers/shopify_session_repository.rb file:

if Rails.configuration.cache_classes
  ShopifyApp::SessionRepository.storage = Shop
else
  reloader = defined?(ActiveSupport::Reloader) ? ActiveSupport::Reloader : ActionDispatch::Reloader

  reloader.to_prepare do
    ShopifyApp::SessionRepository.storage = Shop
  end
end

If you use version 8 you don't need that file anymore :)

Can you try adding that session config to your rails 5.1 app (maybe look at the docs for sessions in the new rails in case something changed)

Hi Kevin, thanks for following up. Adding session_config.rb didn't work, but I believe to have found the problem: Check out login_protection.rb . There's a rescue clause there for ActiveResource::UnauthorizedAccess, which closes the session. This wasn't being called on my new app because my root handler does not make any call with ShopifyAPI, so no error was raised.

So, here's what was happening with my working apps, wherever the user goes to reinstall it:

  1. GET / --> There's a session still, so tries execute root action.
  2. Root action calls ShopifyAPI, an error is raised.
  3. Error is rescued inside login_protection.rb, which closes the session and redirects to login.

So, now I've added a _dummy_ ShopifyAPI::Shop.current to my root action and everything works as expected. I'm not sure this is the best way to solve the issue. Any thoughts on this?
Thanks.

Edit: I realize lots of people probably make use of ActiveResource on their root actions, so perhaps this issue is not experienced by many.

Ah that makes sense. I'm glad you figured it out. Your solution makes sense to me

In case anyone else runs into this problem, my app also did not call the Shopify API in its root action:

root :to => 'home#index'

Like flavio-b described, just put a Shopify API call in the root route controller action.

In my case:

class HomeController < AuthenticatedController
  def index
    ShopifyAPI::Shop.current
  end
end

This fixed the issue and my app can now be uninstalled and reinstalled without issue. Weird edge case indeed.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

bhavya-hulkapps picture bhavya-hulkapps  路  5Comments

arialblack14 picture arialblack14  路  5Comments

wlbrough picture wlbrough  路  6Comments

orenmazor picture orenmazor  路  9Comments

vfonic picture vfonic  路  4Comments