I'm creating a new app and ran into this issue after installing the app in my test store, didn't customize any Shopify related code.
The infinite loop starts when I click the app on the store's list of installed apps.
Versions:
Rails server logs that shows the infinite loop:
Started GET "/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com×tamp=1598059348" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by HomeController#index as HTML
Parameters: {"hmac"=>"0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff", "locale"=>"en", "session"=>"f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1", "shop"=>"storeurl.myshopify.com", "timestamp"=>"1598059348"}
Redirected to http://abc.sa.ngrok.io/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com
Completed 302 Found in 43ms (ActiveRecord: 0.0ms | Allocations: 7089)
Started GET "/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by ShopifyApp::SessionsController#new as HTML
Parameters: {"return_to"=>"/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com×tamp=1598059348", "shop"=>"storeurl.myshopify.com"}
Rendering /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.6ms | Allocations: 248)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.3ms | Allocations: 114)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.2ms | Allocations: 113)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.4ms | Allocations: 184)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 39.4ms | Allocations: 12755)
Completed 200 OK in 45ms (Views: 44.2ms | ActiveRecord: 0.0ms | Allocations: 14612)
Started GET "/granted_storage_access?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by ShopifyApp::SessionsController#granted_storage_access as HTML
Parameters: {"return_to"=>"/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com×tamp=1598059348", "shop"=>"storeurl.myshopify.com"}
Redirected to http://abc.sa.ngrok.io/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com×tamp=1598059348
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 399)
Started GET "/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com×tamp=1598059348" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by HomeController#index as HTML
Parameters: {"hmac"=>"0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff", "locale"=>"en", "session"=>"f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1", "shop"=>"storeurl.myshopify.com", "timestamp"=>"1598059348"}
Redirected to http://abc.sa.ngrok.io/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com
Completed 302 Found in 2ms (ActiveRecord: 0.0ms | Allocations: 576)
Started GET "/login?return_to=%2F%3Fhmac%3D0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff%26locale%3Den%26session%3Df64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1%26shop%3Dstoreurl.myshopify.com%26timestamp%3D1598059348&shop=storeurl.myshopify.com" for 2804:14c:8782:9312:6538:5840:a987:d051 at 2020-08-21 22:22:29 -0300
Processing by ShopifyApp::SessionsController#new as HTML
Parameters: {"return_to"=>"/?hmac=0f82d72949292546c12c4a9c173c8099d04f47f53897ad78b8b60a9d05fba9ff&locale=en&session=f64b9b51cb8fd00bd412d4e5dd4db4b0ec6108e077f5bc8ce824bd00d113f1c1&shop=storeurl.myshopify.com×tamp=1598059348", "shop"=>"storeurl.myshopify.com"}
Rendering /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/cayomedeiros/.rvm/gems/ruby-2.6.5@store-reviewer/gems/shopify_app-14.1.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 5.7ms | Allocations: 2300)
Completed 200 OK in 9ms (Views: 6.1ms | ActiveRecord: 0.0ms | Allocations: 3116)
I actually just started having the exact same issue with an app that's been running without issue for years and hasn't been updated.
Versions:
It started to happen to an old app I have as well, apparently when we changed:
class ShopsController < ShopifyApp::AuthenticatedController to class ShopsController < ApplicationController; include ShopifyApp::Authenticated
If this started recently this may be due to the SameSite Cookie requirements rolled out recently. Is this happening in production? Are you using https?
@ClearMarble You are on a version too old to have the samesite middleware so it is very likely that your app does not function in chrome at least.
I have the same issue when I go to upgrade the version of the gem. Our production environment is on version 12.0.2 and is not experiencing this issue. However, when I try to update my staging environment, this issue comes up. I tried staging versions 13.1 and 14.2, both are not working.
Same issue here.
It happens for some, but not for all shops it seems.
shopify_api (9.2.0)
shopify_app (14.1.0)
ruby '2.6.6'
'rails', '5.2.2'
The shops are having valid shopify_tokens.
We've recently started to experience the same infinite redirect issue as captured by the reporter, @yogodoshi. Initially, we agreed with @tanema, thinking the issue stemmed from Chrome's recent(ish) changes to block insecure SameSite cookies. The very helpful @DaveEshopGuide highlighted that Chrome's new behaviour can be disabled via chrome://flags

Unfortunately, disabling Chrome's behaviour to enforce secure SameSite cookies has not resolved the infinite redirect error. It seems, therefore, that Chrome's change in cookie policy is a red-herring.
Until now we've been running an (admittedly outdated) version of the shopify_app gem, 8.4.0, so we've just upgraded to the latest release, 14.2.0. Unfortunately, upgrading the shopify_app gem doesn't appear to have resolved the infinite redirect issue.
Here's information about our Stack:
Ruby: 2.5.8
Rails: 5.2.4
shopify_app: 14.2
And the browsers we've tested with:
Google Chrome: 84.0.4147.135 (Official Build) (64-bit) (MacOS). Page gets stuck in infinite redirect.
FireFox: 79.0 (64-bit) (MacOS). Page loads successfully
We'd be very grateful of any support/advice that can be offered. In return, we'll be happy to help with testing or provide any additional information as required. Thank you! โ๐ผ
@dvjones89 you kann easily test this by disabling the forced samesite:None/secure cookies via chrome://flags
I am experiencing the issue although we are setting the cookie correctly

I think the samesite cookie thing was introduced as a rack middlewhere in January 2020 in the shopify_app gem. So that's at least for us not the issue here.
I further digged into this today and using an activerecord session store it seems, that the session-id you can see in the frontend never gets written into the session table in the database, which is the case for shops where this works.
Thank you very much for your super-helpful reply, @DaveEshopGuide. Indeed, I've just disabled the cookies-without-same-site-must-be-secure Chrome flag and it hasn't resolved the redirect issue. It seems, therefore, that the change in Chrome's cookie policy was a red-herring and I've updated my comment above accordingly ๐ .
It sounds like you're making good progress on troubleshooting the issue, though it seems odd that an issue that relates to database updates (or lack thereof) could vary between front-end browser?
Thanks for all the work you've done so far in troubleshooting ๐
@dvjones89 Thanks, happy to help.
To be exact the setting to turn off the change google introduced is this one I reckon:

I think the database is really secondary here, I also tried setting
Rails.application.config.session_store :active_record_store to
Rails.application.config.session_store :cookie_store, same thing.
Key issue here being the session not being correctly passed/persisted to the server side somehow.
Cheers,
Dave
Okay so I have a small suspicion of what is happening if it is not same-site. How do you initialize your authentication? I have a small suspicion that the login process is setting a return_to value as the login path so that after a successful login, it redirects back to start the auth process again.
To validate this, I would check the oauth call to shopify and check the oauth params for a return_to path. I just check the code and there is no check if the return_to value is the authentication path.
Hi @tanema ๐ Thanks for your reply, I really appreciate your help.
As you suggested, I've checked the return_to param in our OAuth call and can see that it's simply set to the root URL of our Rails application. It doesn't appear, therefore, that the problem is caused by sending the user back to the login page after successful authentication.
In an effort to simplify the issue, I've created a brand new Rails app running the latest version the shopify_app gem. With the exception of adding my serverless.social URL to the config.hosts array (config/environments/development.rb), I haven't changed any of the code. This is a fresh Rails app after having run rails generate shopify_app.
I'm sorry to report that, even when running this minimal test-case, the redirect issue is still present in Google Chrome:
Started GET "/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#new as HTML
Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
Rendering /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.1ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 2.9ms | Allocations: 2229)
Completed 200 OK in 5ms (Views: 3.5ms | ActiveRecord: 0.0ms | Allocations: 3058)
Started GET "/granted_storage_access?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#granted_storage_access as HTML
Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
Redirected to http://lazy-seahorse-34.serverless.social/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 397)
Started GET "/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by HomeController#index as HTML
Parameters: {"hmac"=>"3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a", "locale"=>"en", "session"=>"1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c", "shop"=>"talking-tables-test-store.myshopify.com", "timestamp"=>"1598951543"}
Redirected to http://lazy-seahorse-34.serverless.social/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Allocations: 576)
Started GET "/login?return_to=%2F%3Fhmac%3D3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a%26locale%3Den%26session%3D1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c%26shop%3Dtalking-tables-test-store.myshopify.com%26timestamp%3D1598951543&shop=talking-tables-test-store.myshopify.com" for 109.154.151.20 at 2020-09-01 10:12:47 +0100
Cannot render console from 109.154.151.20! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#new as HTML
Parameters: {"return_to"=>"/?hmac=3a79e76e7c5ef71d7f02e15175d0dc2116aa431f8c2ea11d97f5593e9dfeaf9a&locale=en&session=1d67b8164ac461dc20dc8a62d371cfc37e3345f137436a6c05b5e111b12f328c&shop=talking-tables-test-store.myshopify.com×tamp=1598951543", "shop"=>"talking-tables-test-store.myshopify.com"}
Rendering /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_layout_styles.html.erb (Duration: 0.0ms | Allocations: 6)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_typography_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_card_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/partials/_button_styles.html.erb (Duration: 0.0ms | Allocations: 5)
Rendered /Users/dave/.gem/ruby/2.6.5/gems/shopify_app-14.2.0/app/views/shopify_app/sessions/request_storage_access.html.erb (Duration: 2.5ms | Allocations: 2222)
Completed 200 OK in 4ms (Views: 2.9ms | ActiveRecord: 0.0ms | Allocations: 3037)
@tanema Would you mind cloning my minimal Rails app and running it locally in Google Chrome? You'll obviously need to set ENV['SHOPIFY_API_KEY'] and ENV['SHOPIFY_API_SECRET'] and somehow forward your localhost to the internet (ngrok or localtunnel for example). I expect this will be enough to allow you to reproduce the issue.
Thanks again for all your help and support ๐
Okay I still cannot reproduce this and this is what I have done
config.hosts because i do not need that hostshopify connect to get my app config and populate my .env fileshopify srv which does the following for meI am using
Chrome: Version 84.0.4147.135
ruby: 2.6.5
rails (6.0.3.2)
shopify_app (14.3.0)
shopify_api (9.2.0)
omniauth-shopify-oauth2 (2.2.2)
Is there any chance that you are using extra strict cookie policies in your browsers or extensions for cookies, or even ad blockers that might be preventing this?
Hi @tanema ๐ Thanks for your reply, it's super-helpful to see the exact steps you're taking to setup and run the Rails app. After a bit of Googling, I've discovered that the shopify connect and shopify serve commands are part of the Shopify CLI tool, something that I wasn't aware of and haven't been using until now. It's brilliant!
To my delight, I've found that booting the application using shopify serve rather than bundle exec rails server, allows me to visit the Shopify app in Google Chrome without the redirect issue. Looking at the code for shopify serve, I think it's simply running rails server, so I don't think there's anything too different there.
Another key difference is the (automatic) use of ngrok to forward my localhost as, until now, I've been forwarding using localtunnel. I wonder if that somehow makes a difference, though it wouldn't explain why we're seeing the redirect issue in production (hosted on Heroku) ๐ค
In summary, now that you've shared a method to boot the app without the redirect issue, I can start to unpick the differences and hopefully have that "eureka" moment. I'll report back here when I know more. Thanks for all your help!
@dvjones89 and @tanema Thanks for digging further into this. I didn't really have the time to push this forward in the last few days but am also super excited to know what might be causing this.
We are also hosting on heroku btw.
I am also in contact with shopify dev support about this and I'll update you if I hear anything of value.
Cheers โ๐ผ
@tanema Same here. All of a sudden this day, we experienced this issue in one of our production apps. We hosted it also in Heroku.
ruby (2.5.3)
rails (5.2.1.1)
shopify_app (12.0.0)
shopify_api (9.1.0)
omniauth-shopify-oauth2 (2.2.2)
I just realized this thread is similar to what I just posted about: https://github.com/Shopify/shopify_app/issues/1069. I am also hosting on Heroku.
In my case I built the app with shopify-cli-tool and it's not redirecting to /granted_storage_access, but hits home controller then keeps redirecting to /login?return_to
Screencast taken from my rejected app submission: https://screenshot.click/10-29-0rn45-lhxy2.mp4
I cannot reproduce this issue on my end - it works fine on iPad, I've followed the Chrome SameSite troubleshooting guide from Shopify and it works on Safari as well. I am stumped.
We have been getting lots of support inquiries as well due to similar error. We are considering switching to JWT but that's quite buggy right now.
@tanema any update on this? I've tried emailing my Shopify app reviewer asking him which browser / emulator and settings he was using so I can try and reproduce the issue, to no avail. At this point this is blocking for me and I'm not sure if I should wait for a fix, attempt to migrate to JWT, or just abandon the shopify_app gem. Thank you.
Same here, @derrickrc, I also stopped the developing any feature/improvement on an app because of this issue.
I am trying to dig deeper to see why this error is being thrown (see screenshot). However, I can't seem to find the error string in any github repo (perhaps someone else can?)

Hi folks, I did some further investigation today, comparing logs for healty and unhealthy requests from 2 different stores and I have a suspicion of what might be going on, at least in my case.
My HomeController is derived from ShopifyApp::AuthenticatedController which includes ShopifyApp::LoginProtection.
Now ShopifyApp::LoginProtection does this
rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
and it happens, that my HomeController also makes requests via ActiveResource to another service.
If those requests fail with UnauthorizedAccess, the users session is closed, because of "rescue_from ActiveResource::UnauthorizedAccess, with: :close_session"
@tanema is there any way you could check if the ActiveResource::UnauthorizedAccess is coming from requests to shopify and exclude requests to other services?
I verified that the requests I make to the third party service are working for the healthy store and failing for the one that has the redirect to login issue.
Btw. my previous post was deleted because of some tokens included in the logfile I attached. Appreciate shopify's/githubs security awareness here.
Cheers,
Dave
Some further info on why this was so seemingly random: In the third party service we are using it was possible for the user to "accidentally" change his API key (which we store in the app DB). The invalid key then resulted in the ActiveResource::UnauthorizedAccess response. resulting in the behaviour described above.
As a workaround I specifically rescued these calls now inside the controller clearing the Key from our DB in response. This way the app customer can at least enter the app again and enter his new key.
Cheers,
Dave
Hi, any solution to this. I developed an app and it has the same issue. I set the cookie same site attribute with secure_headers gem. I also used the rails_same_site_cookie gem. But nothing works.
Hi @Shine18 regarding the SameSite Cookie Policy you should be fine when using the latest shopify_app gem. They included the correct cookie behaviour as a rack middleware in the gem earlier this year.
Did you check if the session cookie gets correctly set in the browsers application panel?
It should look something like this:

If that's set, it has to be something else i guess.
Hi @DaveEshopGuide , Thanks for the reply in such short time bro.
I am using the latest shopify_app gem. but still it's not working.
Please see this

The shopify_app comes with samesite functionality built in unless you have disabled it. Are you serving your app with https through a tunnel like ngrok? It will not work without this because for you to have a SameSite=None cookie it must also be Secure and Secure can only be declared on a cookie served over https
@tanema I deployed the app on aws ec2, using nginx and puma. with https.
If you have
Then there must be something else going on. Is it possible that you have config in your nginx setup that is altering your cookies, for instance a proxy_cookie_path setting?
Hi @tanema . Thanks for pointing. That was the exact issue, I have setup proxy server with nginx and puma. and it wasn't setting up the header. I used proxy_cookie_path to set the same site attribute. Again, Thanks for the help. Really, Appreciate it.
This issue still persists with the latest version of shopify_app v16.1.0. Downgrading to v14.3.0 fixed the issue. I don't know if there's some needed settings for version 16.1.0. Is one here using v16.1.0 with no issue?
Just created today (12/Jan) a bare-bones shopify_app using the latest versions of everything using the flag with-cookie-authentication. I can confirm that, when it tries to embed the app, it goes into an infinite loop between
GETย /login | 200 OK
GETย / | 302 Found
GETย /granted_storage_access 302 Found
Versions:
ruby-2.7.0
Rails 6.1.1
shopify_app 16.1.0
Chrome 87.0.4280.141 on Ubuntu 20.04 LTS
Steps:
Disabled same site cookies in chrome://flags/#same-site-by-default-cookies, but no luck.
In the past (a couple of months ago) I have created an app with the same procedure w/o any problem.
Hi @petebof, I believe in your particular case the issue is with rails v>=6.1 - we're currently updating the gem to work with that version of rails. I'll post updates here.
Spot on @paulomarg! Used Rails 6.0.3.4 and it was a breeze. Thank you!
Yes, I too can confirm that there is something wrong with rails v6.1.0. This causes the infinite redirect loop.
When having all the rest of gems as latest versions, but downgrading back to rails v6.0.3, then everything works without any infinite loops.
Continuing to research...
Ok, so - in the rails v6.1.1 project file config/application.rb - try changing the line:
config.load_defaults 6.1
to
config.load_defaults 6.0
Cannot explain yet why, but this seems to make it work - infinite redirect loops disappeared.
Yes @marisveide Rails 6.1 made some config changes in how it handles SameSite cookies, so using a previous version's configs would indeed work around the issue until the gem is fixed.
Spot on @paulomarg! Used Rails 6.0.3.4 and it was a breeze. Thank you!
I have just created a new rails Rails 6.0.3.4 app, I am using the latest version of the shopify_app gem and I am using ngrok.
I set the url of the app to the ngrok domain: https://{identifier}.ngrok.io/ and the allowed redirect uris to:
https://identifier.ngrok.io/auth/shopify/callback
http://localhost:3000/auth/shopify/callback
And I am seeing the redirect loop in my logs when browsing the app in either of the domains. And eventually I am left at the store admin/apps page with this message:

Should I start my new app using rails 5 instead?
UPDATE: I tested using safari, firefox and brave browser.
UPDATE 2: I ran the default generator of shopify_app.
Hey @miguelperez, can you please confirm a few things for me? I'm currently investigating an issue with the generator that might lead to this scenario.
shopify_app.rb initializer, what are the values of:config.embedded_app
config.allow_jwt_authentication
config.allow_cookie_authentication
shopify_app gem being used?home_controller.rb inherit from AuthenticatedController or ApplicationController?If you're on v17, and your Home controller is authenticated but your app is embedded, you are running into the issue I'm working on. If that is the case, you can replace your Home controller with the following as a temporary workaround:
class HomeController < ApplicationController
include ShopifyApp::EmbeddedApp
include ShopifyApp::RequireKnownShop
def index
@shop_origin = current_shopify_domain
end
end
UPDATE: This has been fixed under v17.0.3, please update your gem if you run into this issue.
Hey @paulomarg, thanks for your reply:
config/initializers/shopify_app.rb
unless defined? Rails::Generators
ShopifyApp.configure do |config|
config.application_name = "My Shopify App"
config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY. See https://github.com/Shopify/shopify_app#api-keys')
config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET. See https://github.com/Shopify/shopify_app#api-keys')
config.old_secret = ""
config.scope = "read_products" # Consult this page for more scope options:
# https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
config.embedded_app = true
config.after_authenticate_job = false
config.api_version = "2021-01"
config.shop_session_repository = 'Shop'
config.allow_jwt_authentication = true
config.allow_cookie_authentication = false
end
end
# ShopifyApp::Utils.fetch_known_api_versions # Uncomment to fetch known api versions from shopify servers on boot
# ShopifyAPI::ApiVersion.version_lookup_mode = :raise_on_unknown # Uncomment to raise an error if attempting to use an api version that was not previously known
What is the version of the shopify_app gem being used?
shopify_app (17.0.2)
Home Controller
# frozen_string_literal: true
class HomeController < AuthenticatedController
def index
@products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
@webhooks = ShopifyAPI::Webhook.find(:all)
end
end
I changed the home controller to the one you provided and can confirm that the app is rendered in the iframe.!!! ๐

The only caveat is that I would need to define some things for the shopify_api to fetch the products, but I can now work on my app!
THANKS
Ok, so - in the
rails v6.1.1project fileconfig/application.rb- try changing the line:config.load_defaults 6.1to
config.load_defaults 6.0Cannot explain yet why, but this seems to make it work - infinite redirect loops disappeared.
Another solution would be setting old cookies_same_site_protection value in rails v6.1.1:
# config/application.rb
# Initialize configuration defaults for originally generated Rails version.
config.load_defaults 6.1
config.action_dispatch.cookies_same_site_protection = nil
@paulomarg
I created today (07/Feb) a vanilla shopify_app using the versions. I can confirm that, when it tries to embed the app, it goes into an infinite loop between
GET / | 302 Found
GET /login | 200 OK
GET /login | 302 Found
GET /auth/shopify 302 Found
ShopifyApp.configure do |config|
config.application_name = ENV.fetch('APPLICATION_NAME', '').presence || ""
config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY')
config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET')
config.old_secret = ""
config.scope = "read_products, read_orders"
config.embedded_app = true
config.after_authenticate_job = false
config.api_version = "2021-01"
config.shop_session_repository = 'Shop'
config.allow_jwt_authentication = true
config.allow_cookie_authentication = false
end
Versions:
ruby-2.7.2
Rails 6.0.3.4
shopify_app 17.0.5
Chrome 88.0.4324.150 on Ubuntu 18.04 LTS
Hey @onahkenneth, can you please confirm whether your app's home_controller.rb inherits from AuthenticatedController or ApplicationController? If it is authenticated, you'll want to replace it with the unauthenticated version to stop the infinite loop.
@paulomarg
This is my home_controller.rb
# frozen_string_literal: true
class HomeController < ApplicationController
include ShopifyApp::EmbeddedApp
include ShopifyApp::RequireKnownShop
def index
@shop_origin = current_shopify_domain
end
end
Been banging my head with this issue and my problem was I was on a non-embedded app and with allow_cookie_authentication = false. Allowing the browser to authenticate with cookies solved the issue.
In case you're interested my stack is Rails 5.2.x with shopify_app 17.0.5.
Most helpful comment
Hi @tanema ๐ Thanks for your reply, I really appreciate your help.
As you suggested, I've checked the
return_toparam in our OAuth call and can see that it's simply set to the root URL of our Rails application. It doesn't appear, therefore, that the problem is caused by sending the user back to the login page after successful authentication.In an effort to simplify the issue, I've created a brand new Rails app running the latest version the
shopify_appgem. With the exception of adding myserverless.socialURL to theconfig.hostsarray (config/environments/development.rb), I haven't changed any of the code. This is a fresh Rails app after having runrails generate shopify_app.I'm sorry to report that, even when running this minimal test-case, the redirect issue is still present in Google Chrome:
@tanema Would you mind cloning my minimal Rails app and running it locally in Google Chrome? You'll obviously need to set
ENV['SHOPIFY_API_KEY']andENV['SHOPIFY_API_SECRET']and somehow forward your localhost to the internet (ngrokorlocaltunnelfor example). I expect this will be enough to allow you to reproduce the issue.Thanks again for all your help and support ๐