Migrating from shop-based to user-based token strategy

[tarekrahme]

Issue summary

Before opening this issue, I have:

• shopify_app version: 21.10

• Ruby version: 3.3.0

• Found a reliable way to reproduce the problem that indicates it's a problem with the package

• Looked for similar issues in this repository

• Checked that this isn't an issue with a Shopify API

I am moving an existing app with existing shops using the app from shop-based token to user-based token
I followed the 3 steps listed here: https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/sessions.md#migrating-from-shop-based-to-user-based-token-strategy

My belief is that it means I keep shops and users at the same time

When I try to install the app I see multiple OAuth attempts in my logs (goes to '/login?host...' then '/auth/shopify/callback?...' multiple times in a row)
Then the webpage shows an error mentioning too many redirects and I am taken back to Shopify Admin and shown an error message that an error occurred with the app

Expected behavior

App is installed / open / goes through OAuth, and user is created or found in the app db (same as what happens with shops basically)

Actual behavior

Error message, multiple OAuth attempts / redirects (as described above)

Steps to reproduce the problem

1. Take an existing app with shop-based token
2. Follow 3 steps to migrate to user-based token (link above)
3. Open app / install app on store

Debug logs

[zzooeeyy]

Hey @tarekrahme, I'm sorry to hear about this issue you have encountered. I tried to reproduce this on my end with a new app created from the Shopify ruby template app to migrate from shop based to user based sessions and I wasn't able to reproduce problem.

But here are some more debugging solutions to get more insight into the issue -

• If your app is non-embedded, ensure the cookies are setup properly
• Capture a HAR file for the OAuth process to analyze network activity during that time.
• Capture debug logs in the app by configuring:

# config/initializers/shopify_app.rb
ShopifyAPI::Context.setup(
#.......
log_level: :debug,
)

[UmerQaisar]

I implemented User Session on my app. shopify_app gem version 21.2.0 and shopify_api gem 12.2.0. I was able to configure this correctly.

While using the shopify_app gem version 21.10 and shopify_api version 13.4.0, I got the same problem.

(Corrected)

[tarekrahme]

Hey @zzooeeyy
Thanks, will try your debugging suggestions
Hey @UmerQaisar
Thanks a lot! This is very interesting, will try changing gem versions!

[tarekrahme]

Hey @UmerQaisar
Are you sure about the versions? They seem incompatible, here is the message I am getting:

[tarekrahme]

@zzooeeyy My app is non-embedded. Would that cause an issue with that migration? What checks can I make to check if the cookies are set correctly?

[tarekrahme]

@zzooeeyy
I dug a bit
I added the callback controller to my code so I can debug step by step

In my gem version (21.10.0) the callback method is:

  def callback
    begin
      api_session, cookie = validated_auth_objects
    rescue => error
      deprecate_callback_rescue(error) unless error.class.module_parent == ShopifyAPI::Errors
      return respond_with_error
    end

    save_session(api_session) if api_session
    update_rails_cookie(api_session, cookie)

    return respond_with_user_token_flow if start_user_token_flow?(api_session)

    perform_post_authenticate_jobs(api_session)
    redirect_to_app if check_billing(api_session)
  end

The issue is happening in

return respond_with_user_token_flow if start_user_token_flow?(api_session)

In fact start_user_token_flow?(api_session) is returning true
The app is being redirected to login and then to callback immediately (no user interaction to OAuth again)
So the app is back to callback method. Goes through it and hits again

return respond_with_user_token_flow if start_user_token_flow?(api_session)

start_user_token_flow?(api_session) returns true once again

etc.. you get the idea. So it gets in this loop 3 times with start_user_token_flow?(api_session) never becoming false.
The app complains there are too many redirects and crashes

I dug into the method start_user_token_flow?

  def start_user_token_flow?(shopify_session)
    return false unless ShopifyApp::SessionRepository.user_storage.present?
    return false if shopify_session.online?

    update_user_access_scopes?
  end

ShopifyApp::SessionRepository.user_storage.present? returns true obviously
shopify_session.online? is false

And update_user_access_scopes? always returns true
So this method is always returning true
This is the method:

  def update_user_access_scopes?
    return true if session[:shopify_user_id].nil?

    user_access_scopes_strategy.update_access_scopes?(shopify_user_id: session[:shopify_user_id])
  end

In my case session[:shopify_user_id] is nil

So this method is always returning true

Do you have any clue about what is not behaving as expected? Maybe session[:shopify_user_id] should not be nil?
I hope this helps pinning down the issue!

Thanks so much!

[zzooeeyy]

Hey @tarekrahme --

session[:shopify_user_id] is set in this method update_rails_cookie in the CallbackController. You could inspect all the api_session object from the requests to your CallbackController and see whether that session[:shopify_user_id] has been set correctly?

[tarekrahme]

Hey @zzooeeyy
Thanks for your suggestion

The issue has disappeared with shopify_app gem version 21.2.0
So it seems like something was working and has stopped working since 🤷🏻‍♂️
I'll have to stay on that gem version until a fix is made

[zzooeeyy]

I'll add this to our backlog and take a look when we get a chance. Thanks!