Access denied mystery

New Member

I am writing a custom shipping app in Python Flask using the Shopify API library. The app listens for the order paid webhook and then calls the REST API using Basic Auth to check the stock amount and set a custom field on the order. It seems that about 90% of attempts to connect to the REST API are rejected with a 403 Access Denied message; however, the webhook keeps retrying until success and my test cases are eventually completing correctly. The client of course wants their custom app to be as close to real time as possible.

I am at a loss as to why the same credentials are allowed / fail to authenticate randomly.

 

I captured the headers from the log file where the attempt to connect to the API is rejected:

----------------------
pyactiveresource.connection.ForbiddenAccess: Response(code=403, body="b'{"errors":"[API] Invalid Username provided for Basic Auth API access"}'", headers={'Date': 'Fri, 04 Sep 2020 13:05:19 GMT', 'Content-Type': 'application/json; charset=utf-8', 'Transfer-Encoding': 'chunked', 'Connection': 'close', 'Set-Cookie': '__cfduid=d728850c91c5ab50a45af145cbc334e951599224719; expires=Sun, 04-Oct-20 13:05:19 GMT; path=/; domain=.myshopify.com; HttpOnly; SameSite=Lax', 'X-Sorting-Hat-PodId': '160', 'X-Sorting-Hat-ShopId': '40221376673', 'Vary': 'Accept-Encoding', 'Referrer-Policy': 'origin-when-cross-origin', 'X-Frame-Options': 'DENY', 'X-ShopId': '40221376673', 'X-ShardId': '160', 'Strict-Transport-Security': 'max-age=7889238', 'X-Request-Id': '95cb11e2-752b-4fdb-a342-5f3074fefed8', 'X-Shopify-Stage': 'production', 'Content-Security-Policy': "default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.us.shopifycs.com https://js-agent.newrelic.com https://bam.nr-data.net https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com https://widget.intercom.io https://js.intercomcdn.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=show&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fproducts&source%5Bsection%5D=admin_api&source%5Buuid%5D=95cb11e2-752b-4fdb-a342-5f3074fefed8", 'X-Content-Type-Options': 'nosniff', 'X-Download-Options': 'noopen', 'X-Permitted-Cross-Domain-Policies': 'none', 'X-XSS-Protection': '1; mode=block; 
report=/xss-report?source%5Baction%5D=show&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fproducts&source%5Bsection%5D=admin_api&source%5Buuid%5D=95cb11e2-752b-4fdb-a342-5f3074fefed8', 'X-Dc': 'gcp-us-central1,gcp-us-central1', 'set-cookie': '__cfduid=d728850c91c5ab50a45af145cbc334e951599224719; expires=Sun, 04-Oct-20 13:05:19 GMT; path=/; domain=.myshopify.com; HttpOnly; SameSite=Lax', 'CF-Cache-Status': 'DYNAMIC', 'cf-request-id': '04fad1bed60000ed67b0822200000001', 'Expect-CT': 'max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"', 'Server': 'cloudflare', 'CF-RAY': '5cd7ebde2db0ed67-SJC', 'alt-svc': 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400'}, msg="Forbidden")
----------------------

Shopify Partner

What is the request you are sending to get this response?

Was this helpful? Press like!
Did it fix the problem? Mark it as the solution for others!
Buy me a beer? Well, sure!
Shopify Expert

Since when can you even make an API call with Basic Auth? What is a Username to you? What are you doing? Are you not using a token like everyone else?

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Shopify Partner

@HunkyBill since about 2016.

Maybe read the docs?

https://shopify.dev/tutorials/authenticate-a-private-app-with-shopify-admin#make-authenticated-requests

There are limitations to Basic Auth but I suspect the OP's issue is with Flask's handling of cookies, rather than the auth method.

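One way to check the two leads in this thread (the "Invalid Username" error body and the cookie suspicion) is to audit what each outgoing request actually presents as identity. This is an added example, not code from any poster or from the Shopify library; the shop name, credentials, API version path and the helper names `build_request` and `audit_outgoing` are assumptions made for illustration.

```python
import base64
import urllib.request

def build_request(shop, api_key, password, path):
    """Stateless Basic Auth request: credentials in the header, no cookie jar."""
    token = base64.b64encode(f"{api_key}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{shop}.myshopify.com{path}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )

def audit_outgoing(headers, expected_api_key):
    """Summarise the identity a request presents, without exposing the password."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, _, blob = h.get("authorization", "").partition(" ")
    findings = {"has_cookie": "cookie" in h, "scheme": scheme or None,
                "username_ok": False}
    if scheme.lower() == "basic":
        try:
            user = base64.b64decode(blob, validate=True).decode().partition(":")[0]
        except ValueError:  # covers malformed base64 and undecodable bytes
            user = None
        findings["username_ok"] = user == expected_api_key
    return findings

# Constructed sample values (placeholders, not real credentials).
API_KEY = "API_KEY_PLACEHOLDER"
GOOD = build_request("example-shop", API_KEY, "PASSWORD_PLACEHOLDER",
                     "/admin/api/2020-07/shop.json")
# Constructed "suspect" request: a replayed cookie and a different username.
SUSPECT = {
    "Authorization": "Basic " + base64.b64encode(b"someone-else:x").decode(),
    "Cookie": "session=constructed-value",
}

if __name__ == "__main__":
    print(audit_outgoing(dict(GOOD.header_items()), API_KEY))
    print(audit_outgoing(SUSPECT, API_KEY))
```

Logging the output of `audit_outgoing` next to each 403 shows whether rejected requests differ from accepted ones in username or cookie presence, while keeping the password out of the logs.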