Embedded Public App: Node backend: Authenticated OK, Access Token received. Immediately invalid

Shopify Partner

Hi there,

As the title suggests - I've done all the groundwork; the install URL, the redirect back to Shopify, retrieve the access token - even loaded my app start page into the Shopify iframe. All good.

BUT - as soon as I attempt to use the retrieved access token - anywhere - I get a 401 Unauthorized error.

I have tried both the GraphQL (Admin, and my preference) and REST endpoints. I have tried to use it to download the GraphQL schema. I have tried Postman, I have tried curl.

What is it that I am missing here?

According to the documentation - which, whilst there is a lot of it, tends to only cover the "happy path" - I am using offline token(s) [docs] that should be valid for as long as the store has my app installed (or, as per docs: "After obtaining offline access to a store, it is only necessary to re-authorize an application after it has been uninstalled, or when the application must request additional access scopes").

The documentation and forum posts cover a lot of ground but not all of it is in sync either.

From my understanding:

  • my (APP) API Key found in the App Setup page on my partner dashboard is used as the client_id to request a one-time code
  • (after validating HMAC) this code is used, along with my (APP) API Key, and my (APP) API Secret Key to request an Access Token
  • this Access Token, is used as a X-Shopify-Access-Token header when requesting from:
  • As long as mystore.myshopify.com has my app installed, this AccessToken should be valid

And my current experience:

  • the OAuth handshake, while painful/tedious, using API Key/Secret/Code etc. works
  • any further request using the AccessToken doesn't work

And further, possibly relevant experience:

  • https://apikey:apisecret@mystore.myshopify.com/admin[/api.graphql | shop].json emits 401
  • header 'Authorization: Basic [encrypted apikey/apisecret]' emits 401
  • The GraphQL Admin API does not have all that we require anyway - so I'll need to juggle requests between GraphQL and the REST API. Ugh.

Invested in this process, really need this to work.

Cheers

Steve

Shopify Partner

@KarlOffenberger ?

Any thoughts here?

Shopify Partner

Hello!

Well, it sounds like you already went through an extensive list of options there. I haven't had any issues with the issued access token whatsoever, least of all a 401 Unauthorised. You say you can launch your app embedded with no problems, so the store has already granted the access scopes. The auth process you describe is by the book - how are you generating your HMAC (yourself, koa auth package, express auth package)? Invalid HMACs often cause 401s for people trying to use webhooks, so maybe it could be a similar issue here.

Really can't think of much more. Would be something for Shopify folk to check in their logs.

I turn coffee in to code - since 1998
Shopify Partner

Thanks @KarlOffenberger - I'm awaiting a reply through official channels.

HMAC - I am generating the HMAC using the nodejs crypto package, i.e.

const crypto = require('crypto');

// HMAC-SHA256 over the callback message, keyed with the app's API secret key;
// kept as a utf-8 buffer of the hex digest so it can be compared with the hmac parameter
const generatedHash = Buffer.from(
  crypto
    .createHmac('sha256', ConfigService.get('server').shopifyApiSecret)
    .update(message)
    .digest('hex'),
  'utf-8',
);

I would have assumed that if there was a problem with the HMAC that it would fail when I check it against the HMAC returned from shopify?

I've looked at this from multiple angles and have got nowhere. And without a response from the support team who can check the errors in the logs - the opaque 401 is a dead end for me. Let's hope they get back to me soon. Is there an official shopify member on the forum here I can ping?

Cheers

Steve

Shopify Partner

Finally received a response from Shopify support:

Hey Steve! Mac here from Partner support.

I'm afraid you are going to need to post this question in the forums! We don't currently have the capacity to troubleshoot API issues like this 1:1. We just don't have the trained support staff to handle these kind of issues, so what I would do is copy/paste this email into a new forums post at - Developer Forums! Unless you can find a similar post where someone has already tackled something similar.

Wish there was more we could do here!

Best regards,

So, leaving aside the fact that the first line of my email included the information that I had already cross-posted the content to the forum; this is a very unhelpful stance.

You would think looking into the logs would be the very least they could do - I understand crowd-sourcing the problem to the app developers that live and breathe this stuff... but really? I posted this problem 5 days ago and while Karl responded it's not his job! I get the feeling he would have helped me if he could. Maybe Shopify should allow us access to the logs for our apps?

Is this forum even monitored by Shopify?

Thanks @KarlOffenberger for your help - much more help than Shopify.

Shopify Partner

Signing (HMAC) is clearly not your issue if you're able to acquire an access token.

Sounds like you're not sending the header (X-Shopify-Access-Token) or the value you're sending is not what you think it is.

Are you sure you're sending the requests to the API endpoints of the shop for which the token was acquired? For example, if you have two development shops, the installation process and therefore the tokens for each of them would be different (apologies if it's obvious to you).

Update: in your original post you also mention sending or trying with the API key and API secret key, but that's plain wrong for a public app. You should only be making calls with tokens acquired for, and associated with, a particular shop.

Shopify Partner

Ah, but they do frequent the forums. Probably not on a Sunday evening though.

What's in your message? Just asking because typically you'd take the querystring and remove hmac and signature for the message.

Shopify Partner

True what @JazepsBasko wrote!

Shopify Partner

Thanks @KarlOffenberger

const querystring = require('querystring');

// Message to sign: the callback query with the hmac and signature parameters removed
const map = Object.assign({}, request.query);
delete map.signature;
delete map.hmac;
const message = querystring.stringify(map);

Of course, it's Monday AM here in Australia.

Shopify Partner

Thanks @JazepsBasko

I agree HMAC is not the issue.

Definitely only have one development store.

My app is currently borked due to me mucking around with it... so I can't take a screenshot. But I am certain that I acquired the access token from the X-Shopify-Access-Token that is returned when POSTing to: https://mystore.myshopify.com/admin/oauth/access_token

I'm not sure what you mean regarding NOT sending the API secret Key. According to the documentation here: Step 3: Confirm installation it quite clearly says to use the API Key and the API Secret Key to exchange for an access token.

"The server responds with an access token:"
Which is where I am retrieving and storing the Access token from - as mentioned above.

I would not be surprised if this documentation is incorrect - can you confirm what I am meant to be using instead?
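
The two stages of the install flow that @JazepsBasko's post and this last post are arguing over, as an added Node example that is none of the posters' code: the API key and API secret key are sent once, in the code-for-token exchange, and every Admin API call after that sends only the shop's own access token in the X-Shopify-Access-Token header, with no Authorization header and no key or secret anywhere. A small per-shop token store covers the two-development-shops case, and a pre-flight check covers the missing-or-wrong-header case. Requests are modelled as plain descriptors so it runs offline; the shop, code, key and token values are constructed, and ADMIN_API_VERSION is an assumed version string.

```javascript
// Added example, not the posters' code: the token exchange versus later Admin
// API calls, as plain request descriptors. All values are constructed samples.
const OAUTH_TOKEN_PATH = '/admin/oauth/access_token';
const ADMIN_API_VERSION = '2020-01'; // assumption: use the version your app targets

// Stage 1: POST https://{shop}/admin/oauth/access_token with the API key,
// API secret key and the one-time code from an already-verified callback.
// This is the only request that ever carries the secret.
function buildTokenExchangeRequest(shop, code, apiKey, apiSecret) {
  return {
    method: 'POST',
    url: `https://${shop}${OAUTH_TOKEN_PATH}`,
    headers: { 'Content-Type': 'application/json' },
    body: { client_id: apiKey, client_secret: apiSecret, code },
  };
}

// Offline tokens are issued per shop: key them by the shop domain the
// exchange was made against, never as a single global token.
class TokenStore {
  constructor() {
    this.tokens = new Map();
  }
  save(shop, accessToken) {
    if (typeof accessToken !== 'string' || accessToken.length === 0) {
      throw new Error(`refusing to store an empty access token for ${shop}`);
    }
    this.tokens.set(shop, accessToken);
  }
  get(shop) {
    return this.tokens.get(shop);
  }
}

// Stage 2: an Admin API request for one shop. No Authorization header and no
// key/secret; only the token stored for that exact shop goes in the header.
function buildAdminRequest(store, shop, method, path, body) {
  const token = store.get(shop);
  if (!token) {
    throw new Error(`no access token stored for ${shop}; complete the install flow for that shop first`);
  }
  const req = {
    method,
    url: `https://${shop}/admin/api/${ADMIN_API_VERSION}${path}`,
    headers: { 'X-Shopify-Access-Token': token, 'Content-Type': 'application/json' },
  };
  if (body !== undefined) req.body = body;
  return req;
}

// Pre-flight check for the 401 symptom in the thread: is the header present,
// is a key/secret credential being sent instead, and does the header value
// match the token stored for the host actually being called?
function diagnoseAdminRequest(store, req) {
  const problems = [];
  const host = new URL(req.url).host;
  const headerToken = req.headers['X-Shopify-Access-Token'];
  const storedToken = store.get(host);
  if (!headerToken) problems.push('X-Shopify-Access-Token header missing');
  if (req.headers.Authorization) problems.push('Authorization header present; API key/secret are not credentials for a public app');
  if (!storedToken) problems.push(`no token stored for ${host}; the token may belong to a different shop`);
  else if (headerToken && headerToken !== storedToken) problems.push(`header token does not match the token stored for ${host}`);
  return problems;
}

// Walk-through with constructed values.
const store = new TokenStore();
const exchange = buildTokenExchangeRequest('mystore.myshopify.com', 'constructed-code', 'constructed-api-key', 'constructed-api-secret');
// ...POST `exchange` to Shopify; the access_token field of the JSON response is what gets stored:
store.save('mystore.myshopify.com', 'constructed-access-token');
const shopRequest = buildAdminRequest(store, 'mystore.myshopify.com', 'GET', '/shop.json');
const graphqlRequest = buildAdminRequest(store, 'mystore.myshopify.com', 'POST', '/graphql.json', { query: '{ shop { name } }' });
console.log(exchange.url, shopRequest.headers, graphqlRequest.url);
console.log('problems:', diagnoseAdminRequest(store, shopRequest));
```

Both REST and GraphQL Admin calls are built the same way here; the only thing that changes between them is the path and body, while the header carrying the token is identical. Running diagnoseAdminRequest on the exact descriptor your HTTP client is about to send is the quickest way to see whether the header is missing, whether a Basic Authorization header crept in, or whether the token was issued for a different shop than the one in the URL.
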