FetchError: request to /admin/oauth/access_token failed, ETIMEDOUT, causes 504 Gateway Time-out

Solved
Indeed
Excursionist
13 1 2

Hi all, 

I followed the Node and React app tutorial: https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react

I'm able to use ngrok to run the app locally and inside the Shopify iframe, but now that I have it deployed on AWS, the call to https://example.org/some/redirect/uri?code={authorization_code}&hmac=da9d83c171400a41f8db91a95050898... in step 3 here is timing out with a 504 in the browser. I'm using the createShopifyAuth function from koa-shopify-auth, so I haven't actually written any of the code to authenticate manually, but here's the full error I'm getting on the server side:

  FetchError: request to https://test-store-for-indeed-partnerships.myshopify.com/admin/oauth/access_token failed, reason: connect ETIMEDOUT 23.227.38.64:443
      at ClientRequest.<anonymous> (/usr/src/app/node_modules/node-fetch/index.js:133:11)
      at ClientRequest.emit (events.js:198:13)
      at ClientRequest.EventEmitter.emit (domain.js:448:20)
      at TLSSocket.socketErrorListener (_http_client.js:401:9)
      at TLSSocket.emit (events.js:198:13)
      at TLSSocket.EventEmitter.emit (domain.js:448:20)
      at emitErrorNT (internal/streams/destroy.js:91:8)
      at emitErrorAndCloseNT (internal/streams/destroy.js:59:3)
      at process._tickCallback (internal/process/next_tick.js:63:19)

Note that I am getting an actual authorization code. The path in the request is this:

:path: /auth/callback?code=4a47e127f259123078212ae49c8974e6&hmac=c3f232e252e174339bd3aabc801f9ef6dccf397c1a4cdd96dd3d7d535a44e23c&shop={example-test-store-uri}&state=159842804415200&timestamp=1598428044

However, I do notice that the successful request from my local app sets these cookies, but the AWS deployed app does not:

Set-Cookie: shopOrigin={example-store-url}; path=/; samesite=none; secure
Set-Cookie: shopOrigin.sig=lrc5CvO8l3EDTrb_0MXsTD6dSO0; path=/; samesite=none; secure
Set-Cookie: koa.sess=eyJzaG9wIjoidGVzdC1zdG9yZS1mb3ItaW5kZWVkLXBhcnRuZXJzaGlwcy5teXNob3BpZnkuY29tIiwiYWNjZXNzVG9rZW4iOiJzaHBhdF82ZTgxZWU5ODZiMzA0NzY5ODk4OTlmMGJkMWI0NzI4ZiIsIl9leHBpcmUiOjE1OTg1MTU0NjQ0NjIsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==; path=/; expires=Thu, 27 Aug 2020 08:04:24 GMT; samesite=none; secure; httponly
Set-Cookie: koa.sess.sig=tOUKOCQ1yWvooOfDcnkoKnVC51M; path=/; expires=Thu, 27 Aug 2020 08:04:24 GMT; samesite=none; secure; httponly

Can someone help me figure out why I'm getting the 504/FetchError when calling the access_token endpoint? It seems the code being returned isn't valid, or perhaps the cookies aren't being set correctly.

0 Likes
Indeed
Excursionist
13 1 2

This is an accepted solution.

Figured it out. After a lot of troubleshooting I was able to determine that our backend service was set up on public subnets in AWS that didn't have a NAT gateway attached. I figured this out by SSH'ing into the EC2 containers, curling some URLs, and then doing so in the docker containers as well, where I found out that the latter wasn't able to curl anything. That helped narrow it down a lot.

Other things I checked:

AWS Security groups for the ECS instances (all good) https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/

Docker ports for the container

NACLs

https://stackoverflow.com/questions/57741475/aws-vpc-containers-do-not-have-access-to-the-internet

The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.

0 Likes
hardnold
New Member
5 0 0

For everybody using Google Cloud instead of AWS:

I had the same issue and the reason for me was that I'm hosting my app inside a private GKE (Google Kubernetes) Cluster in which pods are not allowed to receive and send data from and to the internet.

The solution was to add a Cloud NAT Gateway for the corresponding pods.

Start here to get an idea of how this is done: https://cloud.google.com/nat/docs/gke-example

0 Likes
it-test
New Member
1 0 0

I ran into this problem in local development. How do I solve it?

0 Likes