So my logs were suddenly oAuth Failed, CSRF
No rhyme no reason, just failing... so I jammed a quick
in my oAuth config block and things worked again. Of course that is a security thing, but I am not terribly worried as this is a single client very specialized App, not some public behemoth. So my question is, when you start seeing that oAuth fail again... what is causing that? Something changed? This is Shopify API library 9.2 and latest Rack, with all the fixes for Chrome Samesite cookie.
Never mind. I went back to allowing state, as it all works. Was actually a bug in a different part of the oAuth flow causing the catch-all-because-this-has-never-really-been-fleshed-out-well CSRF error. Was actually a cookie problem.