OAuth failed with csrf_detected error

Tourist

Hello, we published our app recently. A user installed our app, but there's no database record of the user. Upon checking the production log, we found that a csrf_detected error was returned, but it only happened once and we couldn't replicate it internally. What are the possible reasons for getting this error message?

We're using Ruby on Rails with shopify_gem for auth management and our app is not an embedded app.

I, [2019-10-16T07:25:57.817527 #22658]  INFO -- : [8038fc5a-543b-4ea1-9f00-b343c44f1011] Started GET "/auth/shopify/callback?code=9f529e1d87e327371cc5b40d45038231&hmac=6ad69e7838b16d68ea8876c569bdb14af17e0034f632669d83b49f97de6ac812&shop=theshop.myshopify.com&timestamp=1571210757" for <ip> at 2019-10-16 07:25:57 +0000
I, [2019-10-16T07:25:58.049474 #22658]  INFO -- : [3808a12e-d186-4f7c-a2e2-22366b340040] Started GET "/auth/failure?message=csrf_detected&origin=https%3A%2F%2Fapps.shopify.com%2F&strategy=shopify" for <ip> at 2019-10-16 07:25:58 +0000
I, [2019-10-16T07:25:58.050419 #22658]  INFO -- : [3808a12e-d186-4f7c-a2e2-22366b340040] Processing by HomeController#index as HTML
I, [2019-10-16T07:25:58.050479 #22658]  INFO -- : [3808a12e-d186-4f7c-a2e2-22366b340040]   Parameters: {"message"=>"csrf_detected", "origin"=>"https://apps.shopify.com/", "strategy"=>"shopify", "path"=>"auth/failure"}
I, [2019-10-16T07:25:58.051142 #22658]  INFO -- : [3808a12e-d186-4f7c-a2e2-22366b340040] Redirected to https://ourapp.com/login?return_to=%2Fauth%2Ffailure%3Fmessage%3Dcsrf_detected%26origin%3Dhttps%253A%252F%252Fapps.shopify.com%252F%26strategy%3Dshopify
I, [2019-10-16T07:25:58.051264 #22658]  INFO -- : [3808a12e-d186-4f7c-a2e2-22366b340040] Completed 302 Found in 1ms (ActiveRecord: 0.0ms)
I, [2019-10-16T07:25:58.135039 #22658]  INFO -- : [9fb62ca7-8e46-428d-b934-787e1336cb2d] Started GET "/login?return_to=%2Fauth%2Ffailure%3Fmessage%3Dcsrf_detected%26origin%3Dhttps%253A%252F%252Fapps.shopify.com%252F%26strategy%3Dshopify" for <ip> at 2019-10-16 07:25:58 +0000
I, [2019-10-16T07:25:58.135838 #22658]  INFO -- : [9fb62ca7-8e46-428d-b934-787e1336cb2d] Processing by ShopifyApp::SessionsController#new as HTML
I, [2019-10-16T07:25:58.135896 #22658]  INFO -- : [9fb62ca7-8e46-428d-b934-787e1336cb2d]   Parameters: {"return_to"=>"/auth/failure?message=csrf_detected&origin=https%3A%2F%2Fapps.shopify.com%2F&strategy=shopify"}
I, [2019-10-16T07:25:58.146373 #22658]  INFO -- : [9fb62ca7-8e46-428d-b934-787e1336cb2d]   Rendering shopify_app/sessions/new.html.erb
I, [2019-10-16T07:25:58.147403 #22658]  INFO -- : [9fb62ca7-8e46-428d-b934-787e1336cb2d]   Rendered shopify_app/sessions/new.html.erb (1.0ms)
I, [2019-10-16T07:25:58.147591 #22658]  INFO -- : [9fb62ca7-8e46-428d-b934-787e1336cb2d] Completed 200 OK in 3ms (Views: 1.5ms | ActiveRecord: 0.0ms)

Shopify Staff

Hi @Yoon

The issue is with OAuth and the Shopify Gem. It is typically an issue with state that is causing the auth/failure message. Can you please try the troubleshooting listed here on the GitHub repo and this issue here?

Vix | Developer Support @ Shopify
Tourist

Is there a way to replicate unexpected state as stated? I've failed to replicate this in my local environment and it only happened once.

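The callback request in the posted log carries `code`, `hmac`, `shop` and `timestamp` but no `state` parameter, and omniauth-oauth2 reports `csrf_detected` when the callback's `state` is empty or differs from the value saved in the session. The following Ruby script is an added example (not code from this thread or from the Shopify gems) that scans a Rails log for OAuth callbacks and separates those two cases. The sample lines, the `classify_callbacks` and `likely_cause` helpers and the cause labels are constructed for illustration.

```ruby
require "uri"

# Constructed log lines in the format of the post above; ids, codes and shops are made up.
SAMPLE_LOG = <<~'LOG'
  I, [2019-10-16T07:25:57.817527 #22658]  INFO -- : [req-1] Started GET "/auth/shopify/callback?code=c1&hmac=h1&shop=one.myshopify.com&timestamp=1571210757" for <ip> at 2019-10-16 07:25:57 +0000
  I, [2019-10-16T07:25:58.049474 #22658]  INFO -- : [req-2] Started GET "/auth/failure?message=csrf_detected&origin=https%3A%2F%2Fapps.shopify.com%2F&strategy=shopify" for <ip> at 2019-10-16 07:25:58 +0000
  I, [2019-10-16T07:26:10.000000 #22658]  INFO -- : [req-3] Started GET "/auth/shopify/callback?code=c2&hmac=h2&shop=two.myshopify.com&state=s2&timestamp=1571210770" for <ip> at 2019-10-16 07:26:10 +0000
  I, [2019-10-16T07:26:10.200000 #22658]  INFO -- : [req-4] Started GET "/" for <ip> at 2019-10-16 07:26:10 +0000
  I, [2019-10-16T07:26:30.000000 #22658]  INFO -- : [req-5] Started GET "/auth/shopify/callback?code=c3&hmac=h3&shop=three.myshopify.com&state=s3&timestamp=1571210790" for <ip> at 2019-10-16 07:26:30 +0000
  I, [2019-10-16T07:26:30.100000 #22658]  INFO -- : [req-6] Started GET "/auth/failure?message=csrf_detected&strategy=shopify" for <ip> at 2019-10-16 07:26:30 +0000
LOG

STARTED = /Started GET "([^"]+)"/

# Returns one hash per OAuth callback request found in the log text.
# Assumption: a csrf_detected failure belongs to the most recent callback,
# which holds for a single-process log like the one posted.
def classify_callbacks(log)
  callbacks = []
  log.each_line do |line|
    target = line[STARTED, 1]
    next unless target
    uri = URI.parse(target)
    params = URI.decode_www_form(uri.query.to_s).to_h
    if uri.path == "/auth/shopify/callback"
      callbacks << { shop: params["shop"],
                     state_present: !params["state"].to_s.empty?,
                     csrf_failure: false }
    elsif uri.path == "/auth/failure" && params["message"] == "csrf_detected" && callbacks.any?
      callbacks.last[:csrf_failure] = true
    end
  end
  callbacks.each { |cb| cb[:likely_cause] = likely_cause(cb) }
end

# Hypothetical labels: a missing state points at how the flow was started,
# a present but rejected state points at the session cookie not matching.
def likely_cause(callback)
  return nil unless callback[:csrf_failure]
  callback[:state_present] ? :state_differs_from_session : :state_missing_from_callback
end

classify_callbacks(SAMPLE_LOG).each { |cb| puts cb.inspect } if __FILE__ == $PROGRAM_NAME
```

Run against the production log, the first case corresponds to the request shown in the original post; the second would indicate a callback that arrived without the session in which the login request was started.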