What happens if app is already installed and one clicks install again

casedo
Shopify Partner
20 0 15

Hello, 

I have been trying to submit one of my apps for reviewing. One store (which is used for automation testing I suppose) already installed this app, when I tried to submit automation test fails because we are redirecting coming response to the app admin dashboard rather than oauth/request_grant

Is this flow wrong ? I have tried to reach out shopify support and ask them to uninstall our app from this testing store and we can resubmit again. 
After losing 1 hour with providing endless information in order to auth myself and explain the situation, they told me to come here and ask. 
So here we are. 

This is the rejection message. 
Am I understanding wrongly, I think it says when one reinstall after removing from store. I told same thing but support team told me it is not about store has already an app or not you need to redirect request_grant.

App must install successfully.
Your app does not request installation on the shop immediately after clicking "add app". Apps must ask a shop for access when being installed on a shop for the first time, as well as when they are being reinstalled after having been removed. During install or reinstall we expected Oauth to be initiated at https://appstoretest5.myshopify.com/admin/oauth/request_grant but was redirected to https://appstoretest5.myshopify.com/admin/apps/xxxxxxxxxx.
Learn more about authentication in our developer documentation

Upsie ‑ Upsell & Cross Sell Show recommended & related products everywhere on your site.
Second Image Hover Animations converts product images on your site into dynamic ones with simply one click
The Detective FAQ outstanding FAQ page templates & Product FAQs
Replies 10 (10)

policenauts1
Trailblazer
174 13 39

To answer the question in your thread title, if a store clicks on "add app" and already has the app installed, it will just take them to the app. My guess is that you are not implementing OAuth correctly and are not generating the permission URL, and instead are just taking them to your app. 

The way you can verify that everything is working, is first uninstall your app (if it's already installed on a development store) and do the following:

  1. Go to your partner dashboard and find your app
  2. click "test on development store"
  3. Then find the development store and click install your app

You should be directed to the OAuth installation screen and then successfully go through the installation process. And then if you uninstall the app from your development store, you should see the OAuth page again when you repeat the above steps. More about OAuth here: https://shopify.dev/tutorials/authenticate-with-oauth

You will also need to make sure you're implementing the Billing API if your app will be paid. 

In your app listing, if you look at the logs, do you see that appstoretest5 has your app currently installed? The automated test store usually immediately uninstalls your app. 

ovidiucaramida
Shopify Partner
19 0 10

I have the exact same problem.

From what I could find out, it's not a problem with the initial installation of the app to the test store, it's about the reinstall. The app first gets installed correctly to the appstoretest5.myshopify.com, then it immediately uninstalls the app and tries to install it again. But the reinstallation fails and gets him to the appstoretest5.myshopify.com/admin/apps/xxxxxx page.

This is because my app didn't clear the session for the initial installation because it didn't know yet that the app was uninstalled. I have the webhook implemented for the app/uninstall topic and it works, the only problem is that shopify triggers the app uninstall event after 3 minutes or so. My app then clears the session for the initial install, but much to late because the automatic test already failed.

From what I can find on the forums this is a new issue and I hope it will get solved because it's really frustrating.

tecsploit
Tourist
10 0 2

I'm getting a similar issue, I submitted my app about 10 days ago, and it passed all the automated tests but failed the manual testing. I updated my app and submitted it yesterday and it failed with this error.

I've tested the app extensively on several dev stores and it installed, re-installs perfectly.

I've also noticed that the uninstall web hook has a delay before being triggered, I believe this was causing my failure initially, so I've updated to take this into account but I still get this issue. 

From my logs it's looking to me as though several tests are being run at the same time, for the same store, I'm woundering if one is invalidating the other

To prove I'm not going mad, I've rolled my code back to what I had 10 days ago, and this no longer passes the automated tests

If anyone can give any guidance on what has changed on the tests it would be much appreciated!!

 

Cheers

 

ovidiucaramida
Shopify Partner
19 0 10

I also tried to find a workaround for the webhook not triggering at the right time but could find any viable solution, because I can't identify when I am supposed to clear the session.

What did you try? 

tecsploit
Tourist
10 0 2

I'm storing the stores details on installation, and on the uninstall web hook I was deleting all the details, the issue was, the uninstall was happening mid way through the automated tests second test (due to the webhook delay) and because of the way I'm storing the data, this was causing the record to be deleted, so the second test was failing on the auth call back step.

My work around was to mark the record as uninstalled, instead of deleting it, and then the second test updates it back live, but I'm thinking there's clearly still an issue somewhere, due to the overlap of the second test and the uninstall webhook 

 

 

 

 

policenauts
Shopify Partner
206 10 66

@tecsploit how are you coding your logic to determine if the user should be directed to the OAuth permission URL again? Are you simply checking for the presence of an access token in your db, or are you actually doing a call to the shop endpoint to determine if the access token is still valid? An uninstall should render the access token invalid automatically.

tecsploit
Tourist
10 0 2

Hey,

Ive tried it a few different ways, in my original app, which got past the automatic checks but failed the user testing I was doing this, 

The main entry point for my apps was 

  1. https://myapp/api/install

Everytime this url I would

  • validate the hmac
  • validate the domain
  • store a record in my db with the shops info / update it if it already existed
  • redirect to "https://{storeurl}/admin/oauth/authorize?client_id={1}&scope={2}&redirect_uri={3}&state={4}&grant_options[]={5}"

This would trigger a call to the redirect url

     2. https://myapp/api/AuthCallback

When this url was called, everytime i would

  • validate the hmac
  • validate the domain
  • look for a record in my db and load it
  • validate the state
  • make a call to get a new access token https://{shop url}/admin/oauth/access_token
  • Save the token in my db
  • redirect to my stores main page, with my own store identifier 

I realised that i didnt need to regen an access token everytime, but it wasnt hurting anything so i left it in. This setup worked fine in dev stores for install / reinstall, with one acception (which is why i failed the human review) that was that on the initial install only, the last step, redirecting to my store would break out of the frame and load it in the same window, but outside of shopify. In this version i hadnt implemented the uninstall webhook.

To rectify the failed review, I found a post that suggested on the first install only, rather than redirecting to your app url, instead redirect to url that basically loads the app in the users store, so for my very last step I changed to direct to

  - https://{store url}/admin/apps/{app_id}"

I also modified my code, to track whether it was the first install or not, using the record i have in my db, navigating to this url, would cause shopify to re-initiate the auth flow, and as this wasnt the first install, this time after going through all the steps again, I would finally redirect back to my store. I tested this for install, reinstall on my dev store, and it worked perfectly - no breaking out of the frame. 

But after re-submitting I now fail the automated tests. Ive tried various changes since (including using a different url on the authorize step), and they all fail the automated tests with an error like

 'During install or reinstall we expected Oauth to be initiated at https://{store}.myshopify.com/admin/oauth/request_grant but was redirected to https://{mystoreaddress}/Learn more about authentication in our developer documentation'

I have noticed that on the test I passed, shopify used a different store to test against, that the current 'appstoretest5.' Im not suggesting that the shopify process is broken, but I have rolled my code back and submitted again only to find that it now fails the automated tests. 

To futher complicate things, I was deleteing my db records when the unistall web hook was fired, and due to the delay between the webhook being fired, it was getting fired part way through a test, causing me to delete my db record (as it had the same shopify domain) which was breaking my code. I beleive i fixed this issue, but still fail (I've also tried disabling the uninstall webhook to be sure)

Sorry for the long post, Im planning to re-align my code to how I had it initially - basically as per the docs and try again to get a base line and if that fails ill try my luck with shopify support.

Thanks!

 

composed
Excursionist
10 0 5

I'm having the same issue, tried the workaround on this post for adding /auth/inline to the app settings, but still doesn't work:

https://community.shopify.com/c/Shopify-Discussion/App-Got-Rejected-due-Redirect/td-p/711904

Getting this rejection message:

During install or reinstall we expected Oauth to be initiated at https://appstoretest5.myshopify.com/admin/oauth/request_grant but was redirected to https://appstoretest5.myshopify.com/admin/charges/4570677304/request_recurring_application_charge

I'm fairly certain this is related to the koa-shopify-auth package, because I went back and created a fresh install with Shopify CLI, and rolled my app code back to the most basic auth from the generated CLI project like this:

server.use(
    createShopifyAuth({
      apiKey: SHOPIFY_API_KEY,
      secret: SHOPIFY_API_SECRET,
      scopes: [SCOPES],

      async afterAuth(ctx) {
        //Auth token and shop available in session
        //Redirect to shop upon auth
        const { shop, accessToken } = ctx.session;
        ctx.cookies.set("shopOrigin", shop, {
          httpOnly: false,
          secure: true,
          sameSite: "none"
        });
        ctx.redirect("/");
      }
    })
  );

But this fails with the following message:

During install or reinstall we expected Oauth to be initiated at https://appstoretest5.myshopify.com/admin/oauth/request_grant but was redirected to https://appstoretest5.myshopify.com/admin/apps/39a9e5a0fa51c45df4d0063d418c252e/

I also tried updating my koa session config to timeout the session after 15 seconds to hopefully force verifyRequest() to redirect to /admin/oauth/authorize again, but that didn't work either.

At this point, since the basic CLI generated code also fails, I think we'll either have to roll our own auth, or wait for an update to koa-shopify-auth.

I'm primarily a Python dev, so it'd be a fair amount of work to create a new auth package, but I'm considering it.

Any other ideas out there?

Thanks!

tecsploit
Tourist
10 0 2

Hi,

I dont want to speak to soon, but I think ive now got my app past the automated tests, (it was being rejected after 10 mins, but its now been waiting about 10 hours I can see the tests have been run).

For me, I went back to following the oauth process as per the documentation, without the various changes Ide made based on various posts, so when my app url is called I now

  1. always validate the params being passed in
  2. validate the domain + hmac
  3. start the oath process using the authorize link as per the current version of the docs
  4. When my redirect url is executed by shopify, I validate the params, and hmac + state 
  5. I generate my token
  6. I then redirect to my app URL. The key is I always now redirect to the white listed App url

previously in the last step i directed to a url like https://appstoretest5.myshopify.com/admin/apps/39a9e5a0fa51c45df4d0063d418c252e/ on the first install, then to my white listed on subsequent calls. This was to stop me breaking out of the iframe on the first load (this was recommended in another post somewhere). while this worked fine on my dev store tests, i think the auto tests no longer like this for some reason. 

In order to stop breaking from the IFrame, I actually changed my website to stop the Iframe breaking issue - my auth calls are handled by serverless functions not in my website, so now in my website I detect if Im loaded outside of a frame, and if i am I redirect to a link like https://appstoretest5.myshopify.com/admin/apps/39a9e5a0fa51c45df4d0063d418c252e/ - its a subtle difference, but It seems to have got past the automatic tests - fingers crossed anyway.

On another note, it does seem that on my latest test run, the tests seem to be run quite a bit slower than they were on my previous runs - on previous runs they were almost running in parrellel - im not sure if that makes any difference or not.

Ill post again when i get my actuall result - but fingers crossed!!

thanks

ovidiucaramida
Shopify Partner
19 0 10

From what I managed to figure out, this is the actual piece of code that does the redirect:

ShopifyApp.init({
    apiKey: '{{ SHOPIFY_APP_API_KEY }}',
    shopOrigin: 'https://{{ user.myshopify_domain }}'
});
ShopifyApp.ready(function () {
    ShopifyApp.Bar.initialize({
        title: '',
        buttons: {}
    });
});

This redirects to the shopify page with the error. But if the app would be able to know that it was uninstalled from the shop, this code wouldn't get to be executed because the oauth would be done first.
So in my opinion the fact that the webhook for app/uninstall taking too long is still the real issue.