App Bridge v2 required host parameter is missing from the OAuth confirmation redirect's query string

dylanpierce
Shopify Partner
160 3 68

The v2 of the App Bridge was released yesterday:

https://shopify.dev/tutorials/migrate-your-app-to-app-bridge-2

However, the documentation claims that a `host` parameter will be passed as part of the query string in the request back to my API during the OAuth handshake.

The issue is that this is not the case. The query string only contains these parameters:

* hmac
* code
* shop
* state (a.k.a. the nonce)

Even the OAuth documentation doesn't mention this new parameter: https://shopify.dev/tutorials/authenticate-with-oauth#step-3-confirm-installation

I have written a test in `shopify-nextjs-toolbox` to prove that all query string parameters are passed correctly. The query string simply just doesn't have the `host` parameter that's needed to instantiate the AppBridge v2 in the frontend.

Can we have an explanation for this? Is there a special parameter we need to set at the start of the OAuth flow to tell Shopify's API that this is flow needs a `host` parameter?

Founder of Verdict - Anti-Fraud Apps for Shopify
  • Blockade - Easily block countries, IP addresses, VPNs
  • Real ID - Verify your customer's real IDs easily & securely
Replies 26 (26)
dylanpierce
Shopify Partner
160 3 68

Update to everyone else following this thread.

I've spoken with a Shopify rep and they're working to fix the issue. Will update here when I have a response and confirm the fix.

Founder of Verdict - Anti-Fraud Apps for Shopify
  • Blockade - Easily block countries, IP addresses, VPNs
  • Real ID - Verify your customer's real IDs easily & securely
mikeastral
Tourist
5 0 4

Any news regarding this issue? From what I see the issue still remains.

ArchitechproOU
Shopify Partner
77 2 11
hannachen
Shopify Staff
Shopify Staff
54 8 17

Hi everyone, thank you for your patience and being one of the first to jump into upgrading. Really appreciate the fast reporting of this issue.

The fix for the missing `host` search param during auth is in and it's currently being rolled out. Some apps should start seeing it today, and more in the next couple of days.

Hanna | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

BoxUp
Shopify Partner
38 1 15

Hi Hanna,

Suddenly, stores are unable to install our app as the signature check is failing, despite no changes on our end.

Please could you explain what's been updated exactly?

Thanks

BoxUp
Shopify Partner
38 1 15

Possibly unrelated. Working normally now...

Vostario
Tourist
12 0 2

What does host mean in the query?  hostname of the App / hostname of the store?

 
 

 

 

hannachen
Shopify Staff
Shopify Staff
54 8 17

Thanks for the followup, I don't believe changes were made to `shop`, host was added on top of shop. Glad to hear that it's working properly now.

Hanna | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

hannachen
Shopify Staff
Shopify Staff
54 8 17

`host` url parameter is the hostname of the store, used by the App Bridge 2.0 client. It's a different version of `shop` as described in the Get and store the shop origin guide.

Hanna | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

AurimasR
New Member
2 0 1

Hello,

do I understand correctly that the `host` parameter is added to the whole OAuth process? Because in our app we're not using App Bridge or Embedded Apps but the installation is not working because of the failing hmac verification.

BoxUp
Shopify Partner
38 1 15

Hi @AurimasR 

Double check that you are including all parameters, other then the hmac param itself, when you create your hmac to compare to Shopify's.

I think it mentions on the documentation somewhere that parameters are subject to change, so remove the hmac param and include all else.

Thanks

AurimasR
New Member
2 0 1

@BoxUp We were dependent on the exact parameters. But you are right, I see it is mentioned in the documentation that parameters are subject to change.

Thanks!

Michelle_C
New Member
6 0 0

Hi Hanna,

We also faced a similar issue.
Just want to ask that every time there is an update of API or params or things like that, will we be noticed via e-mails or other messages? So we are able to prevent possible problems.

And if there won't be notices, do you have any ideas that what we can do?
Thanks.

playwright-matt
Shopify Partner
72 18 27

I was struggling with this for a few days. Looks like this change is coming in 18.0.0

https://github.com/Shopify/shopify_app/pull/1241/files

 

This is what will be included in 18.0.0

https://github.com/Shopify/shopify_app/pull/1252

Playwright | Create Shopify Scripts without writing code | https://playwrightapp.com
- Was my reply helpful? Please Like and Accept Solution.

Michelle_C
New Member
6 0 0

Hi @hannachen 

We also faced a similar issue.
Just want to ask that every time there is an update of API or params or things like that, will we be noticed via e-mails or other messages? So we are able to prevent possible problems.

And if there won't be notices, do you have any ideas that what we can do?
Thanks.

manuel-platlan
New Member
1 0 0

 We face the same problem.

Where can I find the information?  in order to solve it.

cormacncheese
Shopify Partner
8 0 0

Any update on this?

My app was rejected for this and I'm still not able to find the required 'host' param

dylanpierce
Shopify Partner
160 3 68

It appears that this issue still persists and Shopify has put the permanent fix on backlog.

As a temporary workaround - I recommend 2 things:

 

1. Using AppBridge v1 until Shopify releases a fix for this issue. Instead of using the missing `host` parameter as the instantiating string for the AppBridge, instead you can use `shopOrigin` (aka *.myshopify.com)

 

2. If for some reason you need to use AppBridge v2, unofficially the `host` parameter is just the `shopOrigin` base64 encoded. I haven't verified this myself but I've heard from a number of other developers they're using this as a workaround. However, if Shopify gets around to fixing the `host` parameter and decides to actually make it more secure by encrypting with your App's private key instead of encoding - well your authentication could break.

I would recommend v1 over using v2 until we have an official announcement and debrief over what went wrong with the v2 release. I was told back in April a fix was in the works but it's regressed or was never fixed.

Founder of Verdict - Anti-Fraud Apps for Shopify
  • Blockade - Easily block countries, IP addresses, VPNs
  • Real ID - Verify your customer's real IDs easily & securely
mikeastral
Tourist
5 0 4

Based on @dylanpierce I would like to add a 3 workaround I discovered on my testing stores, not sure if it works for non-testing stores, it is a little tricky, but until now it has been consistent in my testing stores.

1. After installation, every time the App is launched from the "Apps" section, the host param will be included in the incoming request params, so in this way, you can design a middleware that grabs and stores this param in a database; and then use it anytime you need it to pass it to AppBridge v2.

2. During installation, this host param is still not passed at all, so what you can do is to perform a redirect into the parent window, simulating the action of opening the App from the "Apps" section.

After installation, the behavior will be as point 1.