Topics covering webhook creation & management, event handling, Pub/Sub, and Eventbridge, in Shopify apps.
So it seems Apps built with the Shopify App gem get rejected for 2 main reasons.
1. CSP clickjacking
2. not returning a 401 on GDPR
So the App comes with CSP clickjacking code, issued by Shopify. Add that to your App, and it proves it works. You still get rejected by the Shopify App robot for a CSP violation. WTF?
Shopify App gem handles webhooks. So you set your App endpoints for GDPR processing, and the endpoint in your App gets called and all is well. But you get rejected because the App fails to return a 401?
Why is that even a thing? Why has Shopify not included that in their Shopify App gem code if it is so important?
Anyway... good luck getting past the broken App Submission robot. Anyone have any hot tips on these two issues?
We have solved the second issue by checking in PHP if the user is not authenticated and returning a 401 response code.
http_response_code(401);
We were able to fix this error, however, we are also rejected with the first error although CSP is implemented cleanly in all scripts.
With the following URL you can make a call via the terminal and see if the Content-Security-Policy directive takes effect:
curl -I -X GET "https://app-domain.com/site"
Still waiting on a reason from Shopify why we got rejected.
We finally found a solution to our content-security-policy rejection issue.
First of all there are automated security checks that are run before the app reaches the review team.
The reason we were failing this scan is due to an iframe redirection that tries to embed a Shopify URL.
You can see the caution in the documentation here on how to resolve this.
The OAuth flow won't work if it's conducted inside an iframe. If your app is an embedded app, then you need to make sure that you've done a full-frame redirect to take over the top frame of the browser before redirecting to the app authorization link.
Shopify App Bridge offers a Redirect action that makes full-frame redirects possible. For more information, refer to the section on OAuth authorization with Shopify App Bridge.
You must take over the top iframe instead of a redirection within the iframe.
In our case we built our app with PHP, so redirecting with "header('Location: ')" would only redirect the iframe and not the top frame. So we used JavaScript to redirect.
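The reply above explains the failure but not the JavaScript it used. Below is an added example, not the reply's code, of what a top-frame redirect into the OAuth grant page must do when the app is loaded inside the Shopify admin iframe. Shopify App Bridge's Redirect action is the documented way to do this; the plain-JS version shows the mechanism it has to achieve. The shop-domain pattern, the apiKey/scopes/redirectUri values and the `win` parameter (passed in so the logic can be exercised outside a browser) are assumptions of this example.

```javascript
// Added example (not from the thread): full-frame redirect before OAuth for
// an embedded Shopify app. A server-side Location header only moves the frame
// that made the request, so the authorize page would load inside the iframe,
// which Shopify's automated check flags.

// Assumption: validate the shop parameter before building a URL from it, so a
// tampered ?shop= value cannot turn the redirect into an open redirect.
const SHOP_DOMAIN = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

function buildAuthorizeUrl({ shop, apiKey, scopes, redirectUri, state }) {
  if (!SHOP_DOMAIN.test(shop)) {
    throw new Error('invalid shop domain: ' + shop);
  }
  const params = new URLSearchParams({
    client_id: apiKey,
    scope: scopes.join(','),
    redirect_uri: redirectUri,
    state, // nonce to verify on the callback
  });
  return `https://${shop}/admin/oauth/authorize?${params.toString()}`;
}

// 'top' when running inside an iframe, 'self' when already the top frame.
function redirectTarget(win) {
  return win.top === win.self ? 'self' : 'top';
}

// Assigning to top.location is permitted from a cross-origin iframe (unless
// the frame is sandboxed), so the whole browser tab moves to the grant page.
function startOAuth(win, authorizeUrl) {
  const target = redirectTarget(win);
  if (target === 'top') {
    win.top.location.href = authorizeUrl;
  } else {
    win.location.href = authorizeUrl;
  }
  return target;
}

// Browser entry point; skipped when the file runs under Node.
if (typeof window !== 'undefined') {
  const shop = new URLSearchParams(window.location.search).get('shop');
  const url = buildAuthorizeUrl({
    shop,
    apiKey: 'YOUR_API_KEY',                          // assumption
    scopes: ['read_products'],                        // assumption
    redirectUri: 'https://app.example.com/auth/callback', // assumption
    state: crypto.randomUUID(),
  });
  startOAuth(window, url);
}
```

The same decision applies to any redirect issued while embedded (session expiry, re-authorization): the server can return a small page that runs this script, but it cannot do the frame switch with a 302 alone.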