Re: Shopify ruby template , APP_UNINSTALLED webhook delivery failed, Can't verify CSRF token.

Dumydev
Shopify Partner

I created a Shopify app from the Shopify Ruby template with this command:

npm init @shopify/app@latest -- --template=ruby

I followed the instructions in this doc: https://github.com/Shopify/shopify-app-template-ruby
After setup, when I ran npm run dev to start the server, I got these logs:

15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │ > shopify-frontend-template-react@1.0.0 dev
15:16:32 │ web-frontend │ > vite
15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │   VITE v4.5.0  ready in 332 ms
15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │   ➜  Local:   http://localhost:40627/
15:16:32 │ webhooks     │ Sending APP_UNINSTALLED webhook to app server
15:16:33 │ web-backend  │ => Booting Puma
15:16:33 │ web-backend  │ => Rails 7.0.8 application starting in development 
15:16:33 │ web-backend  │ => Run `bin/rails server --help` for more startup options
15:16:33 │ web-backend  │ "Inside----------------------------------------- AppUniNstalled JOb"
15:16:33 │ web-backend  │ Puma starting in single mode...
15:16:33 │ web-backend  │ * Puma version: 5.6.7 (ruby 3.1.2-p20) ("Birdie's Version")
15:16:33 │ web-backend  │ *  Min threads: 5
15:16:33 │ web-backend  │ *  Max threads: 5
15:16:33 │ web-backend  │ *  Environment: development
15:16:33 │ web-backend  │ *          PID: 66023
15:16:33 │ web-backend  │ * Listening on http://127.0.0.1:41021
15:16:33 │ web-backend  │ * Listening on http://[::1]:41021
15:16:33 │ web-backend  │ Use Ctrl-C to stop
15:16:35 │ web-backend  │ Started POST "/api/webhooks" for 127.0.0.1 at 2023-12-01 15:16:35 +0530
15:16:35 │ web-backend  │   ActiveRecord::SchemaMigration Pluck (0.1ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY 
"schema_migrations"."version" ASC
15:16:35 │ web-backend  │ "Insiede Application Controller"
15:16:35 │ web-backend  │ Processing by HomeController#index as */*
15:16:35 │ web-backend  │   Parameters: {"id"=>548380009, "name"=>"Super Toys", "email"=>"super@supertoys.com", "domain"=>nil, 
"province"=>"Tennessee", "country"=>"US", "address1"=>"190 MacLaren Street", "zip"=>"37178", "city"=>"Houston", "source"=>nil, 
"phone"=>"3213213210", "latitude"=>nil, "longitude"=>nil, "primary_locale"=>"en", "address2"=>nil, "created_at"=>nil, "updated_at"=>nil, 
"country_code"=>"US", "country_name"=>"United States", "currency"=>"USD", "customer_email"=>"super@supertoys.com", "timezone"=>"(GMT-05:00) 
Eastern Time (US & Canada)", "iana_timezone"=>nil, "shop_owner"=>"John Smith", "money_format"=>"${{amount}}", 
"money_with_currency_format"=>"${{amount}} USD", "weight_unit"=>"kg", "province_code"=>"TN", "taxes_included"=>nil, 
"auto_configure_tax_inclusivity"=>nil, "tax_shipping"=>nil, "county_taxes"=>nil, "plan_display_name"=>"Shopify Plus", "plan_name"=>"enterprise",
 "has_discounts"=>false, "has_gift_cards"=>true, "myshopify_domain"=>nil, "google_apps_domain"=>nil, "google_apps_login_enabled"=>nil, 
"money_in_emails_format"=>"${{amount}}", "money_with_currency_in_emails_format"=>"${{amount}} USD", "eligible_for_payments"=>true, 
"requires_extra_payments_agreement"=>false, "password_enabled"=>"[FILTERED]", "has_storefront"=>true, "finances"=>true, 
"primary_location_id"=>655441491, "checkout_api_supported"=>true, "multi_location_enabled"=>true, "setup_required"=>false, 
"pre_launch_enabled"=>false, "enabled_presentment_currencies"=>["USD"], "transactional_sms_disabled"=>false, 
"marketing_sms_consent_enabled_at_checkout"=>false, "path"=>"api/webhooks", "home"=>{"id"=>548380009, "name"=>"Super Toys", 
"email"=>"super@supertoys.com", "domain"=>nil, "province"=>"Tennessee", "country"=>"US", "address1"=>"190 MacLaren Street", "zip"=>"37178", 
"city"=>"Houston", "source"=>nil, "phone"=>"3213213210", "latitude"=>nil, "longitude"=>nil, "primary_locale"=>"en", "address2"=>nil, 
"created_at"=>nil, "updated_at"=>nil, "country_code"=>"US", "country_name"=>"United States", "currency"=>"USD", 
"customer_email"=>"super@supertoys.com", "timezone"=>"(GMT-05:00) Eastern Time (US & Canada)", "iana_timezone"=>nil, "shop_owner"=>"John Smith",
 "money_format"=>"${{amount}}", "money_with_currency_format"=>"${{amount}} USD", "weight_unit"=>"kg", "province_code"=>"TN", 
"taxes_included"=>nil, "auto_configure_tax_inclusivity"=>nil, "tax_shipping"=>nil, "county_taxes"=>nil, "plan_display_name"=>"Shopify Plus", 
"plan_name"=>"enterprise", "has_discounts"=>false, "has_gift_cards"=>true, "myshopify_domain"=>nil, "google_apps_domain"=>nil, 
"google_apps_login_enabled"=>nil, "money_in_emails_format"=>"${{amount}}", "money_with_currency_in_emails_format"=>"${{amount}} USD", 
"eligible_for_payments"=>true, "requires_extra_payments_agreement"=>false, "password_enabled"=>"[FILTERED]", "has_storefront"=>true, 
"finances"=>true, "primary_location_id"=>655441491, "checkout_api_supported"=>true, "multi_location_enabled"=>true, "setup_required"=>false, 
"pre_launch_enabled"=>false, "enabled_presentment_currencies"=>["USD"], "transactional_sms_disabled"=>false, 
"marketing_sms_consent_enabled_at_checkout"=>false}}
15:16:35 │ web-backend  │ Can't verify CSRF token authenticity.
15:16:35 │ web-backend  │ Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 585)
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:253:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:286:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:275:in `verify_authenticity_token'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:400:in `block in make_lambda'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:199:in `block (2 levels) in halting'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:200:in `block in halting'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:595:in `block in invoke_before'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:595:in `each'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:595:in `invoke_before'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:116:in `block in run_callbacks'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:138:in `run_callbacks'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/abstract_controller/callbacks.rb:233:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/rescue.rb:23:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/instrumentation.rb:67:in `block in process_action'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/notifications.rb:206:in `block in instrument'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/notifications.rb:206:in `instrument'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/instrumentation.rb:66:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
15:16:35 │ web-backend  │ activerecord (7.0.8) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/abstract_controller/base.rb:151:in `process'
15:16:35 │ web-backend  │ actionview (7.0.8) lib/action_view/rendering.rb:39:in `process'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal.rb:188:in `dispatch'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal.rb:251:in `dispatch'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/routing/route_set.rb:32:in `serve'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/journey/router.rb:50:in `block in serve'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/journey/router.rb:32:in `each'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/journey/router.rb:32:in `serve'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/routing/route_set.rb:852:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/tempfile_reaper.rb:15:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/etag.rb:27:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/conditional_get.rb:40:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/head.rb:12:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/http/content_security_policy.rb:36:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/session/abstract/id.rb:266:in `context'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/session/abstract/id.rb:260:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/cookies.rb:704:in `call'
15:16:35 │ web-backend  │ activerecord (7.0.8) lib/active_record/migration.rb:638:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:99:in `run_callbacks'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/executor.rb:14:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:132:in `call_app'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:28:in `block in call'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:17:in `catch'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:17:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/show_exceptions.rb:29:in `call'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/rack/logger.rb:40:in `call_app'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/rack/logger.rb:25:in `block in call'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/tagged_logging.rb:99:in `block in tagged'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/tagged_logging.rb:37:in `tagged'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/tagged_logging.rb:99:in `tagged'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/rack/logger.rb:25:in `call'
15:16:35 │ web-backend  │ sprockets-rails (3.4.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/request_id.rb:26:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/method_override.rb:24:in `call'
15:16:35 │ web-backend  │ shopify_app (21.7.0) lib/shopify_app/middleware/jwt_middleware.rb:24:in `call_next'
15:16:35 │ web-backend  │ shopify_app (21.7.0) lib/shopify_app/middleware/jwt_middleware.rb:12:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/runtime.rb:22:in `call'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/server_timing.rb:61:in `block in call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/server_timing.rb:26:in `collect_events'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/server_timing.rb:60:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/executor.rb:14:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/static.rb:23:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/sendfile.rb:110:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/host_authorization.rb:138:in `call'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/engine.rb:530:in `call'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/configuration.rb:252:in `call'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/request.rb:77:in `block in handle_request'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/request.rb:76:in `handle_request'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/server.rb:443:in `process_client'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/thread_pool.rb:147:in `block in spawn_thread'
15:16:36 │ webhooks     │ APP_UNINSTALLED webhook delivery failed

The error is:

15:16:35 │ web-backend  │ Can't verify CSRF token authenticity.
15:16:35 │ web-backend  │ Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 585)
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:253:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:286:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:275:in `verify_authenticity_token'

When I changed my ApplicationController:

# web/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # it skips csrf token validation
  skip_forgery_protection
end

The application ran fine and the webhook was delivered successfully.
But this approach is not a standard way to deal with this issue.
Does anyone have a standard solution for it?
Thanks
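
A webhook is a server-to-server POST with no browser session, so it cannot carry a CSRF token; Shopify instead signs each delivery with an HMAC-SHA256 of the raw body, keyed with the app's client secret and sent base64-encoded in the X-Shopify-Hmac-SHA256 header. The following is an added example, not part of the original post or the Shopify template, showing that check in plain Ruby; the helper names and the sample secret and body are constructed for illustration.

```ruby
require "openssl"

# Constant-time comparison of two byte strings (no early exit on mismatch).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only if header_hmac is base64(HMAC-SHA256(secret, raw_body)).
# raw_body must be the unparsed request bytes, not re-serialized params.
def valid_webhook_hmac?(raw_body, header_hmac, secret)
  return false if header_hmac.nil? || header_hmac.empty?

  begin
    claimed = header_hmac.unpack1("m0") # strict base64 decode
  rescue ArgumentError
    return false # malformed header value
  end
  expected = OpenSSL::HMAC.digest("SHA256", secret, raw_body)
  secure_equal?(expected, claimed)
end

# Status a webhook endpoint would return (hypothetical helper).
def webhook_status(headers, raw_body, secret)
  valid_webhook_hmac?(raw_body, headers["X-Shopify-Hmac-SHA256"], secret) ? 200 : 401
end

# Constructed sample values, not real credentials or a real delivery.
SAMPLE_SECRET = "constructed-client-secret"
SAMPLE_BODY = '{"id":548380009,"name":"Super Toys"}'
SAMPLE_HMAC = [OpenSSL::HMAC.digest("SHA256", SAMPLE_SECRET, SAMPLE_BODY)].pack("m0")

if __FILE__ == $PROGRAM_NAME
  signed = { "X-Shopify-Hmac-SHA256" => SAMPLE_HMAC }
  puts webhook_status(signed, SAMPLE_BODY, SAMPLE_SECRET)       # genuine delivery
  puts webhook_status(signed, SAMPLE_BODY + " ", SAMPLE_SECRET) # body altered
  puts webhook_status({}, SAMPLE_BODY, SAMPLE_SECRET)           # header missing
end
```

In a Rails app this check would run in a before_action on the webhook controller only, with forgery protection skipped there and left enabled in ApplicationController for browser-facing actions.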
Replies 2 (2)

SBD_
Shopify Staff

Hey @Dumydev

Thanks for flagging this - can you please file here: https://github.com/Shopify/shopify-app-template-ruby/issues

Scott | Developer Advocate @ Shopify 

Dumydev
Shopify Partner

Hi @SBD_
Thanks for the reply.
I raised an issue on GitHub as well:
https://github.com/Shopify/shopify-app-template-ruby/issues/115
Please resolve this solution ASAP.
Thanks & Regards