
Shopify Ruby template: APP_UNINSTALLED webhook delivery failed, Can't verify CSRF token

Dumydev
Shopify Partner

I created a Shopify app from the Shopify Ruby template with this command:

npm init @shopify/app@latest -- --template=ruby

I followed the instructions in this doc: https://github.com/Shopify/shopify-app-template-ruby
After setup, when I ran npm run dev to start the server, I got these logs:

15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │ > shopify-frontend-template-react@1.0.0 dev
15:16:32 │ web-frontend │ > vite
15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │   VITE v4.5.0  ready in 332 ms
15:16:32 │ web-frontend │ 
15:16:32 │ web-frontend │   ➜  Local:   http://localhost:40627/
15:16:32 │ webhooks     │ Sending APP_UNINSTALLED webhook to app server
15:16:33 │ web-backend  │ => Booting Puma
15:16:33 │ web-backend  │ => Rails 7.0.8 application starting in development 
15:16:33 │ web-backend  │ => Run `bin/rails server --help` for more startup options
15:16:33 │ web-backend  │ "Inside----------------------------------------- AppUniNstalled JOb"
15:16:33 │ web-backend  │ Puma starting in single mode...
15:16:33 │ web-backend  │ * Puma version: 5.6.7 (ruby 3.1.2-p20) ("Birdie's Version")
15:16:33 │ web-backend  │ *  Min threads: 5
15:16:33 │ web-backend  │ *  Max threads: 5
15:16:33 │ web-backend  │ *  Environment: development
15:16:33 │ web-backend  │ *          PID: 66023
15:16:33 │ web-backend  │ * Listening on http://127.0.0.1:41021
15:16:33 │ web-backend  │ * Listening on http://[::1]:41021
15:16:33 │ web-backend  │ Use Ctrl-C to stop
15:16:35 │ web-backend  │ Started POST "/api/webhooks" for 127.0.0.1 at 2023-12-01 15:16:35 +0530
15:16:35 │ web-backend  │   ActiveRecord::SchemaMigration Pluck (0.1ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY 
"schema_migrations"."version" ASC
15:16:35 │ web-backend  │ "Insiede Application Controller"
15:16:35 │ web-backend  │ Processing by HomeController#index as */*
15:16:35 │ web-backend  │   Parameters: {"id"=>548380009, "name"=>"Super Toys", "email"=>"super@supertoys.com", "domain"=>nil, 
"province"=>"Tennessee", "country"=>"US", "address1"=>"190 MacLaren Street", "zip"=>"37178", "city"=>"Houston", "source"=>nil, 
"phone"=>"3213213210", "latitude"=>nil, "longitude"=>nil, "primary_locale"=>"en", "address2"=>nil, "created_at"=>nil, "updated_at"=>nil, 
"country_code"=>"US", "country_name"=>"United States", "currency"=>"USD", "customer_email"=>"super@supertoys.com", "timezone"=>"(GMT-05:00) 
Eastern Time (US & Canada)", "iana_timezone"=>nil, "shop_owner"=>"John Smith", "money_format"=>"${{amount}}", 
"money_with_currency_format"=>"${{amount}} USD", "weight_unit"=>"kg", "province_code"=>"TN", "taxes_included"=>nil, 
"auto_configure_tax_inclusivity"=>nil, "tax_shipping"=>nil, "county_taxes"=>nil, "plan_display_name"=>"Shopify Plus", "plan_name"=>"enterprise",
 "has_discounts"=>false, "has_gift_cards"=>true, "myshopify_domain"=>nil, "google_apps_domain"=>nil, "google_apps_login_enabled"=>nil, 
"money_in_emails_format"=>"${{amount}}", "money_with_currency_in_emails_format"=>"${{amount}} USD", "eligible_for_payments"=>true, 
"requires_extra_payments_agreement"=>false, "password_enabled"=>"[FILTERED]", "has_storefront"=>true, "finances"=>true, 
"primary_location_id"=>655441491, "checkout_api_supported"=>true, "multi_location_enabled"=>true, "setup_required"=>false, 
"pre_launch_enabled"=>false, "enabled_presentment_currencies"=>["USD"], "transactional_sms_disabled"=>false, 
"marketing_sms_consent_enabled_at_checkout"=>false, "path"=>"api/webhooks", "home"=>{"id"=>548380009, "name"=>"Super Toys", 
"email"=>"super@supertoys.com", "domain"=>nil, "province"=>"Tennessee", "country"=>"US", "address1"=>"190 MacLaren Street", "zip"=>"37178", 
"city"=>"Houston", "source"=>nil, "phone"=>"3213213210", "latitude"=>nil, "longitude"=>nil, "primary_locale"=>"en", "address2"=>nil, 
"created_at"=>nil, "updated_at"=>nil, "country_code"=>"US", "country_name"=>"United States", "currency"=>"USD", 
"customer_email"=>"super@supertoys.com", "timezone"=>"(GMT-05:00) Eastern Time (US & Canada)", "iana_timezone"=>nil, "shop_owner"=>"John Smith",
 "money_format"=>"${{amount}}", "money_with_currency_format"=>"${{amount}} USD", "weight_unit"=>"kg", "province_code"=>"TN", 
"taxes_included"=>nil, "auto_configure_tax_inclusivity"=>nil, "tax_shipping"=>nil, "county_taxes"=>nil, "plan_display_name"=>"Shopify Plus", 
"plan_name"=>"enterprise", "has_discounts"=>false, "has_gift_cards"=>true, "myshopify_domain"=>nil, "google_apps_domain"=>nil, 
"google_apps_login_enabled"=>nil, "money_in_emails_format"=>"${{amount}}", "money_with_currency_in_emails_format"=>"${{amount}} USD", 
"eligible_for_payments"=>true, "requires_extra_payments_agreement"=>false, "password_enabled"=>"[FILTERED]", "has_storefront"=>true, 
"finances"=>true, "primary_location_id"=>655441491, "checkout_api_supported"=>true, "multi_location_enabled"=>true, "setup_required"=>false, 
"pre_launch_enabled"=>false, "enabled_presentment_currencies"=>["USD"], "transactional_sms_disabled"=>false, 
"marketing_sms_consent_enabled_at_checkout"=>false}}
15:16:35 │ web-backend  │ Can't verify CSRF token authenticity.
15:16:35 │ web-backend  │ Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 585)
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:253:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:286:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:275:in `verify_authenticity_token'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:400:in `block in make_lambda'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:199:in `block (2 levels) in halting'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:200:in `block in halting'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:595:in `block in invoke_before'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:595:in `each'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:595:in `invoke_before'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:116:in `block in run_callbacks'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:138:in `run_callbacks'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/abstract_controller/callbacks.rb:233:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/rescue.rb:23:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/instrumentation.rb:67:in `block in process_action'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/notifications.rb:206:in `block in instrument'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/notifications.rb:206:in `instrument'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/instrumentation.rb:66:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
15:16:35 │ web-backend  │ activerecord (7.0.8) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/abstract_controller/base.rb:151:in `process'
15:16:35 │ web-backend  │ actionview (7.0.8) lib/action_view/rendering.rb:39:in `process'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal.rb:188:in `dispatch'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal.rb:251:in `dispatch'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/routing/route_set.rb:32:in `serve'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/journey/router.rb:50:in `block in serve'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/journey/router.rb:32:in `each'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/journey/router.rb:32:in `serve'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/routing/route_set.rb:852:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/tempfile_reaper.rb:15:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/etag.rb:27:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/conditional_get.rb:40:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/head.rb:12:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/http/content_security_policy.rb:36:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/session/abstract/id.rb:266:in `context'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/session/abstract/id.rb:260:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/cookies.rb:704:in `call'
15:16:35 │ web-backend  │ activerecord (7.0.8) lib/active_record/migration.rb:638:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/callbacks.rb:99:in `run_callbacks'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/executor.rb:14:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:132:in `call_app'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:28:in `block in call'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:17:in `catch'
15:16:35 │ web-backend  │ web-console (4.2.1) lib/web_console/middleware.rb:17:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/show_exceptions.rb:29:in `call'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/rack/logger.rb:40:in `call_app'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/rack/logger.rb:25:in `block in call'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/tagged_logging.rb:99:in `block in tagged'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/tagged_logging.rb:37:in `tagged'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/tagged_logging.rb:99:in `tagged'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/rack/logger.rb:25:in `call'
15:16:35 │ web-backend  │ sprockets-rails (3.4.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/request_id.rb:26:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/method_override.rb:24:in `call'
15:16:35 │ web-backend  │ shopify_app (21.7.0) lib/shopify_app/middleware/jwt_middleware.rb:24:in `call_next'
15:16:35 │ web-backend  │ shopify_app (21.7.0) lib/shopify_app/middleware/jwt_middleware.rb:12:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/runtime.rb:22:in `call'
15:16:35 │ web-backend  │ activesupport (7.0.8) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/server_timing.rb:61:in `block in call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/server_timing.rb:26:in `collect_events'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/server_timing.rb:60:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/executor.rb:14:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/static.rb:23:in `call'
15:16:35 │ web-backend  │ rack (2.2.8) lib/rack/sendfile.rb:110:in `call'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_dispatch/middleware/host_authorization.rb:138:in `call'
15:16:35 │ web-backend  │ railties (7.0.8) lib/rails/engine.rb:530:in `call'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/configuration.rb:252:in `call'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/request.rb:77:in `block in handle_request'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/request.rb:76:in `handle_request'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/server.rb:443:in `process_client'
15:16:35 │ web-backend  │ puma (5.6.7) lib/puma/thread_pool.rb:147:in `block in spawn_thread'
15:16:36 │ webhooks     │ APP_UNINSTALLED webhook delivery failed

 

 

The error is:

15:16:35 │ web-backend  │ Can't verify CSRF token authenticity.
15:16:35 │ web-backend  │ Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 585)
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │ 
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):
15:16:35 │ web-backend  │   
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:253:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:286:in `handle_unverified_request'
15:16:35 │ web-backend  │ actionpack (7.0.8) lib/action_controller/metal/request_forgery_protection.rb:275:in `verify_authenticity_token'

 

 

When I changed my ApplicationController:

# web/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # it skips csrf token validation
  skip_forgery_protection
end

 

 

The application ran fine and the webhook was delivered successfully.
But this approach is not a standard way to deal with this issue.
Does anyone have a standard solution for it?
Thanks

Replies 2 (2)

SBD_
Shopify Staff

Hey @Dumydev 

 

Thanks for flagging this - can you please file here: https://github.com/Shopify/shopify-app-template-ruby/issues

Scott | Developer Advocate @ Shopify 

Dumydev
Shopify Partner

Hi @SBD_
Thanks for the reply.
I raised an issue on GitHub as well:
https://github.com/Shopify/shopify-app-template-ruby/issues/115
Please resolve this solution ASAP.
Thanks & Regards
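
On the question in the first post, as an added example that is not part of the thread or of Shopify's template: a webhook is a server-to-server POST with no browser session, so it cannot carry a Rails CSRF token and is authenticated by an HMAC over the raw request body instead. The sketch below shows that check in plain Ruby; the secret, the body and the helper names `secure_equal?` and `webhook_status` are constructed for illustration.

```ruby
require "openssl"
require "base64"

# Constructed sample values for this example; a real app uses its own
# client secret and the exact bytes of the request body.
SAMPLE_SECRET = "constructed-client-secret"
SAMPLE_BODY   = '{"id":548380009,"name":"Super Toys"}'

# Base64-encoded HMAC-SHA256 of the raw body, keyed with the app's client
# secret: the value Shopify sends in the X-Shopify-Hmac-SHA256 header.
def webhook_signature(secret, raw_body)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, raw_body)
  Base64.strict_encode64(digest)
end

# Compare without returning early on the first differing byte, so response
# timing does not reveal how much of a guessed signature matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical helper: the HTTP status a webhook endpoint would answer with.
# `headers` is a Rack-style env hash.
def webhook_status(secret, raw_body, headers)
  supplied = headers["HTTP_X_SHOPIFY_HMAC_SHA256"].to_s
  return 401 if supplied.empty?
  secure_equal?(webhook_signature(secret, raw_body), supplied) ? 200 : 401
end

if __FILE__ == $PROGRAM_NAME
  good = { "HTTP_X_SHOPIFY_HMAC_SHA256" => webhook_signature(SAMPLE_SECRET, SAMPLE_BODY) }
  puts webhook_status(SAMPLE_SECRET, SAMPLE_BODY, good)        # valid signature
  puts webhook_status(SAMPLE_SECRET, SAMPLE_BODY + " ", good)  # body altered
  puts webhook_status(SAMPLE_SECRET, SAMPLE_BODY, {})          # header missing
end
```

With a check like this guarding the webhook action, the CSRF exemption can be limited to the webhook controller rather than applied in ApplicationController, where it disables forgery protection for every controller that inherits from it. The log above shows the POST to /api/webhooks being processed by HomeController#index, so the route that request matched is also worth checking.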