[App Rejection] Automatic tests not passing

During last days, our app is getting rejected by the automated test, see their message below.

The messages are bit confusing for two reasons. First the same explanation is given for both rejection requirements below. Also, the reason is mentioning a path for which we never redirect to as we never redirect to the root, we always redirect “auth” related paths as specified by the tuto here

For context,

1. We always check the HMAC as specified here and here
2. We set the security header for the iFrame like here
3. The installation test locally did not have any issue
4. We went through all previous posts in the forum but still were not able to fix it

Are we missing something? Can someone please help?

Thanks in advance

[Rejection message from Shopify]

Requirements that must be met before initial screening

1. App must set security headers to protect against clickjacking.
   Your app does not request installation on the shop immediately after clicking "add app". Apps must ask a shop for access when being installed on a shop for the first time, as well as when they are being reinstalled after having been removed. During install or reinstall we expected OAuth to be initiated at [https://cambridgetestshop.myshopify.com/admin/oauth/request_grant](https://cambridgetestshop.myshopify.com/admin/oauth/request_grant) but was redirected to [https://cambridgetestshop.myshopify.com/admin/apps/7e43b55c76c07b51ccb5e0147b85daf0/?hmac=8df4b10cd53a62a09dcfab878c90011f9b93e83ca3a501715a02f8aa4c5fcb19&host=Y2FtYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=cambridgetestshop.myshopify.com&timestamp=1653006982](https://cambridgetestshop.myshopify.com/admin/apps/7e43b55c76c07b51ccb5e0147b85daf0/?hmac=8df4b10cd53a62a09dcfab878c90011f9b93e83ca3a501715a02f8aa4c5fcb19&host=Y2FtYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=cambridgetestshop.myshopify.com&timestamp=1653006982). [Learn more about authentication in our developer documentation](https://shopify.dev/apps/store/requirements#a-authentication)

1. App must verify the authenticity of the request from Shopify.
   Your app does not request installation on the shop immediately after clicking "add app". Apps must ask a shop for access when being installed on a shop for the first time, as well as when they are being reinstalled after having been removed. During install or reinstall we expected OAuth to be initiated at [https://cambridgetestshop.myshopify.com/admin/oauth/request_grant](https://cambridgetestshop.myshopify.com/admin/oauth/request_grant) but was redirected to [https://cambridgetestshop.myshopify.com/admin/apps/7e43b55c76c07b51ccb5e0147b85daf0/?hmac=8df4b10cd53a62a09dcfab878c90011f9b93e83ca3a501715a02f8aa4c5fcb19&host=Y2FtYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=cambridgetestshop.myshopify.com&timestamp=1653006982](https://cambridgetestshop.myshopify.com/admin/apps/7e43b55c76c07b51ccb5e0147b85daf0/?hmac=8df4b10cd53a62a09dcfab878c90011f9b93e83ca3a501715a02f8aa4c5fcb19&host=Y2FtYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=cambridgetestshop.myshopify.com&timestamp=1653006982). [Learn more about authentication in our developer documentation](https://shopify.dev/apps/store/requirements#a-authentication)

Hi!

We had this issue with one of our apps too, after add app button was clicked we redirected from our application to our authentication server first which would then start the oauth process.

Shopify does not like this, so maybe you are redirecting somewhere as well, could also mean redirecting to another route in your application.

you will need to make sure you go directly to oauth from the route that is being called to start the install process.