Hi,
After submitting our app to be reviewed, we received an email (titled: Important: [APP NAME] app review has been rejected) with the following reasons:
- App must set security headers to protect against clickjacking.
There was an error installing your app. The app must be installed to perform the security check. We expected OAuth to be initiated at https://app-security.myshopify.com/admin/oauth/authorize but were redirected to https://accounts.shopify.com/lookup. Your app must request installation immediately after clicking “add app.” Apps must request shop access during installation, or reinstallation if the app was previously uninstalled from the shop. - App must verify the authenticity of the request from Shopify.
There was an error installing your app. The app must be installed to perform the security check. We expected OAuth to be initiated at https://app-security.myshopify.com/admin/oauth/authorize but were redirected to https://accounts.shopify.com/lookup. Your app must request installation immediately after clicking “add app.” Apps must request shop access during installation, or reinstallation if the app was previously uninstalled from the shop.
The reason stated for those 2 points is the same claiming our app redirects to the following URL:
https://accounts.shopify.com/lookup
However, nowhere in our application, we are making a redirection to the above endpoint. Assuming from the app-security environment in the auth URL, Shopify is doing some automation tests here. Could this be an error on Shopify’s end?
It looks like someone else has had a similar issue but the thread remained unanswered. Hopefully, we can get some feedback here.