My app submission was rejected without much explanation.
This is the message that I get for the rejection from the automated test.
Your primary app listing has 3 issues to fix before you can submit your app for review
- App must set security headers to protect against clickjacking.
  There was an error installing your app. The app must be installed to perform the security check. Failed to install app.
- App must verify the authenticity of the request from Shopify.
  There was an error installing your app. The app must be installed to perform the security check. Failed to install app.
- App must be served over HTTPS.
  There was an error connecting to your app. Make sure its App URL and Allowed redirection URL work correctly.
App must set security headers to protect against clickjacking
I have already added CSP with frame-ancestors 'none' to make sure the app was not accessible through iframes.
We didn’t even enable the App Embed for our Shopify App.
App must verify the authenticity of the request from Shopify
We have implemented all the app endpoints to check the authenticity of the request from Shopify by authorizing the HMAC from Shopify.
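    const crypto = require('crypto');
    const querystring = require('querystring');
    // Assumption: the app's API secret is read from this environment variable.
    const apiSecret = process.env.SHOPIFY_API_SECRET;

    // Express middleware: verify the HMAC on the query string of the request.
    const authorizeHmac = function(req, res, next) {
      const { shop, hmac, code, state } = req.query;
      if (shop && hmac && code) {
        // Sign every query parameter except the signature fields themselves.
        const map = Object.assign({}, req.query);
        delete map['signature'];
        delete map['hmac'];
        const message = querystring.stringify(map);
        const providedHmac = Buffer.from(hmac, 'utf-8');
        const generatedHash = Buffer.from(
          crypto
            .createHmac('sha256', apiSecret)
            .update(message)
            .digest('hex'),
          'utf-8'
        );
        let hashEquals = false;
        try {
          // timingSafeEqual throws when the two buffers differ in length.
          hashEquals = crypto.timingSafeEqual(generatedHash, providedHmac);
        } catch (e) {
          hashEquals = false;
        }
        if (!hashEquals) {
          // Send a body: setting the status alone never completes the response.
          return res.status(401).send('HMAC validation failed');
        } else {
          next();
        }
      } else {
        res.status(400).send('Required parameters missing');
      }
    };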
App must be served over HTTPS
All my app endpoints are properly secured with SSL.
Can anyone help me with this? Is there anyone I can reach out to resolve this issue?
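
An added example, not part of the original post and not Shopify's code: one way to set the clickjacking header in Express. For an app that is not embedded it sends frame-ancestors 'none', as the post describes; the embedded branch uses the per-shop form from Shopify's app requirements. The function names, the shop-domain pattern and the sample requests are assumptions constructed for illustration.

```javascript
// Assumed pattern for a valid shop domain; anything else is rejected so a
// crafted ?shop= value cannot inject extra directives into the header.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Returns the CSP value, or null when an embedded app gets an invalid shop.
function frameAncestorsPolicy(shop, embedded) {
  if (!embedded) {
    // Non-embedded app: no site may frame any page.
    return "frame-ancestors 'none';";
  }
  if (typeof shop !== 'string' || !SHOP_RE.test(shop)) {
    return null;
  }
  // Embedded app: only this shop's domain and the Shopify admin may frame it.
  return `frame-ancestors https://${shop} https://admin.shopify.com;`;
}

// Express-style middleware (hypothetical name) that applies the policy.
function clickjackingHeaders({ embedded }) {
  return function (req, res, next) {
    const policy = frameAncestorsPolicy(req.query.shop, embedded);
    if (policy === null) {
      return res.status(400).send('Invalid shop parameter');
    }
    res.setHeader('Content-Security-Policy', policy);
    next();
  };
}

// Constructed sample requests, run against a minimal stand-in for res.
function demo() {
  const samples = [
    { shop: 'example-store.myshopify.com', embedded: false },
    { shop: 'example-store.myshopify.com', embedded: true },
    { shop: "x.example; frame-ancestors *", embedded: true },
  ];
  return samples.map(({ shop, embedded }) => {
    const res = {
      code: 200, headers: {},
      setHeader(k, v) { this.headers[k] = v; },
      status(c) { this.code = c; return this; },
      send() { return this; },
    };
    clickjackingHeaders({ embedded })({ query: { shop } }, res, () => {});
    return { code: res.code, csp: res.headers['Content-Security-Policy'] };
  });
}

console.log(demo());
```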