Hi - has there been any movement on this? I have received a couple of complaints from users of my app. I’ve updated to koa-shopify-auth 3.1.58 and the issue is still happening.
Topic summary
Infinite “Enable cookies” redirect loop in Safari (macOS/iOS) when installing or opening embedded Shopify apps, linked to Intelligent Tracking Prevention (ITP) and third‑party cookie blocking. Reproduced with Shopify’s demo app; private browsing sometimes works, regular windows fail even after clearing cookies.
Shopify acknowledged the issue; related browser behaviors also noted in Firefox and Chrome (SameSite cookies). Early on, no workaround was available.
Fix released: @shopify/koa-shopify-auth v3.1.61 addressed Safari 13.1 loops; users confirmed. A recurring Safari prompt became expected “for now.” Some regressions/edge cases persisted: “Request origin could not be verified” on first attempt, continued reports on v3.1.65 and Safari 14; Chrome served as a temporary workaround.
Further remediation: Shopify identified a bug where the host parameter could be missing during auth for app links; part of the fix shipped, final pieces pending. One developer resolved a separate issue by avoiding path collisions between pages and API endpoints.
Long‑term direction: migrate to cookieless authentication using App Bridge session tokens; the OP reports permanent resolution, with official docs linked. Status: partially resolved via library updates and moving to session tokens; broader embedding/auth improvements were hinted (timeline questions raised), but not finalized within the thread.