
Remove page before application uninstalled

Nariman_Abliev
Tourist
6 0 1

Hi,

My app needs to remove a custom page when the user uninstalls the application. I've created a subscription for the "app/uninstalled" event.

But when, while processing that webhook, my code tries to remove my app's page, it gets an "Unauthorized" response, even though it hasn't yet responded with 200 (OK) to the server for the webhook.

Is it possible to remove a page when the user uninstalls the application?

Thanks, Nariman

Nariman_Abliev
Tourist
6 0 1

Can anyone help me? I need an answer. Is it possible to remove a custom page when the user decides to uninstall the application?

Now, when the "app/uninstalled" webhook is triggered and the app tries to send a page delete message, it receives an "Unauthorized" response.

At which stage exactly does the application access token get removed on the server? Just after the user confirms he (she) wants to uninstall the app?

Jason
Shopify Expert
10915 191 2187

At which stage exactly does the application access token get removed on the server? Just after the user confirms he (she) wants to uninstall the app?

I would have expected the token to be purged immediately after confirming, which is why you're getting the error. Your app no longer has access. Webhooks do not fire in real time either, so you should expect some delay before the webhook is sent.

Even if you could delete a page, that sounds like a bad idea. Imagine how annoyed a store owner would be if you deleted a page that they added custom content to.

★ I jump on these forums in my free time to help and share some insights. Not looking to be hired, and not looking for work. http://freakdesign.com.au ★
Gavinator
Shopify Partner
1300 10 112
Consider this hook event as simply the chance to do housekeeping on your side. Shopify recommends you integrate via the script tag functionality. That way, when your app is uninstalled, it will no longer be called and you are done. Unfortunately, the way this works is your script loads *after* all the pinterests and facebooks from the theme, so going that way will result in lots of your users complaining about how slow your app is no matter how fast it actually is. What we do is create a snippet that then gets included into the product or cart page. To "uninstall" means the store owner additionally has to remove that line or empty the snippet.
www.bookthatapp.com
Nariman_Abliev
Tourist
6 0 1

Hi guys,

Thank you for the explanation. I didn't think about the possibility of the user adding custom content to my custom page. That sounds quite reasonable.

darrynten
Shopify Partner
21 1 9

This is still a problem, 6 years later.

@darrynten
peter90
New Member
5 0 0

Yes, this is still a problem.

BStubbs
Shopify Partner
136 16 60

This isn't really a 'problem', more a feature of Shopify. Once you uninstall the app, the app can no longer interact with your shop. That's the beauty of a platform like Shopify.

The best solution I have found:

1. Create the page with the API, but populate the page with a ScriptTag.

2. The ScriptTag will be removed when the app is uninstalled automatically, so any app features you added will be removed.

Just a suggestion.

Was this helpful? Press like!
Did it fix the problem? Mark it as the solution for others!
Buy me a beer? Well, sure!
darrynten
Shopify Partner
21 1 9

ScriptTag loads waaaay too late for a lot of use cases.

A possible fix would be to add a small delay/timeout to the token revocation when an app has the edit theme permission.

@darrynten
BStubbs
Shopify Partner
136 16 60

I think you misunderstand why they revoke the token. From a security standpoint, your fix opens up the platform to risks for the merchant. Remember the token itself is not access specific, that is to say you do not have different tokens for different access scopes, so you would also need to amend the access scopes provided to the app.

At the end of the day, Shopify exists for merchants - not partners, so I think there is a reason why this 'problem' still hasn't been taken up. 

darrynten
Shopify Partner
21 1 9

Howdy, and a happy new year to you 🙂

If you think about it a bit more, the security argument isn't valid. There's no real change in risk between the time the application is installed and a 30 second (or similar) window following uninstallation.

You're correct that there isn't a token per access scope - which would be silly - but the existing token already knows which scopes are linked, and the existing middleware already checks if the token is (a) not expired, and (b) contains the required scope(s) needed for the requested endpoint.

Yes, there are multiple scopes, and, if implemented poorly, extending the timeout could allow malicious actors to do bad things like deleting products or changing prices when the app is uninstalled. It's possible to mitigate this risk almost entirely by placing some straightforward checks in place on 3 specific endpoints and not allowing access to any other scopes or endpoints during this window.

The token, the expiration time, the scopes, the requested resource, the webhook status, and the endpoints needed for theme editing are already all known variables in the system.

All it takes is to extend the existing api middleware and/or theme controller to take the specific endpoint and scope combination into consideration, and check if:

- the token is valid or has expired within the last x seconds; and
- the app had the edit theme scope; and
- the webhook hasn't been processed yet

This should only occur on the following 3 endpoints:

- GET /admin/themes/current.json
- GET /admin/themes/xyz/assets.json
- PUT /admin/themes/xyz/assets.json

This means the only action a malicious actor could do is modify the theme at uninstall time. This is a non-issue, because they can already add code wherever they want, so there's little incentive for them to add malicious code at uninstall time because this could draw direct attention to the malicious behaviour. 

When the endpoints and scopes are severely limited the risk is negligible. In fact, merchants would only benefit from this change.

Right now Shopify are doing all merchants and partners a disservice, because for every app that adjusts themes that a merchant installs and uninstalls, their store slows down, and the console starts throwing errors for resources that are no longer found or invalid. I've seen stores that take up to 30 seconds to load, purely because of this exact problem.

This severely impacts page speed, and negatively affects SEO rankings, bounce rates, cart abandonment, and ad performance (i.e. more spend needed per converted customer).

Right now, the way this is set up, merchants are suffering way more from theme bloat issues and SEO impact than they would from this so-called 'security risk'.

The more word gets around that Shopify themselves are the real reason for theme bloat (and the inevitable poor SEO and speed scores) the more their reputation is tarnished, because the standard response to "Shopify do not let developers remove apps from your theme when you uninstall the app" is "Well, that's stupid."

Fix the root cause of the problem and both merchants and partners will benefit tremendously.

This will make for a faster, more robust Shopify experience, which can only result in better retention rates, fewer abandoned carts, increased customer conversions for everyone, lower bounce rates, fewer 1-star reviews on the app store (i.e. a higher quality app store), fewer support queries (for both Shopify and partners), and, of course, higher stock prices and happier shareholders.

@darrynten
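
A sketch of the check proposed in the post above, added here as an example; it is not Shopify's code and not the poster's. `TokenRecord`, `authorize`, the `write_themes` scope name and the 30-second window are assumptions made for illustration, and anything outside the three listed endpoints is denied by default once the token is revoked.

```python
import re
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 30            # the post's "x seconds"; 30 is its own example figure
THEME_SCOPE = "write_themes"  # assumed name for the "edit theme" scope

# The three endpoints listed in the post; "xyz" is taken to be a numeric theme id.
GRACE_ROUTES = [
    ("GET", re.compile(r"/admin/themes/current\.json")),
    ("GET", re.compile(r"/admin/themes/\d+/assets\.json")),
    ("PUT", re.compile(r"/admin/themes/\d+/assets\.json")),
]


@dataclass
class TokenRecord:            # hypothetical server-side token state
    scopes: frozenset
    revoked_at: Optional[float] = None  # epoch seconds of the uninstall
    webhook_processed: bool = False     # app/uninstalled already handled


def in_grace_allowlist(method: str, path: str) -> bool:
    # fullmatch so a longer path cannot smuggle in another resource
    return any(m == method and rx.fullmatch(path) for m, rx in GRACE_ROUTES)


def authorize(token, method, path, required_scope, now) -> bool:
    """Decide one request. `now` is read once by the caller so every
    condition is evaluated against the same instant."""
    if required_scope not in token.scopes:
        return False
    if token.revoked_at is None:
        return True           # app still installed: normal scope check only
    elapsed = now - token.revoked_at
    return (
        0 <= elapsed <= GRACE_SECONDS
        and THEME_SCOPE in token.scopes
        and not token.webhook_processed
        and in_grace_allowlist(method, path)
    )
```
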
BStubbs
Shopify Partner
136 16 60

Happy new year, @darrynten! Let's hope it's a good one this time...

I think of the security issues as if I was running a real store. You hire a bad employee (app) and you fire that employee, do you then ask them to close up that night by themselves? Probably not. You take their keys away and do it yourself.

But you make some great points. Don't forget the GraphQL endpoint, but it will have to check every request. You also need to address the race condition with the token expiry.

I'm not sure I 100% agree that it's all Shopify's fault here. Finger pointing is a bit tricky in this sort of situation. I don't think Shopify shareholders care too much if there are a lot of support requests for Partners, because they don't need to service them. You may find they put the onus back on Partners, like a requirement for apps to have a comprehensive uninstall document for merchants prior to being approved in the App Store. Which probably isn't a bad idea if you want to have a higher quality app store (good documentation goes a long way to fixing support tickets early).

Maybe there is some sort of middle ground, but not sure an extension of the token is the silver bullet to store speeds.
