This repository has been archived by the owner on Apr 11, 2024. It is now read-only.

shopifyAuth throws 500 error if more than 1 minute between GET / and GET /auth/callback #202

Closed
louiscollarsmith opened this issue Jun 17, 2021 · 9 comments · Fixed by Shopify/koa-shopify-auth#112

Comments

@louiscollarsmith

Issue summary

When a user is on the "You are about to install #APP_NAME" page and they wait for more than 1 minute to click "Install app", a 500 error is thrown.

Url
GET /auth/callback?code=4e9c4cb180763a21ab0fbf243c17f5ba&hmac=751bbcaa7f5a4013575d617af11f23eb1e570c8c1f82d36a12405895404bda38&host=cXVpdmVyLWltbWVkaWF0ZS1kZWxpdmVyaWVzLm15c2hvcGlmeS5jb20vYWRtaW4&shop=quiver-immediate-deliveries.myshopify.com&state=284790218494132&timestamp=1623885746

Error

InternalServerError: Cannot complete OAuth process. Could not find an OAuth cookie for shop url: quiver-immediate-deliveries.myshopify.com
      at Object.throw (/app/node_modules/koa/lib/context.js:97:11)
      at /app/node_modules/@shopify/koa-shopify-auth/dist/src/auth/index.js:100:42
      at step (/app/node_modules/tslib/tslib.js:141:27)
      at Object.throw (/app/node_modules/tslib/tslib.js:122:57)
      at rejected (/app/node_modules/tslib/tslib.js:113:69)
      at runMicrotasks (<anonymous>)
      at processTicksAndRejections (node:internal/process/task_queues:96:5)

This bug is difficult to recreate because, when installing the app on a test store, you typically don't go through the App Store. This means the "You are about to install #APP_NAME" page is skipped, as "Install app" is auto-clicked/auto-selected.

To understand this error better, I added a CustomSessionStorage class with the relevant functions. The loadCallback function is never called if the time between auth is longer than 1 minute, even though there is a session in the storage.

This issue occurs when using the Shopify.Session.MemorySessionStorage and Shopify.Session.CustomSessionStorage.

My relevant dependencies are:

"@shopify/app-bridge": "^2.0.3",
"@shopify/app-bridge-react": "^2.0.3",
"@shopify/app-bridge-utils": "^2.0.3",
"@shopify/koa-shopify-auth": "^4.1.3",
"koa": "^2.13.1",
"koa-bodyparser": "^4.3.0",
"koa-ignore": "^1.0.1",
"koa-logger": "^3.2.1",
"koa-router": "^8.0.8",
"shopify-api-node": "^3.6.12",

Expected behavior

Users should be able to sit idle for more than 1 minute between auth and auth callback
OR
I should be able to handle this error and restart the auth process rather than just throwing a 500 error.

Steps to reproduce the problem

I have been recreating the issue via Shopify.

  1. Open a store
  2. Click on apps
  3. Click on shop for apps
  4. Search for quiver app or any app that uses the new oauth flow
  5. Click add app
  6. Wait for more than 1 minute before clicking install app
@louiscollarsmith louiscollarsmith changed the title createShopifyAuth throws 500 error if more than 1 minute between GET / and GET /auth/callback shopifyAuth throws 500 error if more than 1 minute between GET / and GET /auth/callback Jun 17, 2021
@louiscollarsmith
Author

Anyone interested in this?

@louiscollarsmith
Author

Any update on this?

@paulomarg
Contributor

Hey @louiscollarsmith, this is actually working as intended - we use that limit so that we don't have 'hanging' sessions that could be abused. There was a longer discussion on this topic, but essentially the cookie that's used for the OAuth session will expire after that 1m period.

@louiscollarsmith
Author

@paulomarg OK, makes sense. So how do I handle this? Currently my server just throws a 500.

@paulomarg
Contributor

paulomarg commented Jul 19, 2021

Sorry, forgot to mention that - if you get this error you could just retry the OAuth process (i.e. redirect the user to /auth?shop=...) - if they approved the app they won't see the request for permissions again, so they should go straight back to the app.

@louiscollarsmith
Author

How programmatically should I catch the error thrown by afterAuth?

@paulomarg
Contributor

paulomarg commented Jul 19, 2021

I've applied the workaround proposed in the other issue to the source, but if you don't want to wait for a new release you could follow the instructions there!

@louiscollarsmith
Author

Great, thank you!

@paulomarg
Contributor

Version 4.1.4 is out which should fix this issue!
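
The retry suggested in the thread (redirect to /auth?shop=... when the OAuth cookie has expired), as an added example that is not part of the thread or of koa-shopify-auth's own code. The names `retryUrlFor` and `retryExpiredOAuth` are hypothetical, and matching on the error text quoted in this issue is an assumption that may not hold for other library versions.

```javascript
// Added example. Detection relies on the error text quoted in this issue.
const EXPIRED_COOKIE_MARKER = 'Could not find an OAuth cookie';

// `shop` is attacker-controllable query input, so accept only a bare
// *.myshopify.com hostname before placing it in a redirect target.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Returns the URL at which to restart OAuth, or null if the error
// should propagate to the normal error handling.
function retryUrlFor(err, query) {
  const message = err && typeof err.message === 'string' ? err.message : '';
  if (!message.includes(EXPIRED_COOKIE_MARKER)) return null;
  const shop = query && query.shop;
  // A repeated ?shop= parameter arrives as an array in Koa: reject it.
  if (typeof shop !== 'string' || !SHOP_RE.test(shop)) return null;
  // Carry over only the shop. code/hmac/state from the failed callback
  // are dropped so the new flow issues its own state and cookie.
  return `/auth?shop=${encodeURIComponent(shop)}`;
}

// Koa-style middleware. Register it before the auth middleware so that
// it wraps the callback handler and sees the thrown error.
async function retryExpiredOAuth(ctx, next) {
  try {
    await next();
  } catch (err) {
    const url = ctx.path === '/auth/callback' ? retryUrlFor(err, ctx.query) : null;
    if (!url) throw err; // unrelated failure: leave it untouched
    ctx.redirect(url);
  }
}
```

If the browser never stores the OAuth cookie at all, this redirect repeats on every callback, so a deployment would want a retry limit on top of it.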
