Offline access token not refreshed if app uninstalled then reinstalled #1678

Closed
nickpith opened this issue Apr 3, 2023 · 3 comments
nickpith (Contributor) commented Apr 3, 2023

Issue summary

When an app has not set up webhooks to listen for the app/uninstalled event and is using online access tokens (i.e. user sessions), reinstalling the app on a shop that previously installed the app will no longer update the offline access token for the shop. This appears to be due to the fact that SessionsController#start_oauth is requesting an online access token because LoginProtection#user_session_expected? is not checking if the session is still valid. It is only checking if the access scopes have changed.

The JS package handles this by checking if the offline token stored in the session is still valid and if not will redirect to OAuth for a new offline token. It does look like prior to this commit a similar behavior was done to prevent this problem.

We have temporarily worked around this limitation by listening for a 401 response when attempting to use the offline token. If we get a 401 using shopify_api to make those calls, we will redirect to OAuth and obtain a new offline token.

  • shopify_api version: 12.4.0
  • shopify_app version: 21.4.1
  • Ruby version: 3.2.1
  • Operating system: Mac / Linux

Expected behavior

Whenever the app is reinstalled the OAuth process will always request a new offline access token. This way the access token for the shop is updated as part of the CallbackController.

Actual behavior

Whenever the app is reinstalled without any access scope changes, the OAuth process will request an online access token instead of an offline access token.

Steps to reproduce the problem

  1. Set up an app without any webhooks that can delete shop sessions when the app/uninstalled event occurs
  2. Install the app on a shop and note the access token stored for the shop session
  3. Uninstall the app
  4. Reinstall the app.
  5. The shop session will not update the access token
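The decision logic the report is asking for, as an added example that is not part of the issue or of shopify_app's own code: OAuth falls back to an offline token not only when the granted scopes differ from the required ones, but also when the stored offline token is rejected with a 401, which is what a reinstall without an app/uninstalled webhook leaves behind. The HTTP probe is injected as a lambda and the session struct, shop names and tokens are constructed here so the block runs offline; in a real app the probe would be a cheap authenticated API call and the session would come from the session store.

```ruby
# Added example, not shopify_app's code. Shapes below are hypothetical stand-ins
# for the gem's session object and for an HTTP client.
ShopSession = Struct.new(:shop, :access_token, :scope, keyword_init: true)

# True when the comma-separated scopes stored with the session no longer match
# what the app now requires. This is the only check the report says the gem does.
def scopes_changed?(granted, required)
  stored = granted.to_s.split(",").map(&:strip).reject(&:empty?).sort
  stored != required.map(&:to_s).sort
end

# probe.call(shop, token) returns the HTTP status of a lightweight authenticated
# request made with the stored offline token. A 401 means the token was revoked
# (uninstall) or never valid; anything other than 200/401 is not evidence about
# the token, so it is raised instead of triggering a re-auth loop.
def offline_token_valid?(session, probe)
  status = probe.call(session.shop, session.access_token)
  case status
  when 200 then true
  when 401 then false
  else raise "unexpected HTTP #{status} while probing #{session.shop}"
  end
end

# Which token type the next OAuth round trip should request.
# :offline whenever there is no usable offline token for the shop.
def oauth_mode(session, required_scopes:, probe:)
  return :offline if session.nil? || session.access_token.to_s.empty?
  return :offline if scopes_changed?(session.scope, required_scopes)
  return :offline unless offline_token_valid?(session, probe)
  :online
end

# Constructed fake API: the token the platform currently accepts per shop.
# alpha reinstalled the app, so its old token tok-alpha-1 is revoked.
VALID_TOKENS = {
  "alpha.myshopify.com" => "tok-alpha-2",
  "beta.myshopify.com"  => "tok-beta-1",
}.freeze

FAKE_PROBE = ->(shop, token) { VALID_TOKENS[shop] == token ? 200 : 401 }

if __FILE__ == $PROGRAM_NAME
  stale = ShopSession.new(shop: "alpha.myshopify.com", access_token: "tok-alpha-1", scope: "read_products")
  fresh = ShopSession.new(shop: "beta.myshopify.com",  access_token: "tok-beta-1",  scope: "read_products")
  puts "alpha (reinstalled): #{oauth_mode(stale, required_scopes: %w[read_products], probe: FAKE_PROBE)}"
  puts "beta  (intact):      #{oauth_mode(fresh, required_scopes: %w[read_products], probe: FAKE_PROBE)}"
end
```

With the scope-only check, the stale alpha session would be sent through online OAuth and the revoked offline token would stay in the store; the probe turns the same reinstall into an offline re-authorization, which is the behaviour the report describes for the JS package.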
github-actions bot commented Jun 3, 2023

This issue is stale because it has been open for 60 days with no activity. It will be closed if no further action occurs in 14 days.

@github-actions github-actions bot added the stale label Jun 3, 2023
@github-actions

We are closing this issue because it has been inactive for a few months.
This probably means that it is not reproducible or it has been fixed in a newer version.
If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.

If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md file for guidelines.

Thank you!

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 18, 2023
zernie commented Dec 9, 2024

we're having the same issue

#1886 seems relevant
