KeyError at /shopify/finalize/ 'shopify_oauth_state_param' #47

Open
gfloure opened this issue Sep 22, 2020 · 8 comments

gfloure commented Sep 22, 2020

Hi there,

Thanks for your python shopify app integration.

All the apps I developed no longer work in the Shopify administration iframe, which is really annoying. I tried for several hours to resolve the problem, without success.

Do you have any idea what the problem is and how to fix it?

thank you so much

tanema commented Sep 23, 2020

If you are embedding the app in an iframe, make sure that you are accessing your app over https, and that your cookies have the option SameSite=none

gfloure commented Sep 24, 2020

Hello @tanema ,
I load the iframe in https and I have the samesite cookies = None
The app worked for months, and overnight it stopped working

tanema commented Sep 24, 2020

Do you have a stacktrace of your error?

gfloure commented Sep 25, 2020

Hi, this is the traceback. Thanks for your help

```
Environment:

Request Method: GET
Request URL: https://xxx.com/shopify/finalize/?code=94268103a5b3ed480111066672c2c69f&hmac=272bb2a2874c59e67c8cc05ca02e352163c396d088f3c7138c1c237e8096b4d4&shop=xxx-.myshopify.com&state=e19df5ce44650cd52c9657b908924f&timestamp=1601031487

Django Version: 3.0.2
Python Version: 3.8.5
Installed Applications:
['django.contrib.admin.apps.SimpleAdminConfig',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'shopify_app.apps.ShopifyAppConfig',
 'home.apps.HomeConfig']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'shopify_app.middleware.LoginProtection']

Traceback (most recent call last):
  File "/app/.heroku/python/lib/python3.8/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/app/.heroku/python/lib/python3.8/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/app/.heroku/python/lib/python3.8/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/app/shopify_app/views.py", line 43, in finalize
    if request.session['shopify_oauth_state_param'] != params['state']:
  File "/app/.heroku/python/lib/python3.8/site-packages/django/contrib/sessions/backends/base.py", line 64, in __getitem__
    return self._session[key]

Exception Type: KeyError at /shopify/finalize/
Exception Value: 'shopify_oauth_state_param'

Variable    Value
code        '94268103a5b3ed480111066672c2c69f'
hmac        '272bb2a2874c59e67c8cc05ca02e352163c396d088f3c7138c1c237e8096b4d4'
shop        'xxxx.myshopify.com'
state       'e19df5ce44650cd52c9657b908924f'
timestamp   '1601031487'

POST
No POST data

FILES
No FILES data

COOKIES
```

@sillycube

'shopify_oauth_state_param' is not in request.session. I'm also having a similar issue. Now I'm trying to find a solution. The solutions I can think of:

  1. don't use request.session at all (which is quite hard for server-side app)
  2. use session without cookie (not sure if it's possible yet)
  3. ask users to enable 3rd party cookies

The reason is that 3rd party cookie is disabled. If the user is using the Chrome incognito tab or the browser does not enable 3rd party cookie, Django session id cannot be passed. The value of 'shopify_oauth_state_param' cannot be stored in session.

By default, Django uses cookies to store session id. If you ever use session, a cookie will be created by Django.
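
An added example, not part of any comment in this thread and not the project's own code: a state check for the `finalize` step that treats a missing `shopify_oauth_state_param` (the session cookie never came back) as a rejected callback instead of an unhandled `KeyError`. The names `check_oauth_state`, `StateCheck` and `status_for` are hypothetical; `session` is assumed to be dict-like, as `request.session` is in Django.

```python
import hmac
from enum import Enum

STATE_KEY = "shopify_oauth_state_param"  # session key named in the traceback


class StateCheck(Enum):
    OK = "ok"
    NO_SESSION_STATE = "no_session_state"  # session cookie was not sent back
    MISSING_PARAM = "missing_param"        # callback URL carried no state
    MISMATCH = "mismatch"                  # callback does not match this login


def check_oauth_state(session, params):
    """Compare the state stored at login with the one on the callback.

    Never raises KeyError: every failure is reported as a StateCheck value
    so the view can reject the request and log why.
    """
    # pop() makes the stored state single-use, whatever the outcome.
    expected = session.pop(STATE_KEY, None)
    received = params.get("state")
    if expected is None:
        return StateCheck.NO_SESSION_STATE
    if not received:
        return StateCheck.MISSING_PARAM
    # Constant-time comparison of the two values.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return StateCheck.MISMATCH
    return StateCheck.OK


def status_for(result):
    """HTTP status a view could return: only OK continues the OAuth flow."""
    return 200 if result is StateCheck.OK else 400


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    cases = [
        ({STATE_KEY: "s3cr3tstate"}, {"state": "s3cr3tstate"}),  # normal flow
        ({}, {"state": "s3cr3tstate"}),                          # cookie blocked
        ({STATE_KEY: "s3cr3tstate"}, {"state": "other"}),        # wrong state
    ]
    for session, params in cases:
        result = check_oauth_state(session, params)
        print(result.value, status_for(result))
```

Logging the `NO_SESSION_STATE` case separately from `MISMATCH` shows whether failures come from browsers that withhold the session cookie or from callbacks carrying the wrong state.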

deejax commented Sep 13, 2021

Hi @sillycube ,

Did you manage to find a final solution for this?
My app is standalone hosted on Heroku and all of a sudden I am facing this on the instance which is supposed to become my future production :). Things work fine on my test instance (which is also on Heroku) and also local dev. I can't really wrap my head around why I am getting this issue suddenly and only on 1 server while the exact code works fine on other server and my local machine. It was working fine even in the production instance till 2 days back :(.
Do you have any thoughts or ideas why this might be? I will be truly grateful for your expert inputs and tips.

sillycube commented Sep 14, 2021

@deejax

I am done with this 3rd party cookie thing, session token auth, Shopify app bridge. Just spent too much time studying and implementing all of them. When I played with session token auth, Shopify just gave me a diagram and the new django repo didn't even exist. It took me weeks and the app wasn't stable.

Finally, I just go with a standalone app. From your description, looks like the prod env is slightly different from your dev / staging. Some reasons I can think of:

  1. the browser is updated. This 3rd party policy is updated frequently
  2. the web server setting is slightly different on this machine.
  3. The cookie policy on your browser may be different
  4. Incognito mode has a different cookie policy
  5. SSL
  6. DNS setting (e.g cloudflare)

You probably need to trace the code to see where it drops.

Btw, this new sample django app repo supports the latest session token auth. I tried once and it worked.

deejax commented Sep 14, 2021

Hey @sillycube ,

Thanks for taking the time to share your thoughts and inputs. I finally managed to figure it out, the actual issue was with the SMTP authentication of my transaction email 🤦
