shopify-api-js

Getting 431 "This page isn't working" from AuthRoute URL

Open eitel4 opened this issue 3 years ago • 3 comments

Issue summary

After starting authentication attempts multiple times for my non-embedded app, without logging in to Shopify, the page at the auth route URL (before the Shopify login page appears) shows a 431 "This page isn't working". I'm simply using the default Shopify.Auth.beginAuth method to generate the authRoute for redirecting the user. There is nothing special in my code and I followed the provided OAuth guide exactly: https://github.com/Shopify/shopify-node-api/blob/HEAD/docs/usage/oauth.md

I was able to reproduce this issue with other apps as well. Please check the "Steps to reproduce the problem" section to reproduce the problem exactly.

I already found the following related Shopify discussions, without any solution:

  • https://community.shopify.com/c/shopify-discussions/can-t-load-backend-http-error-431/td-p/1164705/page/2
  • https://community.shopify.com/c/shopify-discussions/http-error-431/td-p/1284573/page/2
  • https://community.shopify.com/c/shopify-discussions/cant-login-to-store-at-all/td-p/1209420

My current suspect is the "identity-state" cookie, which can be found at the authRoute URL ("https://XXX.myshopify.com/auth...") and which is created every time a new authentication attempt is started. I'm seeing around 6-8 different "identity-state"s when it starts failing. The "identity-cookie" is also getting bigger and bigger, which possibly explains the 431 "Request Header Fields Too Large": https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/431

Expected behavior

The 431 should not appear after starting authentication attempts multiple times, as this isn't a good customer experience.

Actual behavior

The 431 appears and the user is stuck at this page until he manually removes all cookies.

Steps to reproduce the problem

  1. Log out from all Shopify stores and make sure all cookies are cleared (Shopify Login page + App Page URL).
  2. Trigger the app authentication, using the Shopify.Auth.beginAuth method, multiple times (around 10 times) and do not log in to Shopify.
  3. At the last attempt, fully log in to Shopify, so the OAuth authentication for your app completes.
  4. Now log out from Shopify (at https://accounts.shopify.com/store-login). Do not clear your cookies!
  5. Repeat step 2 multiple times until the 431 happens.

eitel4, Nov 22 '21 13:11
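The report above attributes the 431 to per-attempt state cookies accumulating until the Cookie request header is too large. The following is an added diagnostic sketch, not code from the issue or from shopify-api-js; the suffixed cookie names, the value sizes and the 8192-byte limit are constructed assumptions, and only the Cookie header line is measured.

```javascript
// Added diagnostic example. Cookie names, sizes and the limit are constructed.
const HEADER_LIMIT_BYTES = 8192; // assumed limit; real servers differ

// Build the Cookie request header value a browser would send for a jar.
function cookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Sum bytes per cookie "family" (name with a trailing -<hex suffix> removed),
// so many per-attempt cookies show up as one growing group.
function bytesByFamily(jar, familyOf = (n) => n.replace(/-[0-9a-f]+$/i, '')) {
  const totals = new Map();
  for (const c of jar) {
    const size = Buffer.byteLength(`${c.name}=${c.value}`, 'utf8');
    const key = familyOf(c.name);
    totals.set(key, (totals.get(key) || 0) + size);
  }
  return totals;
}

// Replay abandoned auth attempts, each leaving one more state cookie behind,
// and return the first attempt whose Cookie header exceeds the limit.
function firstOverflowingAttempt(baseJar, makeAttemptCookie, attempts,
                                 limit = HEADER_LIMIT_BYTES) {
  const jar = [...baseJar];
  for (let i = 1; i <= attempts; i++) {
    jar.push(makeAttemptCookie(i));
    const size = Buffer.byteLength('Cookie: ' + cookieHeader(jar), 'utf8');
    if (size > limit) {
      return { attempt: i, size, families: bytesByFamily(jar) };
    }
  }
  return null; // header stayed under the limit for every attempt
}

// Constructed sample input: one session cookie plus a 1000-byte state cookie
// per abandoned attempt (hypothetical naming: identity-state-<hex counter>).
const SAMPLE_BASE_JAR = [{ name: 'session', value: 'x'.repeat(200) }];
const sampleAttemptCookie = (i) => ({
  name: `identity-state-${i.toString(16).padStart(4, '0')}`,
  value: 'a'.repeat(1000),
});

const report = firstOverflowingAttempt(SAMPLE_BASE_JAR, sampleAttemptCookie, 10);
if (report) {
  console.log(`attempt ${report.attempt}: Cookie header is ${report.size} bytes`);
  for (const [family, bytes] of report.families) console.log(`  ${family}: ${bytes}`);
}
```

To check a real session, replace the sample jar with the name/value pairs shown in the browser's cookie storage for the failing host.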

Hey @eitel4, thanks for the very detailed report! It sounds like the problem might actually be in the process of logging in to the shop, which isn't really affected by OAuth (other than triggering it), so we can't do much about it from the app side.

I'm going to forward your report to the appropriate team, but before I do that I just wanted to get some extra info to help them pin it down:

  • On step 2, how exactly were you avoiding logging in? Were you just "ignoring" the login request and going straight back to your-app.com/login?
  • Given that you've narrowed it down to the cookie size, I'm assuming that clearing your cookies, re-starting OAuth and going through with the login makes it work as expected, is that correct?

paulomarg, Nov 25 '21 16:11

Hey @paulomarg, thanks for reaching back!

  • Yes, I always stop at the Shopify login page (where I could log in normally) and start the authentication process from the app side again with a fresh "state" parameter, generated by the Shopify.Auth.beginAuth method, which is stored in our app database.
  • Yes, this is correct.

eitel4, Nov 25 '21 16:11

This used to happen to me when trying to log in to Shopify when on a VPN. After logging in several times, I would get this error when logging in to Shopify. I discovered it was because of the same reason, so I would just clear the site cookies and it would work. But it does seem like a bug on Shopify's end.

TheSecurityDev, Nov 29 '21 17:11

This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days.

github-actions[bot], Oct 06 '22 02:10

We are closing this issue because it has been inactive for a few months. This probably means that it is not reproducible or it has been fixed in a newer version. If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.

If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md file for guidelines.

Thank you!

github-actions[bot], Oct 20 '22 02:10