Bug: Login into store "The access scope is missing" after Shopify login

[benmag]

I think I might have stumbled upon a bug but potentially it's just something I haven't correctly setup

When I try to login and I haven't already logged into Shopify, I'll see an "access scope is missing" error. If I'm already logged into Shopify then it works fine

Steps:

Go to my app directly (not via embedded) and enter my development store

Shopify asks me to login, login

It fails saying

Oops, something went wrong.

What happened?
Oauth error invalid_scope: The access scope is missing

The URL of this page is:

https://xxxxxxxx.myshopify.com/admin/oauth/authorize?amp%3Bredirect_uri=https%3A%2F%2F3531d356.ngrok.io%2Fauthenticate&amp%3Bscope=read_products%2Cwrite_products&client_id=27702e4e57453773d2a630e8cbc45xxx

The scope seems to be in the URL, so I'm not sure what could be going wrong or if it's just a mistake I've made somewhere

[demoskp]

I am not an expert by any stretch of the imagination but I think you forgot to add an api scope in your .env file. That's basically what you are asking shopify you want permission of for example you could have the following in your .env file:

SHOPIFY_API_SCOPES='read_products,write_product_listings'

This for examples tells shopify you want to read products as well as write product listings.

[benmag]

I've got my API scopes defined as the SHOPIFY_API_SCOPES and OAuth seems to correctly request those permissions IF I'm already logged into Shopify

The key "breaking" point is if you're not already logged into Shopify

[demoskp]

Have you run the migrations?

[benmag]

Yep

[gnikyt]

The scope in the URL but Shopify is still saying an error... maybe its a Shopify issue? I can't see why its throwing the error when its clearly in the URL.

[gnikyt]

@benmag Wait a second, thats the URL in the browser? Exactly as you posted it?

Decoded, it turns into: https://xxxxxxxx.myshopify.com/admin/oauth/authorize?amp;redirect_uri=https://3531d356.ngrok.io/authenticate&scope=read_products,write_products&client_id=27702e4e57453773d2a630e8cbc45xxx

amp; there in several spots, which is breaking it, I think maybe Laravel is double escaping.

[gnikyt]

I believe this is the issue... I'll change the blade template to not escape.

[ptcampbell]

I also have this problem. Despite the access params existing in the URL string. Can expand on this if you need me to. 🙌

[gnikyt]

I believe it's the escaping Laravel is doing in blade. I've implemented the change, the test passes, just need to do a physical test to confirm now it's ok.

…

On Tue., Aug. 14, 2018, 7:30 p.m. Patrick Campbell, < ***@***.***> wrote: I also have this problem. Despite the access params existing in the URL string. Can expand on this if you need me to. 🙌 — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#68 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACTuOlsRo0R4-ppksJWLpuomk7TYHIDyks5uQ0iSgaJpZM4V8tDZ> .

[paulcanning]

Any update on this?

[gnikyt]

I fixed the issue I believe I havent had time to physically test yet, not sure when I can push this out.

[paulcanning]

Could you point me in a direction on how to fix it myself?

[gnikyt]

I've simply changed {{ authUrl }} to {!! authUrl !!} Which passes fine in the tests and doesn't escape the url, I just haven't had a chance to do a physical test to confirm this fixes it 100%, hopefully tonigh!

…

On Wed., Aug. 15, 2018, 12:54 p.m. Paul Canning, ***@***.***> wrote: Could you point me in a direction on how to fix it myself? — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#68 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACTuOhawM9zTUE0sP2ClxM_bZr5RABtYks5uRD0vgaJpZM4V8tDZ> .

[gnikyt]

Sorry, the above is in the views/layouts/default.blade file. On Wed., Aug. 15, 2018, 1:17 p.m. Tyler King, <[email protected]> wrote:

…

I've simply changed {{ authUrl }} to {!! authUrl !!} Which passes fine in the tests and doesn't escape the url, I just haven't had a chance to do a physical test to confirm this fixes it 100%, hopefully tonigh! On Wed., Aug. 15, 2018, 12:54 p.m. Paul Canning, ***@***.***> wrote: > Could you point me in a direction on how to fix it myself? > > — > You are receiving this because you were assigned. > Reply to this email directly, view it on GitHub > <#68 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/ACTuOhawM9zTUE0sP2ClxM_bZr5RABtYks5uRD0vgaJpZM4V8tDZ> > . >

[paulcanning]

Default.blade.php

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="csrf-token" content="{{ csrf_token() }}">

        <title>{{ config('shopify-app.app_name') }}</title>

        @yield('styles')
    </head>

    <body>
        <div class="app-wrapper">
            <div class="app-content">
                <main role="main">
                    @yield('content')
                </main>
            </div>
        </div>

        @if(config('shopify-app.esdk_enabled'))
            <script src="https://cdn.shopify.com/s/assets/external/app.js?{{ date('YmdH') }}"></script>
            <script type="text/javascript">
                ShopifyApp.init({
                    apiKey: '{{ config('shopify-app.api_key') }}',
                    shopOrigin: 'https://{{ ShopifyApp::shop()->shopify_domain }}',
                    debug: false,
                    forceRedirect: true
                });
            </script>

            @include('shopify-app::partials.flash_messages')
        @endif

        @yield('scripts')
    </body>
</html>

There is no {{ authUrl }}

[paulcanning]

Also, in my case, the auth URL is adding my site URL as http://my-app.com despite the URL being set to https in the .env file and being served over https

[gnikyt]

Sorry currently in meetings! Brain is a bit fired today. It's actually under auth/fullpage_redirect.blade !

…

On Wed., Aug. 15, 2018, 1:42 p.m. Paul Canning, ***@***.***> wrote: Default.blade.php <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="csrf-token" content="{{ csrf_token() }}"> <title>{{ config('shopify-app.app_name') }}</title> @yield('styles') </head> <body> <div class="app-wrapper"> <div class="app-content"> <main role="main"> @yield('content') </main> </div> </div> @if(config('shopify-app.esdk_enabled')) <script src="https://cdn.shopify.com/s/assets/external/app.js?{{ date('YmdH') }}"></script> <script type="text/javascript"> ShopifyApp.init({ apiKey: '{{ config('shopify-app.api_key') }}', shopOrigin: 'https://{{ ShopifyApp::shop()->shopify_domain }}', debug: false, forceRedirect: true }); </script> @include('shopify-app::partials.flash_messages') @endif @yield('scripts') </body> </html> There is no {{ authUrl }} — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#68 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACTuOhaGGlyivdjimMmjSF9KpW4788nEks5uREhogaJpZM4V8tDZ> .

[paulcanning]

Any idea why the URL would be putting in http and not https?

[gnikyt]

It internally uses url() method of Laravel to generate the link. Laravel does have a secure version of this method. I'll have to dig into a good way of swapping them depending on the environment. Maybe I'll just check the server environment vars.

…

On Wed., Aug. 15, 2018, 1:57 p.m. Paul Canning, ***@***.***> wrote: Any idea why the URL would be putting in http and not https? — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#68 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACTuOvyX9dmowM1RGqC-Kion4JDZrRdwks5uREvwgaJpZM4V8tDZ> .

[paulcanning]

Found one issue - ShopifyApp.php, line 93

return parse_url("http://{$domain}", PHP_URL_HOST);

Pretty sure that should be https.

I think you can use something like this, https://laravel.com/api/5.3/Illuminate/Routing/UrlGenerator.html#method_getScheme

[paulcanning]

Found another issue.

AuthControllerTrait.php, line 62, url() should be secure_url()

[gnikyt]

@paulcanning For the line 93, its actually not returned, its similar method to how the rails version works. It just does some cleaning to ensure we can get a myshopify domain without any paths, or protocols. The parse_url bit just puts the domain in with a protocol since I strip it originally, and grabs the host (which returns back just the myshopify domain), its tested against both http/https :)

Will await your feedback on #75 !

[gnikyt]

With @paulcanning 's merge, and the fix to the full page redirect to not escape, it seems to be working as normal, I can confirm the redirect through a view-source "watcher" in Chrome, is now no longer encoding. Its in v3.0.2.

If unresolved, please feel free to re-open.