shopify.auth.callback fails in Shopify's app automated verification because cookies are not preserved #2824
Description
Issue summary
Before opening this issue, I have:
- Upgraded to the latest version of the relevant packages
@shopify/shopify-apipackage and version: 12.0.0- Node version: v20.14.0
- Operating system: macOS
- Set
{ logger: { level: LogSeverity.Debug } }in my configuration - Found a reliable way to reproduce the problem that indicates it's a problem with the package
- Looked for similar issues in this repository
- Checked that this isn't an issue with a Shopify API
Expected behavior
The call to shopify.auth.callback should be able to rely on the state parameter from the URL when the shopify_app_state cookie is missing (e.g., in Shopify’s automated verification environment, which does not handle cookies).
This would allow the OAuth flow to work both in production and in the automated verification environment.
Actual behavior
- In production/local development with a real browser, everything works correctly because the cookie is preserved.
- In Shopify’s automated verification environment, the cookie is not preserved between
/api/auth/shopifyand/api/auth/shopify/callback.
Result:
- The
shopify_app_statecookie is set on/api/auth/shopify. - At the callback, the cookie is missing (
Parsed cookies: {}). - The
shopify.auth.callbackmethod throws aCookieNotFounderror.
Steps to reproduce the problem
Submit an shopify application for production :
Debug logs
Cannot complete OAuth process. Could not find an OAuth cookie for shop url: xbbf0y-vp.myshopify.com