Invalid API key or access token (unrecognized login or wrong password) #1708

Closed
Uysim opened this issue Jul 13, 2023 · 8 comments · Fixed by #1788

Uysim commented Jul 13, 2023

Issue summary

After omniauth succeeded and ShopifyApp::WebhooksManagerJob executed, I got an error response:

 {"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)", "error_reference":"If you report this error, please include this id: a050f299-40bb-4604-8c82-69c78c9645ed."}
  • shopify_api version: 13.1.0
  • shopify_app version: 21.6.0
  • Ruby version: 3.0.4
  • Operating system: MacOS for local development, Amazon Linux for production

Expected behavior

Install webhook without any error

Actual behavior

Raise error from ShopifyApp::WebhooksManagerJob

Steps to reproduce the problem

  1. Install the app with "Test your app"
  2. Omniauth succeeds
  3. The error is raised

@jagthedrummer

I've also seen this start to pop up lately.

nelsonwittwer self-assigned this Aug 2, 2023

@nelsonwittwer (Contributor)

I haven't been able to reproduce this issue with the latest version of this gem and the API. Do you have any other pointers to recreate this?

@jagthedrummer

My only suspicion is that someone is installing and then immediately uninstalling before the ShopifyApp::WebhooksManagerJob runs. And I suspect the job doesn't handle that possibility, which means it raises an error, and then Sidekiq retries the job a bunch of times.

nelsonwittwer (Contributor) commented Aug 3, 2023

I believe this is happening when 1) apps use user sessions and 2) the user sessions are expiring before the webhook jobs run. As @jagthedrummer pointed out, these jobs are getting retried and making the problem seem much worse.

The unfortunate part of this implementation is we queue these jobs for every oauth user login event. Depending on the size of your user base, this could be a super aggressive/expensive flow. Ideally this would be done on a cron basis to see if desired webhook subscriptions changed.

Now that I have a better feel for the cause of this issue, I need to figure out how to handle these errors gracefully and prevent re-queueing jobs we know will fail due to outdated tokens. Longer term, we should refactor this flow to be less aggressive when ensuring webhook topics are subscribed to as declared in the config.

Uysim (Author) commented Aug 19, 2023

@nelsonwittwer To me it seems the problem happens when I try to configure both shop_session_repository and user_session_repository, since I need the shop token for webhook installation and user info for user login. I am still in the stage of more debugging.
Also, I tried to create multiple apps. It happens only in a specific Shopify app, which keeps me in the dark about what's going on.

silvolu commented Dec 1, 2023

@Uysim is this still an issue, and could you find more information with the additional debugging?

@BaggioGiacomo (Contributor)

I also get this error when I uninstall the app while the dev server isn't running, because the shop record in the db will not be deleted since you don't receive the app/uninstall webhook.

To easily fix this, uninstall the app, delete the record in the db (if present), and then reinstall the app.

paulomarg self-assigned this Feb 8, 2024

paulomarg (Contributor) commented Feb 8, 2024

I think @BaggioGiacomo's issue is slightly different, but I made a change that should allow us to re-authenticate properly for embedded apps when the token expires: #1787

For the original issue here, we can make sure that we're always using offline tokens to register webhooks - since they don't expire, we shouldn't run into 401s in the queue, which should help mitigate the problem. I'll work on a PR for that.
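
The mitigation discussed in this thread (register webhooks with the shop's offline token, and stop retrying a job once it gets a 401), as an added example that is not code from shopify_app or from any commenter. `Session`, `FakeApi`, `naive_job` and `webhook_job` are hypothetical names, and the API is a constructed stand-in that runs offline.

```ruby
# Added example: all names are hypothetical stand-ins, not shopify_app's API.
Session = Struct.new(:shop, :token, :online, :expires_at) do
  # Only online (per-user) tokens carry an expiry; offline tokens do not.
  def expired?(now)
    online && !expires_at.nil? && expires_at <= now
  end
end

class UnauthorizedError < StandardError; end # stands in for an HTTP 401

# Constructed stand-in for the Admin API: rejects expired or revoked tokens.
class FakeApi
  def initialize(revoked: [])
    @revoked = revoked
  end

  def register_webhooks(session, now)
    if session.expired?(now) || @revoked.include?(session.token)
      raise UnauthorizedError, "Invalid API key or access token"
    end
    :registered
  end
end

# Before: the job uses whatever session the login event produced, so an
# expired online token raises and the queue retries a job that cannot succeed.
def naive_job(api, login_session, now)
  api.register_webhooks(login_session, now)
end

# After: always look up the shop's offline session, and treat a 401 as a
# permanent failure (for example, the app was uninstalled) instead of retrying.
def webhook_job(api, sessions, shop, now)
  session = sessions.find { |s| s.shop == shop && !s.online }
  return :discarded if session.nil?
  api.register_webhooks(session, now)
rescue UnauthorizedError
  :discarded
end

# Constructed sample data.
NOW = Time.at(1_700_000_000)
ONLINE = Session.new("a.example", "online-tok", true, NOW - 60)
OFFLINE = Session.new("a.example", "offline-tok", false, nil)
SESSIONS = [ONLINE, OFFLINE]
```

In a real queue, any error other than the 401 should still propagate so that transient failures are retried.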
