CRITICAL: New "Invalid API key or access token" errors from unchanged code

[flux627]

I create Shopify apps using this module along with a customized version of django-shopify-auth. I have recently discovered that many of my apps (thankfully mostly development apps) which already have an installation work fine, but if I uninstall and re-install (yes, I'm handling session purges with the app/uninstalled webhook) I get authentication errors whenever I try to access any data via the API. Here's an example of the kind of exception I'm getting:

UnauthorizedAccess: Response(
    code = 401,
    body = "{"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"}",
    headers = {
        'x-request-id': '6b95887e-0f3d-417b-b8f4-fc0f6ed1ee03',
        'x-xss-protection': '1; mode=block; report=/xss-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fproducts&source%5Bsection%5D=admin&source%5Buuid%5D=6b95887e-0f3d-417b-b8f4-fc0f6ed1ee03',
        'x-download-options': 'noopen',
        'x-content-type-options': 'nosniff',
        'content-security-policy': "default-src 'self' https://* shopify-pos://*; child-src 'self' https://* blob: data: shopify-pos://*; connect-src 'self' https://* wss://*; font-src 'self' https://* blob: data:; img-src 'self' https://* blob: data:; media-src 'self' https://* blob: data:; object-src 'self' https://* blob: data:; script-src https://cdn.shopify.com https://checkout.shopifycs.com https://js-agent.newrelic.com https://bam.nr-data.net https://dme0ih8comzn4.cloudfront.net https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://stats.g.doubleclick.net https://www.google-analytics.com https://visitors.shopify.com https://v.shopify.com https://widget.intercom.io https://js.intercomcdn.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://* 'unsafe-inline'; report-uri /csp-report?source%5Baction%5D=index&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fproducts&source%5Bsection%5D=admin&source%5Buuid%5D=6b95887e-0f3d-417b-b8f4-fc0f6ed1ee03",
        'transfer-encoding': 'chunked',
        'x-dc': 'ash',
        'connection': 'close',
        'server': 'nginx',
        'x-shopid': '8973152',
        'x-permitted-cross-domain-policies': 'none',
        'date': 'Sat, 25 Feb 2017 18:22:38 GMT',
        'x-shardid': '5',
        'x-frame-options': 'DENY',
        'content-type': 'application/json; charset=utf-8',
        'www-authenticate': 'Basic Realm="Shopify API Authentication"'
    },
    msg="Unauthorized"
)

I've compared the raw request endpoints and header data, and they seem to be correct. As I said before, this is happening from multiple projects, unchanged from a point in time where this problem was not occurring. All signs indicate that there is some backend problem with Shopify, however I wanted to post this here anyway in case this package isn't up to speed on some authentication change that recently occurred, or (as it seems) is being rolled out.

If anyone has any info on this, please share- none of my live apps are currently affected, and I want to keep it that way.

P.S. It's not a scope permissions issue, as I'm testing with shopify.Shop.current(), which works with any scope permissions you have set up.

[jamiemtdwyer]

Please only use this repository for issues related to the python client library.

General API issues should be directed to our developer forums or e-mail apps@shopify.com.

That being said, this is almost always caused by a stale access token (which is in turn due to app uninstallation or credential rotation).

Go through the OAuth handshake again, log the access token received, and ensure that you authenticating using the new access token. If the request still fails with a 4xx with a brand new access token, you should include this information in your support request.

Hope this helps.

[tiepmiyatsu]

@jamiemtdwyer:
Hi jamiemtdwyer, I got same error with @flux627. Even I just only used this shopify_python_api and your flask example
I tried debug and found that the access token is not kept when function main_app(in your code) is run.
When activate_sssion, I can set
shopify.ShopifyResource._threadlocal.headers to {'User-Agent': 'ShopifyPythonAPI/4.0.0 Python/3.6.7', 'X-Shopify-Access-Token': '1df7cd59fcdb6b19a0b3addddb3e5ed6'}.
But, when call shopify.Product.find(), the cls._threadlocal is reset to ShopifyResource._headers (contain only User-Agent field.

I am not sure where is mistake . Can you help me?

[mukeshmovaliya]

Need to required Content-Type=>application/json
{'Content-Type' =>'application/json','X-Shopify-Access-Token' => YOUR TOKEN}

[eternalparquet]

Same problem here:
I've created a controller for the session:

    def __init__(self):
        session = shopify.Session(SHOPIFY_API_SHOP_URL, SHOPIFY_API_VERSION, SHOPIFY_API_TOKEN)
        shopify.ShopifyResource.activate_session(session)
        self.shopify = shopify

    def start_session(self, shop_url, api_version, access_token):
        if not hasattr(ShopifyApi, 'session') or not self.session:
            session = shopify.Session(shop_url, api_version, access_token)
            shopify.ShopifyResource.activate_session(session)

    def close_session(self):
        if hasattr(ShopifyApi, 'session') and self.session:
            shopify.ShopifyResource.clear_session()

    def __del__(self):
        shopify.ShopifyResource.clear_session()

is __del__causing that problem?