Topic
Ryan O (Shopify Employee) | Posts: 233 | Last edited 6 months ago

[ACTION REQUIRED] Apps require Shopify approval to read orders older than 60 days
(This post is outdated)

Shopify is introducing an important change to our Orders API, to help preserve the trust that merchants have when using third-party apps.

As of today (June 6th, 2018), public apps will no longer be able to access a merchant’s orders older than 60 days with the current read_orders or write_orders access scopes.

Going forward, apps that require access to all of a merchant’s orders will first need to be approved by Shopify. Once Shopify approves the request, apps can begin requesting the new read_all_orders scope during OAuth.

Key changes

How to request access to read_all_orders

  1. Partners can request approval to read orders older than 60 days via the partners dashboard.

  2. Once you have been approved by a Shopify admin and notified that your app was granted access, you must then request the new read_all_orders access scope during OAuth. Note that you must use the new read_all_orders scope in conjunction with either the read_orders or write_orders scope.

These changes to the Order API will help assure merchants that their data is safe with your app and with Shopify. By being mindful of what data apps need to access, and making sure merchants are fully aware of what scopes are being granted to their apps, we’ll build a strong and trusting app ecosystem.

To learn more about the read all orders change, check out our blog post here.

If you have any questions or concerns, don’t hesitate to reach out to read-all-orders-request@shopify.com or comment in the thread below.

 

Edit: 10:15am EDT

A large majority of pre-approved apps viewing orders older than 60 days have been migrated to have the new permission automatically. If your app is one of them you will receive an email from the Shopify Apps Team today.

Edit: 10:40am EDT

Private apps are not affected by this change and automatically will have the scope.

The majority of apps that were previously accessing orders older than 60 days have been grandfathered into the new permission. You will still need to add the new scope to your OAuth flow. There will be an email sent out shortly to your registered e-mail if your app is included in this list. You can also check this in the App Setup section of the Partners Dashboard: you'll either see a section to request all orders access or a status message that says "Your app can access the full order history for a store."

Edit: 1:40pm EDT

Hey All, just want to clear up some confusion as we're seeing the same question a few times.

A) Private apps

  • No action required, have been granted the ability to view orders older than 60 days by default

B) Public App that has been approved to view orders older than 60 days (grandfathered)

  • No need to request the ability to see orders older than 60 days from Shopify
  • Have to add `read_all_orders` to their OAuth request in conjunction with either `read_orders` or `write_orders` before July 9th, 2018
  • After July 9th, 2018, will not be able to see orders older than 60 days on a per shop basis unless they have been approved by the merchant with `read_all_orders`

C) Public App that has not been approved

  • Cannot add `read_all_orders` to their OAuth request without prior Shopify approval
  • Cannot view orders older than 60 days as of today, June 6th, 2018
  • If approved now has the same requirements as B)
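For developers working out what their OAuth request and stored scopes must look like after this change, here is an added Ruby example (not Shopify's code and not part of the original post) that validates the scope combination described above, builds the authorize URL with a CSRF `state` nonce, and checks a shop's granted scopes to decide whether it needs to re-authorize. The shop domain, client id and redirect URI are placeholders.

```ruby
require "securerandom"
require "uri"

# Scopes discussed in the announcement. read_all_orders is only meaningful
# when combined with read_orders or write_orders.
ORDER_SCOPES     = %w[read_orders write_orders].freeze
ALL_ORDERS_SCOPE = "read_all_orders"

# Validate the scope list an app is about to put in its OAuth request.
# Returns an array of problems; empty means the request is well-formed.
def scope_request_problems(scopes)
  problems = []
  if scopes.include?(ALL_ORDERS_SCOPE) && (scopes & ORDER_SCOPES).empty?
    problems << "#{ALL_ORDERS_SCOPE} must be requested together with read_orders or write_orders"
  end
  dupes = scopes.group_by(&:itself).select { |_, v| v.size > 1 }.keys
  problems << "duplicate scopes: #{dupes.join(', ')}" unless dupes.empty?
  problems
end

# Build the Shopify OAuth authorize URL for a shop. The shop domain is checked
# against the myshopify.com pattern so a caller cannot be redirected to an
# arbitrary host. The `state` nonce must be stored server-side and compared on
# the callback; it is the CSRF guard for the OAuth flow.
def authorize_url(shop:, client_id:, scopes:, redirect_uri:, state: SecureRandom.hex(16))
  problems = scope_request_problems(scopes)
  raise ArgumentError, problems.join("; ") unless problems.empty?
  raise ArgumentError, "unexpected shop domain" unless shop.match?(/\A[a-z0-9][a-z0-9\-]*\.myshopify\.com\z/)

  query = URI.encode_www_form(
    client_id: client_id,
    scope: scopes.join(","),   # Shopify takes a comma-separated scope list
    redirect_uri: redirect_uri,
    state: state
  )
  ["https://#{shop}/admin/oauth/authorize?#{query}", state]
end

# Given the comma-separated `scope` string returned with an access token (what
# the app has actually been granted for this shop), decide whether the shop
# must go through OAuth again before the app can read the full order history.
def needs_reauth_for_full_history?(granted_scope_string)
  granted    = granted_scope_string.to_s.split(",").map(&:strip)
  has_orders = !(granted & ORDER_SCOPES).empty?
  !(has_orders && granted.include?(ALL_ORDERS_SCOPE))
end

if __FILE__ == $PROGRAM_NAME
  url, state = authorize_url(
    shop: "example-shop.myshopify.com",          # placeholder shop
    client_id: "PLACEHOLDER_CLIENT_ID",          # placeholder API key
    scopes: %w[write_orders read_all_orders],
    redirect_uri: "https://app.example/auth/callback"
  )
  puts url
  puts "store this state for the callback check: #{state}"
  puts "shop on read_orders only needs re-auth: #{needs_reauth_for_full_history?('read_orders')}"
end
```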
Replies
Kasimir (Shopify Partner) | Posts: 396 | Last edited 6 months ago | 1 upvote

How will this prevent Apps from storing their own databases of orders if trust is a key feature in this change?

What would be better is to ask the merchant whether they want to grant it or not, rather than making us go the “big brother” route.

Also well done in keeping us in the loop to make changes or get approved.

"Good design is good business"
Posts: 10 | 6 months ago | 1 upvote

Ryan,

This change breaks my app without any notice.  I will be reaching out to your email as well but a breaking change like this deserves at least a few weeks notice.  Otherwise, how are we expected to make this a smooth transition for Shopify merchants?

Could you undo this change and give some notice? 

Thanks,

Tom

Best Seller Insights: https://apps.shopify.com/best-sellers
Ryan O (Shopify Employee) | Posts: 233 | 6 months ago

What would be better is to ask the merchant whether they want to grant it or not, rather than making us go the “big brother” route.

This is what the requirement to re-OAuth with the new permission is: asking the merchant if they want to grant the app the ability to see older orders.

Posts: 1 | 6 months ago | 1 upvote

This breaks our apps without notice (as Tom points out). How come you couldn't give us at least enough notice to submit our requests for the data? I just filled out the request and it states it could take 7 days to process.

thanks

Justin

Posts: 2 | 6 months ago | 1 upvote

Hey Ryan,

If we have existing authed stores with read_orders scope and have the read_all_orders scope approved on our App do we have to get existing stores to re-authenticate their store with our app to get > 60 day access?

Cheers,

Martin

Posts: 226 | 6 months ago | 1 upvote

For anyone else freaking out about this, and wondering how to check/request access for the full order history, it seems you can do it in your Partner Dashboard by doing the following:

1. Go to Apps
2. Click on your app name
3. Click on "App setup" in the top menu
4. Look for the new "Orders" section (see screenshot)

On my apps, I can see they came pre-approved to access the full order history. However, I'm still unsure if I need to add the new scope to my apps, but will do it just in case!?

Regards,
Bjorn

[Screenshot: App setup page in the Partner Dashboard]
Bjorn Forsberg | FORSBERG+two | Award-winning Shopify Apps since 2011
Ryan O (Shopify Employee) | Posts: 233 | 6 months ago | 2 upvotes

This change breaks my app without any notice.  I will be reaching out to your email as well but a breaking change like this deserves at least a few weeks notice.  Otherwise, how are we expected to make this a smooth transition for Shopify merchants?

Could you undo this change and give some notice? 

This breaks our apps without notice (as Tom points out). How come you couldn't give us at least enough notice to submit our requests for the data? I just filled out the request and it states it could take 7 days to process.

The change was made without notice to prevent bad actors from pre-emptively saving all orders from every shop they are installed on. That being said, a large majority of pre-approved apps viewing orders older than 60 days have been migrated to have the new permission automatically. If your app is one of them you will receive an email from the Shopify Apps Team today.

How will this prevent Apps from storing their own databases of orders if trust is a key feature in this change?

It doesn't.  It is up to each app developer to set their own standards of data privacy.

Posts: 3851 | Last edited 6 months ago | 3 upvotes

Wow. Nice one. Dropping the bomb on us I see. All for the well-being of clients. So I ask for permission. I get it. Now I need all my clients to approve the App again. Supposing they all do that without question, exactly nothing has been accomplished here. Except we get emergency drop everything work. 

Assuming we ignore Shopify directive Crazy999, hashtag #makingthingsupaswegoalongwithnonotice:

WHAT HAPPENS TO APPS THAT TRY AND GO BACK 61 or more days. Does Shopify feed us a 422 or something thus breaking our Apps and killing our chances of keeping happy clients?

PS I love how this is labelled under ECOMMERCE UNIVERSITY instead of a forum labelled LateBreakingNoNonsenseNewsAboutMakeWorkForDevelopers posts. Like it is shrouded in the deeper mysteries of learning and discovering great things instead of SNAFU morsels.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Ryan O (Shopify Employee) | Posts: 233 | 6 months ago | 1 upvote

If we have existing authed stores with read_orders scope and have the read_all_orders scope approved on our App do we have to get existing stores to re-authenticate their store with our app to get > 60 day access?

Yes, you will have to re-OAuth, this is the merchant agreeing to allow your app access to orders > 60 days.

On my apps, I can see they came pre-approved to access the full order history. However, I'm still unsure if I need to add the new scope to my apps, but will do it just in case!?

You will still need to add the new scope to your app's OAuth flow.

Posts: 226 | 6 months ago | 1 upvote

Thanks Ryan, makes sense :)

Bjorn Forsberg | FORSBERG+two | Award-winning Shopify Apps since 2011
Harold (Shopify Partner, gaze.bo) | Posts: 32 | 6 months ago

How does this change affect private apps? Do we also need to request Shopify for permission or can a merchant activate the new scope right away?

Posts: 3851 | 6 months ago | 1 upvote

I see nothing about asking for approval in my partner dashboard. Can you be more specific about this. Since it is a change needed today, and since I modified my App to read_all_orders am I now subject to waiting for a miracle, or have you pre-blessed this exercise?

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Luke Reeves (Shopify Employee) | Posts: 14 | Last edited 6 months ago

How does this change affect private apps? Do we also need to request Shopify for permission or can a merchant activate the new scope right away?

Private apps are not affected by this change and automatically will have the scope.

Luke Reeves (Shopify Employee) | Posts: 14 | 6 months ago

Hey HunkyBill, in the App Setup section of the Partners Dashboard you'll either see a section to request all orders access or a status message that says "Your app can access the full order history for a store."

Posts: 3851 | Last edited 6 months ago | 2 upvotes

So I have been blessed, pushed the scope change adding to my permission list request for read_all_orders, so I have nothing left to do but hope all merchants faced with seeing this scope change react positively to it, and do not uninstall in a panic of "whoa this is crazy stuff"... 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts: 71 | 6 months ago | 2 upvotes

Hey all,

From my testing, for apps that are pre-approved to have the read_all_orders permission, the Shopify update-permission prompt did not show up when an existing merchant accessed the app. The app is still able to access orders past 60 days :).

You still need to add read_all_orders in your OAuth flow for new stores that signup from now on.

SimplyCost - Add costs and track profit (https://apps.shopify.com/simplycost)
Luke Reeves (Shopify Employee) | Posts: 14 | Last edited 6 months ago

That's correct. Also to clarify the endpoint behaviour - any calls without both scopes present will all still work for listing orders and what not, but the data outside of what the app has access to won't appear (there won't be any 422 errors for example). If a single order is requested outside of the range a 404 will be returned as usual.

Currently we are ignoring the absence of the oauth scope to give merchants a chance to accept the new permission.

Posts: 226 | 6 months ago | 1 upvote

👆 What they (Zapfor Solutions) said! Can also confirm this is the same in my apps 🤗

Bjorn Forsberg | FORSBERG+two | Award-winning Shopify Apps since 2011
Posts: 3851 | 6 months ago | 3 upvotes

Grammartarian at work here. Hi!

Using words like "will have scope" implies this change is not yet production, and in the future. This post started with the implication of TODAY, not the future. Please choose your words carefully. It is confusing. Are we or are we not here and now? 

Also, saying a 404 will be returned as usual for an order out of range is conflicting with what 404 means, and not really usual. If I return the phrase to a client, "404 - Not Found" they will scoff at my lack of understanding since to them, the order they asked for certainly exists. I see that ice cream cone dad, but you're telling me you cannot find it? Boy, you're dumber than you look! 

All in all, seems like it is easy when it works, but there is room for head-banging here.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Luke Reeves (Shopify Employee) | Posts: 14 | 6 months ago

Both good points! When I said private apps will have the scope I meant that newly created private apps will have the scope automatically, and existing apps do have the scope.

I also agree that with APIs generally you would reply with a result explaining that access is forbidden, however from a security perspective in the design we erred on the side of caution to not expose the orders that do exist via a 422 instead of a 404 - it's similar to a website saying "Your username or password is invalid" as opposed to "Your password is invalid".
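To make the endpoint behaviour and the 404-over-403 reasoning in this thread concrete, here is an added Ruby model (not Shopify's implementation, and not posted by anyone in the thread) of a 60-day visibility window with the two single-order response policies side by side, plus the client-side check an app can make instead of reading meaning into an empty list. The sample orders, ids and timestamps are constructed.

```ruby
require "time"

# Constructed sample data: the announcement day as "now", and four orders
# with ids and created_at values chosen to land on both sides of the window.
NOW = Time.utc(2018, 6, 6, 12, 0, 0)
SAMPLE_ORDERS = [
  { id: 1001, created_at: Time.utc(2018, 1, 15) },  # well outside 60 days
  { id: 1002, created_at: Time.utc(2018, 4, 1) },   # just outside 60 days
  { id: 1003, created_at: Time.utc(2018, 5, 20) },  # inside the window
  { id: 1004, created_at: Time.utc(2018, 6, 5) }    # inside the window
].freeze
WINDOW = 60 * 24 * 60 * 60  # 60 days in seconds

# Orders a given scope set may see. read_all_orders lifts the window only when
# paired with read_orders or write_orders, as the announcement states.
def visible_orders(orders, scopes, now: NOW)
  return [] if (scopes & %w[read_orders write_orders]).empty?
  return orders if scopes.include?("read_all_orders")
  orders.select { |o| now - o[:created_at] <= WINDOW }
end

# Model of the list endpoint behaviour described above: out-of-window orders
# are silently filtered, the call itself succeeds, and an empty page carries no
# hint of why it is empty.
def list_orders(orders, scopes, created_at_min: nil, created_at_max: nil, now: NOW)
  result = visible_orders(orders, scopes, now: now)
  result = result.select { |o| o[:created_at] >= created_at_min } if created_at_min
  result = result.select { |o| o[:created_at] <= created_at_max } if created_at_max
  [200, result]
end

# Model of the single-order endpoint. :hide_existence returns 404 for both an
# unknown id and an out-of-window id (the behaviour Luke Reeves describes);
# :explicit_denial returns 403 for out-of-window, which tells the caller that
# an order with that id exists even though it may not be read.
def get_order(orders, scopes, id, policy: :hide_existence, now: NOW)
  order = orders.find { |o| o[:id] == id }
  return [404, nil] if order.nil?
  return [200, order] if visible_orders(orders, scopes, now: now).include?(order)
  policy == :explicit_denial ? [403, nil] : [404, nil]
end

# What a caller limited to the 60-day window learns from status codes alone:
# a map of probed id => status. Under :hide_existence a real old order and a
# made-up id are indistinguishable; under :explicit_denial they are not.
def existence_oracle(orders, scopes, probe_ids, policy:, now: NOW)
  probe_ids.map { |id| [id, get_order(orders, scopes, id, policy: policy, now: now)[0]] }.to_h
end

# Client-side caveat: with read_orders alone, an empty page for a date range
# that predates the window is expected, not evidence that the shop has no
# orders there. Apps should consult their granted scopes, not the result size.
def query_may_be_truncated?(scopes, created_at_min, now: NOW)
  full_history = scopes.include?("read_all_orders") && !(scopes & %w[read_orders write_orders]).empty?
  return false if full_history
  !created_at_min.nil? && created_at_min < now - WINDOW
end
```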

Posts: 10 | 6 months ago | 4 upvotes

The way this announcement was posted was a "stop what you are doing and fix your broken app now" message.  This is thankfully looking like it is not the case.  I agree with HunkyBill that more caution in phrasing would be appreciated.  I've spent my morning trying to plan an emergency upgrade to my app as a result.

I think you should reconsider returning a 404 for orders that fall outside the range. Since Shopify has a global order id, anyone can guess valid order ids so I don't think this is the same as the email security case you mentioned. I think a 403 unauthorized would be better. When I see a 404 from Shopify apis that usually means something was deleted but that is not accurate here.

Best Seller Insights: https://apps.shopify.com/best-sellers
Posts: 21 | 6 months ago | 2 upvotes

This is very bad form from Shopify.

But since it's already done, I guess it's time to put out the fires.

Two points I'd like clarity on.

1. Once we have approval from Shopify to access all orders, do we now need to go back to all previous customers to ask them to re-oauth with the new scope? A clear Yes or No here is needed because I'm reading conflicting answers by Shopify employees.

2. It's not clear in the posts above or in the API docs about what the 60 day limit is based on. Is it since the order was created? What about if an order is updated on the 65th day? What about imported historic orders? This is especially problematic since previous orders are getting hidden with a 404 ("data outside of what the app has access to won't appear").

Eric Davis | Little Stream Software | Shopify apps to increase your repeat customers | http://www.littlestreamsoftware.com/apps/
JoshHighland (Shopify Expert, venntov.com) | Posts: 52 | Last edited 6 months ago

I agree. Can we please get some clear-cut answers on this.

My app has been granted full read access. Do I need to re-auth for existing merchants, or just add the scope for new merchants?

Posts: 226 | Last edited 6 months ago | 3 upvotes

I'm also struggling to understand the difference with the 2 dates in the "Timeline" section of the email just sent out. The text is exactly the same for both dates. Can you please clarify?

June 6th, 2018: Public apps no longer able to access a merchant's orders older than 60 days without Shopify approval and new read_all_orders OAuth scope.

July 9th, 2018: Public apps no longer able to access a merchant's orders older than 60 days without Shopify approval and new read_all_orders OAuth scope.

Bjorn Forsberg | FORSBERG+two | Award-winning Shopify Apps since 2011
Posts: 13 | 6 months ago | 1 upvote

If relationships are built on trust, I'm sorry, but you've certainly diminished my trust in the platform. I can only imagine what other changes are in the pipeline that will be dropped on partners without warning. A change like this may be a minor nuisance for larger partners, but for smaller ones, with limited capacity, who've perhaps found a niche in the ecosystem and feel like they can compete and provide a valuable service, extra work forced upon them can really hurt, and can literally shut down a valuable service.

For all that Shopify talks about supporting and fostering their partner ecosystem, the fact that you sprung this change on all of us to "catch bad actors", and at the cost of forcing immediate changes on honest partners, makes it abundantly clear that Shopify _doesn't_ know their partners well at all. This will only serve to create a more contentious relationship in the future between Shopify and partners.

Happy to chat about all things ecomm, startups, tech. dylan@lightninginabot.com
Posts: 3851 | 6 months ago | 1 upvote

I've taken my fair share of abuse for my choice of words when I write, fair enough, and I have worked hard at developing and improving those skills. I never speak on behalf of a corporation, but instead prefer to face the music myself. A corporation with shareholders, cash in the bank, and most of all a large and established community needs to ensure communications are timely, clear, precise, concise and most of all, of utility.

It is clearly still a struggle @Shopify to fulfill that mandate, as today proves. 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts: 18 | Last edited 6 months ago

This is a mess :/. I say revert, let everyone do their thing and then apply this change.

This is almost like when you rolled out the partner changes without getting the community's opinion first.

Shopify Expert UK - Benline.co.uk
Ryan O (Shopify Employee) | Posts: 233 | Last edited 6 months ago | 1 upvote

Hey All, just want to clear up some confusion as we're seeing the same question a few times.

A) Private apps

  • No action required, have been granted the ability to view orders older than 60 days by default

B) Public App that has been approved to view orders older than 60 days (grandfathered)

  • No need to request the ability to see orders older than 60 days from Shopify
  • Have to add `read_all_orders` to their OAuth request in conjunction with either `read_orders` or `write_orders` before July 9th, 2018
  • After July 9th, 2018, will not be able to see orders older than 60 days on a per shop basis unless they have been approved by the merchant with `read_all_orders`

C) Public App that has not been approved

  • Cannot add `read_all_orders` to their OAuth request without prior Shopify approval
  • Cannot view orders older than 60 days as of today, June 6th, 2018
  • If approved now, has the same requirements as B)

For other questions see below

I'm also struggling to understand the difference with the 2 dates in the "Timeline" section of the email just sent out. The text is exactly the same for both dates. Can you please clarify?

The e-mail accidentally repeated the same section, I'll see if the team can send out an updated version. The sections should read:

June 6th, 2018: Approved public apps still have access to all order history. However, developers should update their apps to include the read_all_orders OAuth scope.

July 9th, 2018: Deadline for approved public apps to add the new read_all_orders OAuth scope. Note that you must use the read_all_orders scope in conjunction with one of read_orders or write_orders scope. If OAuth scope is not added by this date, Shopify approval will be revoked and order access will be limited to 60 days.

 

The way this announcement was posted was a "stop what you are doing and fix your broken app now" message.

Hopefully the above clarifications help identify what steps you need to take as a developer.

at the cost of forcing immediate changes on honest partners

Apps that were previously viewing orders older than 60 days have been grandfathered, and will not be enforced until July 9th, 2018.  See above for details.

Posts: 122 | Last edited 6 months ago

Hello Ryan,

The majority of apps that were previously accessing orders older than 60 days have been grandfathered into the new permission

Could you shed some light on the criteria for the approval?

We have one app that has not been approved and it's probably the most successful of our apps; it's been in the Shopify App Store for years, it has many Shopify Plus installations and hundreds of reviews, all of them positive.

Unfortunately, new customers are already experiencing the consequences of not having access to the order history and we cannot give them a good explanation for it because if we tell them that the app has not been approved they might think it is not trustworthy.

Ryan O (Shopify Employee) | Posts: 233 | 6 months ago

Could you shed some light on the criteria for the approval?

I'll see if the team has some info to share on this.  In the meantime I would recommend you complete the process to request access ASAP as I believe the team is reviewing the requests received today before EOD.

Posts: 122 | 6 months ago

Hi Ryan,

thanks for your fast response.

I would recommend you complete the process to request access ASAP

Yes, of course, we did that immediately when this post was published a few hours ago.

 

JoshHighland (Shopify Expert, venntov.com) | Posts: 52 | 6 months ago | 2 upvotes

Sorry, I’m still confused. My app was grandfathered, but the instructions are not clear to me. 

If I’m reading this correctly, by the 9th I need to re-auth ALL of my merchants with the new “read_all_orders”, and they need to approve the new request by the 9th, or my app loses the ability to read orders older than 60 days.

Am I correct? 

Luke Reeves (Shopify Employee) | Posts: 14 | 6 months ago | 1 upvote

Hey Josh, if you have incorporated the new OAuth scope into your application and have installs or re-authorizations detected then we will be backfilling that scope for the remaining installs on the 9th of July. To make this a bit easier if you trigger the OAuth flow, such as when a user clicks into your app, and the only new scope is `read_all_orders` then we will skip the installation screen (until July 9th) and add the new scope automatically.

JoshHighland (Shopify Expert, venntov.com) | Posts: 52 | Last edited 6 months ago

Sweet. Thank you for the explanation. The back fill makes it MUCH easier.

I've already rolled out the new scope and have some installs with it.

Posts: 3851 | 6 months ago | 1 upvote

I am curious as to the state of write_orders. Assuming I get access to the whole block of ten years of orders for my clients, can I read one from early 2017 and make a quick notation change to one of the writable fields? 

Does read_all_orders imply that with the write_orders scope, if you can read it, you can write it too? I assume you have not tinkered with the resources directly connected to an order as well. So if I read an order 61 days or older and choose to make a fulfillment on it, or otherwise work it, I can safely continue to do so. No other wiring is affected?

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts: 618 | 6 months ago | 3 upvotes

It's hard to believe what I'm reading!

It seems to me the right way to roll this out would have been to at least inform pre-approved apps in advance, and I guess roll out the change to dev stores only first.

We just did an emergency update but this is tough for small teams and solo developers. What if one was on vacation?!!

The change is so sudden and so confusing.

So I have to tell all merchants that installed the app today to login and update the app again?
It's not a good look for a brand new customer!

Many of us have apps that can be set up on auto pilot and the merchants may rarely need to actually log into the app.
Now we have to bother them? (Again, just like we had to for multi-inventory to request inventory scopes even though we could already read the inventory.)

Hey Josh, if you have incorporated the new OAuth scope into your application and have installs or re-authorizations detected then we will be backfilling that scope for the remaining installs on the 9th of July. To make this a bit easier if you trigger the OAuth flow, such as when a user clicks into your app, and the only new scope is `read_all_orders` then we will skip the installation screen (until July 9th) and add the new scope automatically.

After dozens of 'clarifications' this is still ambiguous. I don't understand this sentence; can you please clarify? In what sense will it be 'easier'?

We have a public app that is approved.

If I understand, for existing customers, if the only additional scope that we request is read_all_orders, then the installation screen will be skipped. But do we even need to do this at all? Please clarify. That would mean we still need all our customers to open the app, and as I said, some apps are set up on auto-pilot (e.g. automatically send emails).

An actual grandfathering would have automatically granted read_all_orders to all existing installations that already have read_orders, and not just for a month. If I understand things correctly (it's confusing), the grandfathering is actually just till July 9th, unless an action is taken by the merchant.

Basically it's a repeat of the same confusion with the inventory scopes and read_products vs read_inventory....

I should say I'm in favour of this change, but I wish the roll out would be truly transparent to merchants..

Posts: 618 | 6 months ago | 1 upvote

Also, if the merchant updates an order that is 61 days old, will the webhook fire only for apps with read_all_orders?

Posts: 3851 | 6 months ago | 1 upvote

Oh hey Shopify! 

Thanks for the changes. I just wasted a couple of hours and wrote some stupid letters because I was developing some LOCALHOST code using the API and my development store, and some nifty code for some ShopifyPlus customers. I forgot that my development store has been MANGLED by your dictum of today. So when I was testing out my financial reporting code, using all the orders from January, here is what happened.

ShopifyAPI::Order.count (the count endpoint) worked and told me I had 29 January orders.

ShopifyAPI::Order.all with the params for January returned NadaDenada.

For that here are my Take Aways.

#1. Nothing personal, but this SUCKS. My time I will never get back. The count should've been zero then maybe I might've clued in faster. 

#2. My development store being MANGLED is what really bugs me. Some punk made my shop obey these rules as if it belongs to a paying merchant when in fact I can GUARANTEE you this shop is older in years of service than 95% of Shopify Employees years of service, AND it is COMPED shop, no why cut its nuts off. SO YA, This sucks.

Enough ranting... I will find a way to make up this time on the Shopify DIME... no trouble with that... thanks for nothing!!

 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts: 618 | 6 months ago

Most merchants don't really understand what updating an app means.

We want to show them a message prior to sending them to the approval screen, but now we have to consider that depending on the additional scopes being requested (read_all_orders only or more) and when (before / after the dead line), the approval screen may or may not be displayed, which is so confusing.

It's just really hard to design and implement a good experience for the merchant that is not confusing and doesn't bother them if they don't need to be.

Posts: 618 | 6 months ago | 1 upvote

Wait you're saying that /orders/count.json always includes all orders even if they are not granted?

JoshHighland (Shopify Expert, venntov.com) | Posts: 52 | 6 months ago | 1 upvote

If that’s the case it’s going to be very confusing for apps to calculate things

Posts: 71 | 6 months ago | 1 upvote

Hey @Luke Reeves,

if you have incorporated the new OAuth scope into your application and have installs or re-authorizations detected then we will be backfilling that scope for the remaining installs on the 9th of July. To make this a bit easier if you trigger the OAuth flow, such as when a user clicks into your app, and the only new scope is `read_all_orders` then we will skip the installation screen (until July 9th) and add the new scope automatically.

My app is pre-approved and I have already incorporated read_all_orders scope into the OAuth process.

Correct me if I am wrong: if at least one new store installs and OAuths with the read_all_orders scope, then on 9 July Shopify will automatically grant the read_all_orders scope to all existing stores that already installed my app, even though these existing stores never re-authenticated with the new scope?

In other words, there is no need to notify every store that they need to access the app to approve the new scope, as long as one store installs (or re-authenticates) with the read_all_orders scope. Am I correct?

SimplyCost - Add costs and track profit (https://apps.shopify.com/simplycost)
JoshHighland (Shopify Expert, venntov.com) | Posts: 52 | 6 months ago

That’s how I understand it.

Maris (Shopify Partner, excelify.io) | Posts: 277 | 6 months ago | 1 upvote

After putting in this scope change, Shopify Plus users who don't have access rights in their store to install/reinstall apps are getting the OAuth error that says they don't have access rights to reinstall the app, and cannot access the app anymore.

This is quite damaging to our reputation, as they think that the app is just broken.

Other app developers - be careful with that.

Shopify, what is your suggestion - how to solve this in a decent manner?

Thanks!

Maris
Excelify.io

Excelify.io | Bulk Import Export Update with Excel | https://apps.shopify.com/excel-export-import | https://excelify.io
Harold (Shopify Partner, gaze.bo) | Posts: 32 | Last edited 6 months ago

The most logical thing to do would be state exactly that in the message.

And maybe add a list of the users who have full access (or access to apps) so the current user knows who to contact and doesn't blame the app.

Maris (Shopify Partner, excelify.io) | Posts: 277 | 6 months ago | 1 upvote

Exactly.

But the thing is that they don't know about that change, and they shouldn't - right?

They just see the OAuth error and assume that something is broken. Rarely does anyone read the text on such error pages and draw deep analytical conclusions about what they must do.

And even if they do read it, for a regular limited-access user this says nothing besides "App doesn't work!".

Should the right solution be to spam all the app users with an e-mail telling them that they need to open the app with users who have full permissions?

My suggestion would be to improve that error message and tell it there in a way that a normal person can understand - not only what is wrong, but what they need to do to solve it. At least.

We solved the issue with this particular client by having their manager give them full access to apps, which was very unexpected for them.

Overall, the end-user experience of this change needs to be thought through for those scenarios, too.

Although, I appreciate care for improving the security of the platform - I really do.

Excelify.io | Bulk Import Export Update with Excel | https://apps.shopify.com/excel-export-import | https://excelify.io
Harold (Shopify Partner, gaze.bo) | Posts: 32 | 6 months ago | 1 upvote

Getting users to open the app to get new scopes is annoying, even if they have full access. For the new inventory API I switched one of my apps to the new scopes a few hours after Shopify enabled them, and a number of customers logged in in the meanwhile, so the new scopes were overwritten by the old scopes for about 10 stores. Most of them thought my emails were some kind of phishing and didn't actually log into the app until I called them. Took me the better part of 2 days to get this fixed.

Not a very ideal situation and not sure if there is a real solution for it. Maybe it would help if apps can eventually send messages to users through the new Ping app or if apps can add notices to the overview page of a stores admin section.

Maris Shopify Partner excelify.io
Posts:
277
6 months ago
1 upvote

+1 from me to @Harold's suggestion.

Love your idea!

Excelify.io | Bulk Import Export Update with Excel | https://apps.shopify.com/excel-export-import | https://excelify.io
Posts:
3851
6 months ago
1 upvote

Here is another example of annoying. I build Apps. Lots of Apps. I have thousands of customers using these Apps. Thing is, a lot of my Apps are PRIVATE between the merchant and Shopify. In that sense, no one at Shopify could possibly GRANDFATHER these and so it is now up to me to cherry-pick them, and fix them. 

And hey, I have an API key pair for LOCALHOST and PRODUCTION, meaning two Apps for one. And hey, multiply that by 10, 20, or more Apps, and now I have to change them all for scope, NOW, and then sit around and bit twiddle waiting for Shopify to review EVERY SINGLE REQUEST so that THEIR clients (and mine) can continue using Shopify as per the usual.

SO YA. THANKS FOR THE FUN... now how about reviewing this system in place. It makes it so annoying to work with this platform in this sense. 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts:
3851
6 months ago
1 upvote

Reality:

App in development, in development store. Has ~ 200 orders, from 2013 to now.

It deals with Orders. All or some of them. Latest was booked in late April. 

I cannot test any of my code as the App has no read_all_orders scope. I ask Shopify. Told to wait 7 days. Yay.

Thing is, asking for these orders does not obviously generate anything other than a response of ZERO orders. No indication of a problem. No 404. No nothing. It is as if I asked a stupid question of the API. 

For that, I decry this whole debacle a half-thought-out waste of time. The good thing is, everyone is learning on the job, and a rising tide floats all boats, so Shopify is gaining useful experience in how not to do things while at the same time doing things deemed important. Management huffs and puffs, but ultimately declares a win.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts:
3851
6 months ago
1 upvote

To those who scoff and say pffft, just use Developer Tools and auto-generate new orders so as to at least test with recent data. newer than the 60 day old limit... they be borked too... sigh...

[attached image: Shopify]
Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts:
122
Last edited 6 months ago

Zapfor Solutions wrote:

Hey @Luke Reeves,

if you have incorporated the new OAuth scope into your application and have installs or re-authorizations detected then we will be backfilling that scope for the remaining installs on the 9th of July.
...

...

Correct me if I am wrong: if at least one new store installs and authorizes via OAuth with the read_all_orders scope, then on 9 July Shopify will automatically grant the read_all_orders scope to all existing stores that already installed my app, even though these existing stores never re-authenticated with the new scope?

It would be very good if someone from Shopify could confirm or deny that point, because I see a big leap between Luke's assertion and Zapfor Solutions' conclusion.

Thanks in advance.

Luke Reeves Shopify Employee
Posts:
14
6 months ago

My app is pre-approved and I have already incorporated read_all_orders scope into the OAuth process.

Correct me if I am wrong: if at least one new store installs and authorizes via OAuth with the read_all_orders scope, then on 9 July Shopify will automatically grant the read_all_orders scope to all existing stores that already installed my app, even though these existing stores never re-authenticated with the new scope?

In other words, there is no need to notify every store that they need to access the app to approve the new scope, as long as one store installs (or re-authenticates) with the read_all_orders scope. Am I correct?

That is correct, we use that as an indicator that you've successfully added the new OAuth scope to your application and then will be backfilling existing installs.

Luke Reeves Shopify Employee
Posts:
14
6 months ago

Getting users to open the app to get new scopes is annoying, even if they have full access. For the new inventory API, I switched one of my apps to the new scopes a few hours after Shopify enabled them, and a number of customers logged in in the meanwhile, so the new scopes were overwritten by the old scopes for about 10 stores. Most of them thought my emails were some kind of phishing and didn't actually log into the app until I called them. Took me the better part of 2 days to get this fixed.

Hi Harold, as stated above you do not have to explicitly ask merchants right now to reauthenticate - adding the scope to your OAuth flow will be enough so that we can then later backfill the missing scope.

Not a very ideal situation, and not sure if there is a real solution for it. Maybe it would help if apps could eventually send messages to users through the new Ping app, or if apps could add notices to the overview page of a store's admin section.

Those are great suggestions that we'll look into!

Luke Reeves Shopify Employee
Posts:
14
6 months ago

Here is another example of annoying. I build Apps. Lots of Apps. I have thousands of customers using these Apps. Thing is, a lot of my Apps are PRIVATE between the merchant and Shopify. In that sense, no one at Shopify could possibly GRANDFATHER these and so it is now up to me to cherry-pick them, and fix them. 

And hey, I have an API key pair for LOCALHOST and PRODUCTION, meaning two Apps for one. And hey, multiply that by 10, 20, or more Apps, and now I have to change them all for scope, NOW, and then sit around and bit twiddle waiting for Shopify to review EVERY SINGLE REQUEST so that THEIR clients (and mine) can continue using Shopify as per the usual.

Hey Bill, all apps that are private have access to all historical orders. Development/staging apps are harder to detect programmatically, but have always been approved for this scope when asked for (assuming the app is used for development purposes, of course!). We have been fairly prompt responding to access requests so far, and I encourage you to submit ones for any apps that have been missed.

Luke Reeves Shopify Employee
Posts:
14
6 months ago

If would be very good if someone from Shopify could confirm or deny that point because I see a big leap between Luke's assertion and Zapfor Solutions' conclusion.

Hey CBB, Zapfor Solutions' explanation is correct. We need to know that the applications are being maintained and will properly handle the new scope after that cutover, so once we see installs you'll be good to go. Depending on the size of the shop we may look for more than 1 install, but this is really just a verification step to ensure the merchants don't experience problems if you've received full access but don't ask for the scope.

Luke Reeves Shopify Employee
Posts:
14
6 months ago

To those who scoff and say pffft, just use Developer Tools and auto-generate new orders so as to at least test with recent data. newer than the 60 day old limit... they be borked too... sigh...

Sorry Bill, I've raised the issue with that team!

Posts:
3851
6 months ago

When you make a private App keypair, you do not get App level support. No webhooks, no proxy etc. So why would I use private App keys other than to gain some CLI access? What am I missing here... you expect to write all my EASDK Apps with private App keys? 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts:
3851
6 months ago

So someone at Shopify gave my development App approval (Cheers thanks!) and I just received ~ 200 emails informing me of each and every order ever placed in the store. 

So if GDPR is all about not spamming and not mucking with data, this bug is pretty much in the scope or sights of a mighty hunter looking for justice in frontierland with a bazooka. 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Posts:
3851
Last edited 6 months ago

Currently Shopify has just sent me ~400 emails alerting me to orders... can I expect 400 more? Do we hear 4000!!! Hear ye! Hear ye! You have a bot right the heck out of control... kill it please. 

[attached image: Toomanyemails]
Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Ryan O Shopify Employee
Posts:
233
6 months ago

Currently Shopify has just sent me ~400 emails alerting me to orders... can I expect 400 more? Do we hear 4000!!! Hear ye! Hear ye! You have a bot right the heck out of control... kill it please. 
 

Glad to see you solved this.  Update for others, this problem was not related to this change.

Posts:
3851
6 months ago
1 upvote

Yup. Was a broken Developer Tools script that suddenly came to life!

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Harold Shopify Partner gaze.bo
Posts:
32
6 months ago

Hi Harold, as stated above you do not have to explicitly ask merchants right now to reauthenticate - adding the scope to your OAuth flow will be enough so that we can then later backfill the missing scope.

I understand that that is the case with this scope change, but I was explaining that the scope change for the new inventory API happened in a way that I did have to ask some of the merchants to reauthenticate if I wanted to use the API right away. Not something for this topic, but please send me an email if you want details on that, as that whole process was very, very frustrating. :)

Luke Reeves Shopify Employee
Posts:
14
6 months ago

Yup. Was a broken Developer Tools script that suddenly came to life!

Just came to post that it was back up. The team also recommends that (if you're on a Mac) you try out the downloadable developer tools from the same page. There's also an issue there for Windows support requests if that's your current platform.

Posts:
5
6 months ago
1 upvote

No questions or answers here, just chiming in that I'm a Shopify Expert / Partner / app developer & think this has been very poorly executed. My team will stay up late doing urgent extra work and probably lose a customer or two, and that all seems to be factored into Shopify's planning here. Good vibes aren't exactly flowing right now.

Posts:
618
6 months ago

Not sure why some questions get answered and others don't, but if I understand the latest clarifications correctly, this is nowhere near as bad as I thought since merchants don't need to re-authenticate.

Maris, what happened to you really sucks, but I struggle to understand. How can users that don't have access to apps even open your app in the first place? Is it because you are not using the EASDK (external app)?

Posts:
618
6 months ago
1 upvote

Can we get some clarifications about exactly who can and cannot accept new scopes? To avoid issues like Maris described?

The docs are pretty light (see image attached). Assuming the app is embedded, is it possible for someone to be authorized to open the app but to receive an error if asked to accept new scopes?

If so, how are we supposed to detect whether the current user will be able to accept the new scopes or not?

[attached image: Capture]
Posts:
618
Last edited 6 months ago

The fiasco continues.

Thank you Maris for bringing this issue to our attention.

After doing some additional testing, it turns out that even if you only request the additional scope read_all_orders, this can fail for limited users with:

Oauth error invalid_request: This app is requesting to be reinstalled and your account does not have permission to grant the requested access. You may be able to resolve this issue by reinstalling the app as the account owner

No wonder we had a few uninstalls already. We are now reverting our fix until further guidance is given here. Please?

Posts:
618
6 months ago

The installation screen notice is quite scary and the following message shows in yellow, like a warning.

Shouldn't it be green, since the message is saying the app was checked?

Shopify has reviewed <app_name> and verified that it needs access to all past and future orders to provide value to you. 

Maris Shopify Partner excelify.io
Posts:
277
6 months ago

Hi, Clement!

Maris, what happened to you really sucks, but I struggle to understand. How can users that don't have access to apps even open your app in the first place? Is it because you are not using the EASDK (external app)?

Shopify Plus has more detailed access rights - you can set the permission to either allow to "Install the app" or "Use the app". Typically users have access only to use the app, which raises that OAuth error when the app needs to be auto-self-reinstalled - in this case of scope changes.

Actually, the Shopify Tech team is very supportive in this case - they are solving it now by populating those scope changes to all the stores, so that those existing stores don't have to auto-reinstall the app when they next open the app.

So thanks to Shopify Tech team. Really appreciate that you are doing this. I assume this will be done for all the apps, so the Plus users will not have that OAuth error.

Maris

Excelify.io | Bulk Import Export Update with Excel | https://apps.shopify.com/excel-export-import | https://excelify.io
Posts:
618
6 months ago

Thanks Maris for the clarification.

But I was able to replicate the issue on a dev store by creating a user that has access to apps but doesn't have full access.

 

Actually, the Shopify Tech team is very supportive in this case - they are solving it now by populating those scope changes to all the stores, so that those existing stores don't have to auto-reinstall the app when they next open the app.

I'm so confused, is this yet another change? 

Maris Shopify Partner excelify.io
Posts:
277
6 months ago

Oh, wow - then that means that not only Plus users are affected but also regular stores.

That actually makes sense because, in order to install the app, you need to have a Full Access.

I'm so confused, is this yet another change?

I understood that it's a change in the Shopify Platform database as to which stores need to reinstall the app because of scope changes. As I understand it, they are setting the permissions as if they were already approved by those stores where the app is already installed, so that users don't have to have that Full Access permission.

Excelify.io | Bulk Import Export Update with Excel | https://apps.shopify.com/excel-export-import | https://excelify.io
Posts:
226
Last edited 6 months ago
3 upvotes

Hey Apps Team,

I'm sure your team wasn't given enough time on this urgent change to be able to A/B test the new auth flow to see the conversion rate impact that this update causes, so I'm kindly asking for you to re-consider using the "warning" state on the permission screen banner.

If we look at the Polaris documentation on banners (https://polaris.shopify.com/components/feedback-indicators/banner) and select a Warning banner, we see: "Seeing these banners can be stressful for merchants so be cautious about using them."

Stress is the last feeling we want merchants to have about our apps during installation, and will affect conversions negatively. Even if it's just 2 out of 10 that get stressed, that's a 20% reduction in conversions.

Side note: The top of the banner could use a bit of margin ;)

As the majority of apps have done nothing wrong, it seems unfair that we are the ones being punished by this change. My apps have all been pre-approved and deemed trustworthy to use the full order history, so I please ask you to use an "Informational" banner instead. It's still very noticeable, just without the stress factor.

Please keep in mind we base our livelihoods on these apps and on giving customers a great experience, while also doing everything we can to protect a merchant's data. Seemingly small changes like this have great impact on our businesses (which also explains the reason for such passionate posts in this forum).

Either way, I hope your week ends less stressed than it started.. have a great Friday!

Many thanks,

Bjorn

 

Ps. Just for fun (it is Friday after all), I added a similar warning to the Shopify signup page for a little context on what is happening here:

Bjorn Forsberg | FORSBERG+two | Award-winning Shopify Apps since 2011
Luke Reeves Shopify Employee
Posts:
14
6 months ago
2 upvotes

Hey Bjorn, we are making a change to the callout shortly to use a more neutral colour.

JoshHighland Shopify Expert venntov.com
Posts:
52
6 months ago

Luke - Thank you for being responsive on this.

Bjorn - Good catch on this!

Harold Shopify Partner gaze.bo
Posts:
32
6 months ago

Hi Harold, as stated above you do not have to explicitly ask merchants right now to reauthenticate - adding the scope to your OAuth flow will be enough so that we can then later backfill the missing scope.

Hi Luke,

I've run some tests, and as far as I can see the information shared above is not correct in all conditions, and it all has to do with timing.

- Shopify added the new scope, grandfathered to some apps; the stores that have that app installed got that new scope automatically.

- But if the merchant reauthenticated the app before the app developer added the new scope to the auth flow of the app, the scopes the merchant has access to are overwritten by the reauthentication, and therefore the merchant must reauthenticate after the app developer has added the new scope.

I understand that you will backfill the scopes at a later date, but if you want to use the new scopes now it doesn't work until the merchant has reauthenticated with the correct scopes.

Harold

Posts:
27
6 months ago
1 upvote

Hi guys,

I am also seeing the same error as Maris and Clement.

Oauth error invalid_request: This app is requesting to be reinstalled and your account does not have permission to grant the requested access. You may be able to resolve this issue by reinstalling the app as the account owner

Thankfully I caught this early and rolled back the release :-/

I 100% understand the need for Shopify to pro-actively make changes in the spirit of protecting their customers but I feel like this could have been handled in a much better manner :(

Steve Conroy. CEO. Shopify Booster Apps (https://apps.shopify.com/partners/booster-apps)
Luke Reeves Shopify Employee
Posts:
14
6 months ago

If you run into any issues like this with the limited users then please reach out to our support address at read-all-orders-request@shopify.com and we will work with you to correct it.

Posts:
226
6 months ago

Fantastic news on the callout, thank you Luke :)

Bjorn Forsberg | FORSBERG+two | Award-winning Shopify Apps since 2011
Posts:
71
6 months ago

Hey Luke,

The "re-installation" message may cause problems.

Oauth error invalid_request: This app is requesting to be reinstalled and your account does not have permission to grant the requested access. You may be able to resolve this issue by reinstalling the app as the account owner

I had a user who has limited access, seeing this message, almost ask the account owner to uninstall and install the app again, because the message suggests reinstalling the app. My app deletes all the data belonging to a shop immediately after the shop uninstalls the app. If the account owner had done that, all the data entered into the app would be gone. This particular user checked with me first, luckily.

I didn't test, but does this also happen if, say, my app evolves, needs a new permission, and I update my app to request that new permission?

Maybe the word "reinstalled" is not appropriate in the context of a permissions change. A more specific message asking the account owner to log in and accept the new permission would be much more appropriate.

SimplyCost - Add costs and track profit (https://apps.shopify.com/simplycost)
Posts:
618
6 months ago

I agree with Zapfor, we also delete all merchant data upon uninstallation.

The wording is confusing.

Posts:
21
6 months ago

Hi all,

Just on the re-auth sequence: if I log in as a normal user, I get the error saying I must log in as the store owner.

If I log in as the store owner, I expect to see a page prompting me to accept the new permission changes; however, that doesn't seem to appear. It is automatically accepted instead: if I log in again as a normal user, there is no more prompt asking me to approve/reinstall.

Anyone else experience this?

Luke Reeves Shopify Employee
Posts:
14
Last edited 6 months ago
1 upvote

Hey everyone, we made a change that temporarily allows limited users to update an app, granting the `read_all_orders` OAuth scope if it is the only OAuth scope being added. This resolves the issue of limited users seeing an error screen if they were the first to click on the app after the `read_all_orders` scope was added, as limited users do not have the ability to update apps. This temporary change will only be in effect until July 9, 2018 which is the deadline for adding the `read_all_orders` OAuth scope to apps who have been approved by Shopify to read all orders.

This should clear up anyone receiving the above mentioned errors requesting the store owner to re-authorize/re-install the app.

Posts:
618
6 months ago

Thank you Luke for implementing this work around.

Assuming an app has had new installs with read_all_orders by July 9th, it is not needed to re-auth existing installs and leverage this work around since all existing installs will be 'backfilled' anyway. Correct?

Posts:
71
6 months ago

Excellent Luke, thanks for allowing limited users to update an app :)

SimplyCost - Add costs and track profit (https://apps.shopify.com/simplycost)
Sufio Shopify Partner sufio.com/shopify
Posts:
51
Last edited 6 months ago

Hey all. This is the behaviour we are seeing after adding the `read_all_orders` scope to the list of our existing 3 scopes: when we perform the OAuth flow, the API returns the original token and scope (the one we saved with the old scope before) without asking for any extra permissions. Is this expected? Will this change after July 9th? If yes, how? Thanks for any answers.

Sufio - Automatic invoices for Shopify stores.
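The stale grant Sufio describes above (the callback returns the old token and scope) and the overwritten grant Harold describes (a re-authorization with the old scope list drops the backfilled scope) both come down to the app never checking what was actually granted. Below is an added example of that check, not code from Shopify or from anyone in this thread; the only Shopify detail it relies on is that the token-exchange response carries the granted scopes as a comma-separated `scope` string, and all function names, fields and sample data are this example's own.

```python
# Added example: reconcile the scopes an app requires, the scopes it has stored
# for a shop, and the scopes Shopify just granted in the OAuth callback.
# Not Shopify code; names and sample values are constructed for this example.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

READ_ALL_ORDERS = "read_all_orders"
# Per the announcement, read_all_orders is only valid alongside one of these.
ORDER_SCOPES = frozenset({"read_orders", "write_orders"})


def parse_scope(scope_str: str) -> FrozenSet[str]:
    """Split Shopify's comma-separated scope string into a set of handles."""
    return frozenset(s.strip() for s in scope_str.split(",") if s.strip())


def limited_user_can_grant(previously_granted: Iterable[str],
                           requested: Iterable[str]) -> bool:
    """Temporary rule stated in the thread (in effect until July 9, 2018):
    a limited user may approve an app update only when read_all_orders is the
    sole scope being added; any other new scope needs the account owner."""
    added = frozenset(requested) - frozenset(previously_granted)
    return added <= {READ_ALL_ORDERS}


@dataclass(frozen=True)
class GrantStatus:
    granted: FrozenSet[str]      # scopes the shop holds after this callback
    missing: FrozenSet[str]      # required scopes the shop still lacks
    stale: bool                  # Shopify returned the old grant unchanged
    limited_user_ok: bool        # a limited user could have approved this
    problems: Tuple[str, ...]    # findings worth logging or alerting on


def check_grant(stored_scope: str, token_response: dict,
                required: Iterable[str]) -> GrantStatus:
    """Compare stored, granted and required scopes after a token exchange."""
    previously = parse_scope(stored_scope)
    granted = parse_scope(token_response.get("scope", ""))
    required = frozenset(required)
    missing = required - granted
    problems = []
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    if READ_ALL_ORDERS in granted and not (granted & ORDER_SCOPES):
        problems.append(READ_ALL_ORDERS + " granted without read_orders/write_orders")
    lost = previously - granted        # Harold's case: a re-auth dropped a scope
    if lost:
        problems.append("scopes dropped by this re-authorization: "
                        + ", ".join(sorted(lost)))
    return GrantStatus(
        granted=granted,
        missing=missing,
        stale=bool(missing) and granted == previously,   # Sufio's case
        limited_user_ok=limited_user_can_grant(previously, required),
        problems=tuple(problems),
    )


# Constructed sample (not real shop data): the app now requires the new scope,
# but the callback handed back the previously stored grant unchanged.
APP_REQUIRED = frozenset({"read_orders", "read_products", READ_ALL_ORDERS})
STORED_SCOPE = "read_orders,read_products"
SAMPLE_TOKEN_RESPONSE = {"access_token": "placeholder-token",
                         "scope": "read_orders,read_products"}

if __name__ == "__main__":
    status = check_grant(STORED_SCOPE, SAMPLE_TOKEN_RESPONSE, APP_REQUIRED)
    for finding in status.problems:
        print(finding)
    print("stale grant:", status.stale, "| limited user ok:", status.limited_user_ok)
```

An app that runs this on every callback can log the stale case instead of silently reading zero old orders, and can refuse to overwrite a stored grant with a smaller one.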
Alex Richter Developer Experience
Posts:
901
6 months ago

@Clement - I came across someone asking the question about webhooks firing for orders older than 60 days in one of my circles and was able to determine that they should in fact still be firing, so that visibility should not be interrupted. Just wanted to post here for anyone else who might be unsure and for just in case you never got an answer.

Cheers.

Posts:
618
6 months ago

Thanks Alex. Good to know.

Posts:
19
5 months ago

Hi Guys

We are trying to submit the request to read_all_orders. While we are doing this we always get an error: There was an error sending your request.

Our app prints shipping labels for orders when they are fulfilled. Depending on the store's business model or the backorder situation, this can happen later than 60 days after the order has been placed. Therefore we need access to the full order history.

Thanks for your help!

Best

TW

Posts:
81
5 months ago

Can anyone tell me what the timeframe is for getting my apps the additional permissions? My app isn't even on the app store, so I am not sure why this is happening to me.

I have a very upset client, and my apps are not working anymore!

I asked for the additional permissions 10 days ago (7 working days) and have heard nothing!

Please help!

 

Shopify app developer and consultant