I've recently had the case that a user un-installed my Shopify app and instantly re-installed it. This caused a problem because I store all my users in a DB table.

Login/Installing works as follows:

1. The user tells me his shop URL
2. I forward the user to example.myshopify.com/admin/oauth/authorize where access is granted to my app
3. I check if that shop URL is already stored in my local user DB
   • If not: I request a permanent access token and forward the user to the plan selection page
   • If yes: I get the stored permanent access token from the user DB and log the user into my app

Uninstalling:

1. The user uninstalls my app in his Shopify backend
2. Shopify sends a webhook to my app
3. I remove that user's data from the user DB

The problem is that the webhooks are sometimes delayed. If an user uninstalls and instantly re-installs, my app will think the install is a login attempt, and will use the now invalid access token stored in the user DB.

I figured I could just check if the redirection from the authorization page contains a temporary access token, and if yes, it would be a new installation, but it seems the access token is returned even if the app has already been installed.

So my question is: How can I handle instant re-installation gracefully? Surely there's something that I'm overlooking, there can't be such a huge "logic bug" in the Shopify API?

I've had this problem with my apps as well lately. Webhooks only started getting delayed in the last 2 months, and I'd be surprised if most apps out there weren't suffering from this regression bug now.

The way I deal with it is - when the user is redirected to the app and the old db object/token is still present in the database, try calling a dummy API call to the Shopify API (something like get shop details) with the token you have. If you get a 403 Unauthorized response, invalidate the user session and refresh the stored token.

Another problem is that after a minute or two when the original uninstall webhook does fire, do the same procedure - check for a 403 response. If you DON'T get a 403, then you know that the webhook is old and shouldn't be acted upon, because if you get a 200 OK it means that your token is good and that the app is still installed.

It's a bit convoluted and it added a fair bit of code to my apps, but it's the only thing I could think of on a short notice - because merchants do uninstall/re-install quickly fairly often.