Aggressive bot detection with 429 errors AJAX Cart API

Hey @Paige-Shopify, is anything being done about this? As a theme developer this is frustrating; I simply cannot work on my client's site right now as I am being rate limited after only a few minutes of loading the dev store.

The issue for us is a little different to others but related. We are using Vue.js to create our collection grid, so we need to fetch each product one-by-one, which causes 20-30 GET requests to product URLs every few seconds.

This never used to be an issue until now.

Can we get some clarification on if this will be addressed or not?

Unfortunately, another very frustrated merchant reported to us the issue of an unnecessary bot detection challenge when adding products to cart.

The app makes just one request to add the products to cart, so there’s no real reason to trigger the bot detection.

I hope this problem gets solved ASAP because merchants are losing sales.

TLDR for anyone just joining us:

  • We introduced new bot protection measures for the cart.
  • Based on the feedback provided, we adjusted these measures.
  • If you are a developer or merchant needing to run tests on a shop, we recommend following the approach in this Help Center article so we can verify your requests.
  • We are still working on a fix for CLI users and VPN users.
  • All users will be able to complete the challenge in order to continue shopping.

@Dmitri_Pavlutin you’re right that a single cart request shouldn’t be affected. Can you have the affected shop reach out to support so we can investigate that further?

@Paige-Shopify The merchant already reached out to Shopify customer support.

This was the response from support:

This does mean that after I refresh the Cloudflare from the domain that you have, and the issue is still happening. It might be best to coordinate with the Boxi app directly to modify how they handle the redirect and cart interaction.

What I’m going to do from my end is that I will have to refresh the Cloudflare from my side, and let’s monitor the changes through your store after or within 24 hours

Our app simply does just one standard add to cart request and after that redirects to cart or checkout page.

Thanks for sharing @Dmitri_Pavlutin!
I took a look at that ticket, and it seems the conversation somehow ended up focusing on Cloudflare itself :sweat_smile:

Have you been able to replicate the issue on that shop at all?
I’m looking for a request ID for a cart request that didn’t get a 429 response, so I can investigate the responses that did get a 429 response.

@Paige-Shopify

I was able to replicate the problem at that moment when the merchant reported the problem, but now it seems to work fine.

Also, the merchant is sharing the links to the Boxi builders in newsletters - so maybe spikes of visits from the newsletter trigger the bot detection.

Also, as many partners mentioned in this thread, the verification seems to be broken. It is fine that Cloudflare shows a verification page to detect whether I am a bot or not - and if I pass the verification, I would expect the add to cart action to work as expected. However, this is not the case. I passed the verification, but when adding products to the cart, the verification is triggered again - which actually fails and creates the problem.

@Dmitri_Pavlutin, that’s alright, I’ll continue digging into our logs to see what I can find.

Appreciate the confirmation that you’re experiencing the same issue with the Cloudflare verification page. We’re looking into that now.

To everyone else, we’ll make adjustments based on feedback to reach a solution, so please keep the feedback coming in!

I’ve tried testing our extension with this app and after 1-2 “add to carts” we just get spammed with Cloudflare tests:

@Paige-Shopify

Main GitHub issue: [Bug]: "Your connection needs to be verified before you can proceed" · Issue #6416 · Shopify/cli · GitHub

Here’s more topic around networking issues. The networking issues are causing a lot of headaches when working on themes locally. Any ETA on a fix?

@mrkaluzny, we have just released a fix for CLI in version 3.92.1.

Has this been fixed for the AJAX API? We’ve been trying to find a workaround for this issue but nothing so far has worked. We’re worried that this is impacting conversion for some sessions since we rely heavily on the AJAX API for a dynamic pop-out cart.

Still hitting those rate limits locally with version 3.92.1 as well as seeing this happening for live stores. This is still ongoing.

I’ve updated to @shopify/cli latest version and still get blocked after 2-5 page refreshes using localhost.

If I use the actual dev Shop it takes longer, but we still see this problem.

Not sure why Shopify decides to spend so many resources on AI tokens, but decided to start blocking cart requests.

Been running into these 429 errors this morning while trying to test some cart changes using shopify theme dev. I can add about 3 products to the cart before I get locked out with 429 errors for several minutes. This is really frustrating, I need to add dozens of items to the cart to test the theme feature I’m working on!

Although we had shipped a fix for this in CLI version 3.92.1, thanks for letting us know you’re still encountering issues with it.

Just a heads up that we’re mostly discussing 429 errors with CLI here:

For anyone still experiencing 429 errors, please DM me or send me an email (josh.faigan@shopify.com) with the Shopify store domain that you are working with (i.e. mystore.myshopify.com). It will let us check logs to see what is happening. If I can get more information I will be able to chat with our other teams. Thank you so much!

Hi guys,

When using an Express VPN on our live site, after adding to cart a couple of times we are getting the 429 response rate limit messages and the Cloudflare verification for a simple cart retrieval. Nothing fancy on the cart page, just trying to load the cart from a simple add to cart.

Is there a fix for this yet?