Embedded app Auth0 flow

New Member

Hi,


I already have a working public app which performs the initial Auth0 installation flow, and the shop's offline access token is stored in my database. I also have a working proxy which sends calls from the storefront to my server, and I can successfully verify the Shopify-generated signature coming from the proxy and retrieve the corresponding shop's access token to make requests to the Admin API.


Now I want to make calls from my embedded app to my server and then to the Shopify Admin API. The only difference between this process and the process from a storefront is that on the storefront I have to use a proxy, which adds a signature to my request so that I can perform HMAC verification.


Should I do a similar process when making calls from my embedded application, and if so how?


I followed a Node.js and React tutorial in part to get to where I am, and as I have it working, my embedded app already has access to my app's API_KEY and SHOP_ORIGIN. So I technically could simply send a POST request to my server from the embedded app, sending the SHOP_ORIGIN, then in my server query my database for the corresponding shop's offline_token, and with that make a call to the Admin API. However, it feels like I'm skipping some sort of verification step (like the signature for app proxies). In order for this to work I need an endpoint on my server which just takes a SHOP_ORIGIN and can make any Admin API request with only that, in which case why do I even need to verify signatures for an app proxy?


Should I?

- Generate an online access token every time an embedded app is created and use that instead of the offline access token (since I have access to my app's API_KEY in my embedded app)?


If so, what is the redirect_uri in this context?

Shopify Staff

Given the embedded app is loading an app from your server, you could create a session on the initial load (once you validate the request), and then check the session on API requests, something like:


// On app load, validate the request and then:
session['shop'] = 'some-shop.myshopify.com'

// On API request
if (session['shop']) { ...