App development: handle "install app (no iframe)" and "open app (with iframe)"

New Member
2 0 0

I'm developing a Shopify App for a customer (php + react-scripts), the App was rejected because the install does not redirect to OAuth (at the time I was returning Javascript which escaped from the possible iframe and redirected to OAuth, it works with the "test app with a shop" from the Partners admin page and opening the application from the shop admin page).


The problem I've is that the http request that I receive for the "install" and the request for the "open application from the shop admin page" are the same, the only difference I noticed, the "open" adds a variable "session "in the query string.


I need to distinguish if the request is "install" or "open" because in the second case the App is executed within the iframe and if I redirect directly I receive a Content-Security-Policy error in Firefox, an X-Frame-Options deny in Chrome, Safari does not show the App (the redirect is blocked). My understanding is, if it is an "open" I should instead go back to the Javascript that escapes from the iframe and then redirects to OAuth (as shown in the examples of Getting Started with App Bridge).


I have searched the documentation and the Community forum but have not yet found an "official" reference to this "session" variable or how to recognize and handle if I am installing or opening the application.


Can I use the "session" variable to distinguish or are there other better/"official" solutions?


Thanks in advance