Hello everyone,
I am currently facing an issue with my application (it's based on the Remix starter app) where the access token and scopes stored in my database (SQLite for now) become outdated when changes are made on the Shopify level.
I know that on activation, `shopifyApp` uses sessionStorage to handle the creation of a database record after the user accepts permissions. The database record looks like this:
```json
{
  "id": "offline_test.myshopify.com",
  "shop": "test.myshopify.com",
  "state": "",
  "isOnline": false,
  "scope": "read_themes,write_products",
  "accessToken": "shsgb_8e0c33a5518dddf799cb0bf089c6059d"
}
```
`PrismaSessionStorage(prisma)` handles the creation of this record, but it doesn't seem to handle updating the record when something changes on the Shopify level. I do see, however, that if I delete the record, a new record with a working accessToken is created. I'm aware that the uninstall webhook should handle that when an uninstall/install happens, but assume that, for whatever reason, the session record wasn't deleted from the database before the accessToken changed. An example scenario: I changed access scopes, deployed the app to Shopify, and accepted the new scopes, which then generated a new access token for the Shopify store (or simply my app was offline when I made the access scope changes). After this whole process, the sessions table still holds the old scopes and accessToken, which don't work when I try to make specific requests to `https://test.myshopify.com/admin/api/2024-04/graphql.json`, for example; the scopes and accessToken are not updated when I `run app dev` after the changes.
Again, the issue is solved when I remove the database record and run the app again with `run app dev`.
I've tried using `afterAuth`, but it does not work in this case because it's only triggered if Shopify finds that the existing session is not valid. For some reason, the existing session is detected as valid according to the logs, but using the same session accessToken to call a Shopify endpoint proves it's not valid.
Also, to give you a little bit of context: I created an extension which renders a button on the frontend. This button connects to an appProxy, which then connects to my API route, passing along the retrieved token, which I then use to call `https://test.myshopify.com/admin/api/2024-04/graphql.json`. But it's not always working due to the issue described above.
I would appreciate any guidance or suggestions on how to handle this issue. How can I ensure that the access token and scopes in my database are always up-to-date with the Shopify level?
Thank you in advance for your help.
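As an added example (not code from the original post, nor from the Shopify or Prisma libraries), here is a staleness check a practitioner could run on a stored offline session row before trusting it: it compares the row's `scope` string against the scopes the app now requires and probes the Admin GraphQL endpoint with the stored token. The sample record, the placeholder token, the `fetchImpl` injection and the assumption that a 401 response means the token was replaced or revoked are all mine, not the poster's.

```javascript
// Added example, not from the original post or the Shopify libraries:
// decide whether a stored offline session row is stale before using it.
// Shopify treats a write_* scope as also granting read_* on the same
// resource, so "write_products" satisfies a requirement for "read_products".
function expandScopes(scopeString) {
  const granted = new Set();
  for (const raw of scopeString.split(",")) {
    const s = raw.trim();
    if (!s) continue;
    granted.add(s);
    if (s.startsWith("write_")) granted.add("read_" + s.slice(6));
  }
  return granted;
}
// Scopes the app now requires that the stored row does not grant.
function missingScopes(record, requiredScopes) {
  const granted = expandScopes(record.scope || "");
  return requiredScopes.filter((s) => !granted.has(s));
}
// Probe the Admin GraphQL endpoint with the stored token. fetchImpl is
// injected so the check can run offline. Assumption: a 401 response means
// the token was revoked or replaced even though the DB row still exists.
async function tokenStillValid(record, fetchImpl) {
  const url = `https://${record.shop}/admin/api/2024-04/graphql.json`;
  const res = await fetchImpl(url, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-Shopify-Access-Token": record.accessToken,
    },
    body: JSON.stringify({ query: "{ shop { id } }" }),
  });
  return res.status !== 401;
}
// Stale if any required scope is missing or the token no longer works.
// The caller would then delete the row (e.g. via the Prisma client) so the
// next request starts a fresh OAuth flow instead of failing with old data.
async function isSessionStale(record, requiredScopes, fetchImpl) {
  if (missingScopes(record, requiredScopes).length > 0) return true;
  return !(await tokenStillValid(record, fetchImpl));
}
// Constructed sample row (placeholder token) and a fake fetch that answers
// the way Shopify would for a token that has been replaced.
const SAMPLE_RECORD = {
  shop: "test.myshopify.com",
  scope: "read_themes,write_products",
  accessToken: "shpat_PLACEHOLDER_not_a_real_token",
};
const fakeFetchRevoked = async () => ({ status: 401 });
```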