OAuth flow changes

Shopify Partner



At my company we've been trying to amend our Shopify app to no longer need browser local storage, but we've been having difficulty updating our auth flow.


We've attempted to consult several pages from the docs but on each we ultimately find ourselves stuck.


* https://shopify.dev/apps/auth/oauth/session-tokens/getting-started : We can implement Step 3 to validate the session token, but the implementation of Step 4 is unclear to us. We believe that the purpose of the step is to go through the oauth flow to get a permanent access token, but the step itself does not explain how the flow should work except by linking to another, presumably older page which appears to outline the flow that we currently use. The step seems to allude to the fact that we should be using this flow as it talks about detecting "the first time that the shop is loading your app", but previously we were able to determine whether the user was on their first, second or third visit to our app's Shopify auth route by storing state in the browser, and our understanding is that we can no longer do that.


* https://shopify.dev/apps/auth/oauth/update/node-php : We can implement Steps 1 and 2 to direct the user to a new iframe escape route, but upon reaching Step 3 it is not clear how we're supposed to proceed. What is the "embedded app URL"? Is it the Shopify URL of the app? Is it the URL of our app within the iframe? And when we do the redirect, what are we supposed to do next? Furthermore, we can't find an explanation for the purpose of "escaping the iframe".


Various doc pages suggest using Shopify's API libraries and consulting the provided example applications, but these are of limited help to us as we have a React SPA frontend with a Kotlin backend.


Additionally, our SPA uses a hash router, but configuring a Shopify app to have a hash in the App URL results in the iframe's query parameters appearing before the route. So while we would expect the URL of the iframe to have this form:




it ends up having this form:




URL-encoding the hash is not an option as it bypasses our SPA's router.


Thanks in advance.


Shopify Partner

I am also not sure what we need to do for this OAuth flow update: https://shopify.dev/apps/auth/oauth/update. Can anyone please make a suggestion if you know? That would be very helpful. Thanks in advance!