Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Shopify GraphiQL API works for admin but not in storefront

Shopify GraphiQL API works for admin but not in storefront

Aljazari
Tourist
14 0 1

Hello!

i have been posting this issue over two week but no one can anser the questions.

i have an app it is public not private !

 

I use some variables for Admin side it works perfect!

url : /admin/api/2020-07/graphql.json

if (!is_null($token)) $request_headers[] = "X-Shopify-Access-Token: " . $token;
$request_headers[] = "Accept: application/json";
$request_headers[] = "Content-Type: application/json";
$request_headers[] = "Host: ".$shop;
$request_headers[] = "cache-control: no-cache";

--->OK

$token variable is access key for shopify user who installs the app and i get the key durring installation.

I know it is different options for public app to use graphql api so i use same token for  strofront!

url : /api/2020-07/graphql.json

if (!is_null($token)) $request_headers[] = "X-Shopify-Storefront-Access-Token: " . $token;
$request_headers[] = "Accept: application/json";
$request_headers[] = "Content-Type: application/json";
$request_headers[] = "Host: ".$shop;
$request_headers[] = "cache-control: no-cache";

 

----> NOT OK!

response return empty and response code is 403

i did not understand what shopfy means in the documantation about "X-Shopify-Storefront-Access-Token"

i do not see any spesific key for this method. by the way my app is not in sale channel.

one test store installed the app and i am using access key for that store in $token; variaable.

if you ask where do i generate $token; variable, here is the answer:

$api_key = "ad610a996a4aa4f3546890eexxxxxxxx";
$shared_secret ="shpss_511156b13933c45808857dedxxxxxxxx";
$params = $_GET; // Retrieve all request parameters
if(isset( $_GET['hmac']))
$hmac = $_GET['hmac']; // Retrieve HMAC request parameter
 
if(isset($_GET["shop"]));
 $shop=$_GET["shop"];
$params = array_diff_key($params, array('hmac' => '')); // Remove hmac from params
ksort($params); // Sort params lexographically
 
if(isset($params["url"]))
unset($params["url"]);
$computed_hmac = hash_hmac('sha256', http_build_query($params), $shared_secret);
 
// Use hmac data to check that the response is from Shopify or not
if (hash_equals($hmac, $computed_hmac)) {
 
// Set variables for our request
$query = array(
"client_id" => $api_key, // Your API key
"client_secret" => $shared_secret, // Your app credentials (secret key)
"code" => $params['code'] // Grab the access key from the URL
);
 
// Generate access token URL
$access_token_url = "https://" . $params['shop'] . "/admin/oauth/access_token";
 
// Configure curl client and execute request
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $access_token_url);
curl_setopt($ch, CURLOPT_POST, count($query));
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($query));
$result = curl_exec($ch);
curl_close($ch);
 
// Store the access token
$result = json_decode($result, true);
$access_token = $result['access_token'];

//$access_token is equals $token variable.

however, i cannot access data with graphql api for storefront api

please help me to solve this problem..

Thank you!

Replies 2 (2)

Aljazari
Tourist
14 0 1

{
"headers":{
"status":"HTTP\/1.1 403 Forbidden\r",
"Date":"Sun, 23 Aug 2020 15",
"Content-Type":"text\/html",
"Transfer-Encoding":"chunked",
"Connection":"keep-alive",
"Set-Cookie":"__cfduid=dee7e7fedaf75df668529f0e99dc68a061598197281; expires=Tue, 22-Sep-20 15",
"X-Sorting-Hat-PodId":"148",
"X-Sorting-Hat-ShopId":"45358055573",
"Vary":"Accept-Encoding",
"Access-Control-Allow-Origin":"*",
"X-Frame-Options":"DENY",
"X-ShopId":"45358055573",
"X-ShardId":"148",
"Content-Language":"tr",
"Strict-Transport-Security":"max-age=7889238",
"X-Request-Id":"d2881d60-818e-49a1-a648-31f9ebd9fdd7",
"X-Shopify-Stage":"production",
"Content-Security-Policy":"frame-ancestors 'none'; report-uri \/csp-report?source%5Baction%5D=query&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=api%2Fgraphql&source%5Bsection%5D=api&source%5Buuid%5D=d2881d60-818e-49a1-a648-31f9ebd9fdd7",
"X-Content-Type-Options":"nosniff",
"X-Download-Options":"noopen",
"X-Permitted-Cross-Domain-Policies":"none",
"X-XSS-Protection":"1; mode=block; report=\/xss-report?source%5Baction%5D=query&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=api%2Fgraphql&source%5Bsection%5D=api&source%5Buuid%5D=d2881d60-818e-49a1-a648-31f9ebd9fdd7",
"X-Dc":"gcp-us-east1,gcp-us-east1",
"CF-Cache-Status":"DYNAMIC",
"cf-request-id":"04bd944a8500000f72df2e0200000001",
"Expect-CT":"max-age=604800, report-uri=\"https",
"Server":"cloudflare",
"CF-RAY":"5c75eff0db4b0f72-MXP",
"alt-svc":"h3-27=\""
},
"response":""
}

Kevin_A
Shopify Staff
318 42 61

Hey @Aljazari 

You might want to check out this documentation on getting the storefront access token: https://shopify.dev/docs/storefront-api/getting-started, specifically the part for public apps. 

Kevin_A | Solutions Engineer @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog