Dedicated to the Hydrogen framework, headless commerce, and building custom storefronts using the Storefront API.
Hi all,
I am running two self-built private apps on a production shopify. The 2 apps are embedded app with react frontend and koa.js backend and the authentication are using the deprecated koa-shopify-auth (https://github.com/Shopify/koa-shopify-auth). Here shopify node package versions of the 2 apps.
KoaJS backend
"@shopify/koa-shopify-auth": "^3.1.70",
"@shopify/koa-shopify-webhooks": "^2.5.0"
React frontend
"@shopify/app-bridge-react": "^1.27.2",
"@shopify/polaris": "^5.2.1",
"@shopify/polaris-icons": "^3.12.0",
"@shopify/react-router": "0.0.34"
The koa-shopify-auth is deprecated and it suggested the user to migrate the cookie-based authentication to session tokens. On the other hand, i am not using the @Shopify/shopify-api for verifying the http request from the reactjs frontend. And the backend koajs calls the shopify api thru axios client.
So my question is if i keep the following setup, will it stop working in the upcoming shopify update like the winter 2023?
Thanks.
Regards,
Kit
Solved! Go to the solution
This is an accepted solution.
Got the reply from shopify support, they said according to their documentation
https://shopify.dev/docs/apps/auth/oauth/session-tokens
All embedded apps need to use session tokens because third-party cookies won't work with browsers that restrict cross-domain data access. If your embedded app still uses cookies and could pose a risk to users, then as part of our app audit process you might be contacted and requested to migrate your app to use session tokens. This request will require immediate action.
So i guess there is no a deadline when the cookie authentication will stop working. But if your app is a public app, they user may not able to use it if their browser blocked the 3rd party cookies.
Last time I checked Shopify-Koa uses JWT authentication
I am facing same problem for my public app ?
Did you get any solution or migration is the only option?
Thanks,
Pravin
No update yet.
This is an accepted solution.
Got the reply from shopify support, they said according to their documentation
https://shopify.dev/docs/apps/auth/oauth/session-tokens
All embedded apps need to use session tokens because third-party cookies won't work with browsers that restrict cross-domain data access. If your embedded app still uses cookies and could pose a risk to users, then as part of our app audit process you might be contacted and requested to migrate your app to use session tokens. This request will require immediate action.
So i guess there is no a deadline when the cookie authentication will stop working. But if your app is a public app, they user may not able to use it if their browser blocked the 3rd party cookies.