I would like to create a form for the user's shop that generates a draft order on submission. However—if I'm understanding app proxies correctly—app proxies don't have the authorization to make any changes on behalf of the shop. The app proxy is essentially separate from the shop and the app in that it does not have an access token to use in order to make API requests.
How do I make API requests on behalf of the requesting shop from an app proxy?
If it isn't possible, what would be a smart way to accomplish this? Can I, for example, submit the form from the proxy to the shop and then let the shop handle it?
Hi @KOVIKO ,
However—if I'm understanding app proxies correctly—app proxies don't have the authorization to make any changes on behalf of the shop. The app proxy is essentially separate from the shop and the app in that it does not have an access token to use in order to make API requests.
This is correct.
How do I make API requests on behalf of the requesting shop from an app proxy?
It is not possible, and it is also not good practice, to make Admin API requests from the front-end app proxy running on a web browser. Firstly, your API request will be blocked from the browser due to the CORS policy Shopify has set up on our end (there are plenty of forum posts about this: https://community.shopify.com/c/Shopify-APIs-SDKs/Using-APIs-from-a-different-origin-domain/td-p/502...). Secondly, by making an Admin API request from an app proxy / web browser it means that your API credentials will be open and public for anyone visiting your store's site to see - which is extremely dangerous.
If it isn't possible, what would be a smart way to accomplish this? Can I, for example, submit the form from the proxy to the shop and then let the shop handle it?
I'd recommend that you should submit the form from your app proxy to the back-end server the app proxy runs on. From this back end server you should save your Admin API credentials and make the Admin API request to create the draft order.
To learn more visit the Shopify Help Center or the Community Blog.
Thank you for responding @hassain. I was worried this was just going to get lost. 😞
I'd recommend that you should submit the form from your app proxy to the back-end server the app proxy runs on. From this back end server you should save your Admin API credentials and make the Admin API request to create the draft order.
How would I do this? Like, to where would I make the submission? Would the URL responsible for handling the request be a part of the embedded admin?
Or, rather, would I need to take the admin credentials of every shop that authorizes my app and save them on my server? And, if so, is there an accepted means of doing this securely? I don't want to jeopardize the security of my users.
I'm honestly not even sure what I should be looking for in order to solve this. Does anyone know of any Shopify documentation for accomplishing this?
Or, I guess my real question is:
Is the access token that I get from OAuth permanent or temporary? And, if it's temporary, how do I get a permanent one?
Yes, the OAuth token you get for a shop that installed your app is permanent. It only expires if the shop uninstalls your app, or if your app changes the access_scopes it requires.
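The back-end flow recommended in the thread, as an added example that is not part of any post above and is not Shopify's own code: the server authenticates the proxied form submission, then looks up the token it stored for that shop at OAuth time, so the token never reaches the browser. It assumes Shopify's app proxy signing scheme (a `signature` query parameter holding a hex HMAC-SHA256, keyed with the app's shared secret, over the remaining parameters sorted and concatenated as `key=value`); the secret, shop domain, token, store and function names are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed values: a real app loads the secret from its configuration and
# keeps the per-shop OAuth tokens in an encrypted server-side store.
APP_SHARED_SECRET = "constructed-app-secret"
TOKENS_BY_SHOP = {"example-shop.myshopify.com": "constructed-offline-token"}


def proxy_signature(params, secret):
    """HMAC-SHA256 over the sorted 'key=value' pairs, joined with no separator."""
    message = "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def authenticate_proxy_request(query_string, secret=APP_SHARED_SECRET):
    """Return the verified shop domain, or None if the signature does not match."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [""])[0]
    expected = proxy_signature(params, secret)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return None
    return params.get("shop", [None])[0]


def token_for_request(query_string):
    """Look up the stored Admin API token for the shop that signed the request."""
    shop = authenticate_proxy_request(query_string)
    if shop is None:
        raise PermissionError("app proxy signature check failed")
    token = TOKENS_BY_SHOP.get(shop)
    if token is None:
        raise LookupError(f"no stored token for {shop}")
    return shop, token  # used server-side only; never sent back to the browser


def signed_query(params, secret=APP_SHARED_SECRET):
    """Build a constructed, correctly signed query string for the demo."""
    sig = proxy_signature({k: [v] for k, v in params.items()}, secret)
    return "&".join(f"{k}={v}" for k, v in params.items()) + f"&signature={sig}"


if __name__ == "__main__":
    good = signed_query({"shop": "example-shop.myshopify.com",
                         "path_prefix": "/apps/draft", "timestamp": "1700000000"})
    print(token_for_request(good))
    print(authenticate_proxy_request(good.replace("example-shop", "other-shop")))
```

Only after `token_for_request` succeeds would the handler call the Admin API to create the draft order, taking the shop from the verified parameters rather than from a form field the visitor controls.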