App Authentication After Installation

Solved
ddaine

I already made a post here https://community.shopify.com/c/Shopify-Discussion/Embedded-App-how-to-decode-and-use-the-session-to....

Because I haven't gotten an answer yet, I want to mention my post here as well, because I see more activity here.

How can I verify the request coming from Shopify Admin to my App after the installation of the public app is done?

Thank you a lot for reading.

ddaine

Thank you a lot for your answer. I read it but I don't know what to do exactly. Do I have to compare the session token from the app bridge and the token from the request?

If not, why does Shopify Admin Panel deliver that parameter ("session") in the first place? Is it for the app bridge itself to receive an actual JWT token?

0 Likes
policenauts

This is an accepted solution.

I don't know what session is in the Shopify Admin Panel. What I do is I get the session token using AppBridgeUtils (per the link I sent to you). Then I send the session token over to my Node.js server and then authenticate it using this npm library: https://www.npmjs.com/package/shopify-jwt-auth-verify. If it passes, then I let them into my app. 

wiretrackio

I have the same doubt. I tested in a few stores and it seems that the redirect integer in the URL changes depending on the store you are in.

It would be easy if the redirect was always the same, like: https://{shopstore}.myshopify.com/admin/apps/{custom_shop_int_code}/app so it would be possible to only accept requests coming from that specific source.

Did you end up solving this issue? Didn't want to have an extra login system since Shopify already does that.

0 Likes
ddaine

I would not do that because it is unsafe. You can't use cookies either, since you are operating in a frame. That's why it works with session tokens, which you can get with the Shopify AppBridge in your JavaScript source code and then let a server of yours verify it. In the Shopify documentation you'll find out how to verify such a JWT token.

0 Likes
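The server-side check described in the posts above, as an added example that is not code from any poster or from the npm library mentioned: it verifies an App Bridge session token (an HS256 JWT signed with the app's API secret) using only Node's built-in `crypto`. The function names, sample shop, key and secret are constructed for illustration; the claim checks follow Shopify's documented session token payload (`exp`, `nbf`, `aud`, `iss`, `dest`).

```javascript
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const parseJson = (part) => {
  try { return JSON.parse(Buffer.from(part, 'base64url').toString('utf8')); }
  catch { throw new Error('malformed token'); }
};

// Returns the decoded payload, or throws an Error naming the failed check.
// `now` is injectable (seconds since epoch) so the checks can be tested.
function verifySessionToken(token, apiKey, apiSecret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;

  // Pin the algorithm: the token header must not choose it (rejects "alg":"none").
  if (parseJson(h).alg !== 'HS256') throw new Error('unexpected alg');

  // Recompute the HMAC over "header.payload" and compare in constant time.
  const expected = crypto.createHmac('sha256', apiSecret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  // Only read claims after the signature has been verified.
  const payload = parseJson(p);
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  if (typeof payload.nbf !== 'number' || payload.nbf > now) throw new Error('not yet valid');
  if (payload.aud !== apiKey) throw new Error('wrong audience'); // token issued for another app
  // iss (".../admin") and dest must name the same shop host.
  if (new URL(payload.iss).hostname !== new URL(payload.dest).hostname) {
    throw new Error('shop mismatch');
  }
  return payload; // payload.dest identifies the shop the request is for
}

// Constructed helper that signs sample claims, used only to exercise the verifier.
function signSample(claims, secret, alg = 'HS256') {
  const h = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const p = b64url(JSON.stringify(claims));
  const s = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url');
  return `${h}.${p}.${s}`;
}
```

Session tokens are short-lived, so the front end should fetch a fresh one from App Bridge for each request rather than caching it.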
wiretrackio

From what I understood this is for embedded apps only. Wonder how to do this for standalone apps.

0 Likes