I posted a message the other day that didn't get any responses but I thought I would clarify my issue here.
I want to describe the way I am currently doing my Auth flows as I'm not fully confident if I'm doing things right. I'm using Create React App (CRA) to build my application, so it's CSR, not SSR.
Post Install Flow
This is when a user goes to their shop admin and navigates to my embedded app through the admin apps menu.
So I'm looking for some people to confirm if this is an acceptable way of authorising my embedded app?
It seems quite complex actually, and I guess it would be much easier to create an SSR app with something like Next.
Some concerns that I have are as follows:
I've read about Session tokens and Authorising embedded apps here: https://shopify.dev/apps/auth/session-tokens/authenticate-an-embedded-app-using-session-tokens. Given the fact I'm using a permanent access_token, I'm assuming I don't need to use session tokens, correct?
Once a user is logged in to Cognito, I no longer verify each page load request, given that I would need to call my verifyLogin API each time. Should I actually be verifying each page load request?