Shopify App Template (CLI 3) with provided billing api workshop is unsecure?

Shopify Partner
2 0 0

Hi Devs!

I just migrated my Shopify App from CLI version 2, to CLI version 3. I had to refactor a few things but got it running in the end. As I was researching how to implement billing for my app in this new app template, I found this the most helpful and straight forward resource:

So I implemented it. Everything works. If you do a fresh install of the app you get redirected to the billing confirmation url. The problem I am noticing is, whenever I just reopen the app on the left admin panel after installing it, without confirming the app subscription on the confirmation url, I can just use the app without even having to pay. I think the problem here is, that the workshop suggest to run the billing middleware after a new valid session already got created (because billing api needs a session). This makes it, so the billing middleware ('/api/auth/callback') wont get called again, because the session is already a valid one with or without a valid subscription.

I am not sure if i did something wrong or if its just a mistake on Shopify's site, but I am certain that I cant publish the app like this. 

Anyone got any tipps or experience he would like to share?

Replies 5 (5)

Shopify Partner
41 1 8

It seems like you've migrated your Shopify App from CLI version 2 to CLI version 3 and made some refactoring. However, your question isn't fully visible, so I'm unable to provide a specific solution. If you're encountering issues with the Billing API or any other parts of the app, could you please provide more details? As a general guidance, make sure that you have updated your code to use the new methods and properties that are available in CLI version 3. Also, refer to the official Shopify CLI documentation for any changes that might be affecting your app.

Dan from Vevol Media - Shopify Partners Since 2018
• Was my reply helpful? Click Like to let me know!
• Was your question answered? Mark it as an Accepted Solution

Shopify Partner
2 0 0

Thanks for answering first of all.

I did not change any backend specific things when migrating. I just installed the new @Shopify/app@latest app template and then migrated my frontend in the new web/frontend folder. 

As said, everything works fine. My only problem is, that the implementation of the shopify billing api according to the workshop with the link i posted above, is insecure. At least for me. 
I am able to skip the billing process and get access to my shopify app, without needing to pay.

Shopify Partner
18 4 8

If I understood your context properly, I believe it is normal that you can still access the application even though you don't validate a payment.
The workshop is about a "Usage Billing with the Shopify Billing API" which means that the subscription is here to limit the usage of a specific feature in your app, not to limit the access of the application.


Does it make sense?


To be able to

Shopify Partner
6 0 3

How will be the proper way to make a limited access to the application? I'm thinking about creating a middleware as 

app.use("/api/*", shopify.validateAuthenticatedSession())
but with the code that checks the billing.
Do you know a better way?
Shopify Partner
18 4 8

That's how it should be done.


Please, be aware that you need to change the billing interval as well.

The workshop is using the interval BillingInterval.Usage

// web/billing.js
import { BillingInterval } from "@shopify/shopify-api";

export const billingConfig = {
  "My plan": {
    amount: 5.0,
    currencyCode: "USD",
    interval: BillingInterval.Usage,
    usageTerms: "One dollar per button click",


According to the behavior you describe you should probably change it to BillingInterval.Every30Days

Have a look at this shopifyApp example with monthly billing for the subscription