Re: Shopify App Bridge Requirement

redrunek
Visitor

Hi,

We do have an embedded application and we do use our own JWT tokens along with OAuth authentication.

We do actually verify a request by processing it through an HMAC-SHA256 hash function, and afterwards we fetch a JWT token and authorize further requests by our application.

The question is the following:
- Are session tokens provided by Shopify bridge required to pass an audit?

- Is a Shopify bridge even needed to pass an audit for an embedded application?

Replies 3 (3)

garyrgilbert
Shopify Partner

Hi there, if you are embedding the app you MUST use Shopify app-bridge to generate the JWT session token.

https://shopify.dev/apps/auth/oauth/session-tokens

You first authenticate via OAuth; then, once authenticated, you use app-bridge to request a JWT session token. You put this session token in the header to your backend and use it to authenticate the requests from your front end. You will need to use polling to continuously get new session tokens since they expire relatively quickly.

The answer to your two questions, as far as I am aware, is yes and yes 😉

Hope that helps

Gary

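The backend half of the flow described in the reply above, as an added example that is not part of the original thread and not Shopify's own code. It assumes, per the linked documentation, that the session token is an HS256 JWT signed with the app's API secret and carrying `iss`, `dest`, `aud`, `exp` and `nbf` claims; `API_KEY`, `API_SECRET` and the helper names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

API_KEY = "example-api-key"          # constructed placeholder, not a real key
API_SECRET = b"example-api-secret"   # constructed placeholder, not a real secret

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, secret=API_SECRET, alg="HS256"):
    """Build a constructed sample token standing in for one sent by the front end."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = head + "." + body
    return signing_input + "." + b64url_encode(sign(signing_input, secret))

def verify_session_token(token, now=None, leeway=5):
    """Return the claims of a valid token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; the token must not pick it
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign(head + "." + body, API_SECRET), signature):
        raise ValueError("bad signature")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or exp < now - leeway:
        raise ValueError("expired")
    if not isinstance(nbf, (int, float)) or nbf > now + leeway:
        raise ValueError("not yet valid")
    if claims.get("aud") != API_KEY:  # token must have been issued for this app
        raise ValueError("wrong audience")
    iss_host = urlparse(str(claims.get("iss"))).hostname
    if not iss_host or iss_host != urlparse(str(claims.get("dest"))).hostname:
        raise ValueError("iss/dest shop mismatch")
    return claims
```

The returned `dest` claim identifies the shop the request belongs to, so the backend can key its own authorization on it rather than on a value supplied by the front end.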
NaotoNomura
Visitor

But what if my app uses session tokens provided by my own backend? It does not use cookies or local storage, as required; it just uses its own JWT tokens to authorize requests.

garyrgilbert
Shopify Partner

Hi,

I am not 100% certain, but as long as you are not using 3rd party cookies to store session information then I think Shopify doesn't care what exact method you use as long as it's using some sort of session token. If you have a server-side rendered app and want to embed it then the app-bridge in conjunction with turbo-links is going to be the path of least resistance.

If you are using React then honestly I also see no reason not to use all the tools that Shopify provides to make your life easier 🙂 After all, the getSessionToken method gets a short-lived JWT token.

Give it a try and see what they say.

Cheers
