Hi,
We do have an embedded application and we do use our own JWT tokens & along with OAuth authentication.
We do actually verify a request by processing it through HMAC-SHA256 hash function & afterwards we fetch a JWT token & authorize further requests by our application.
The question is following:
- Are session tokens provided by shopify bridge required to pass an audit?
- Is even a shopify bridge needed to pass an audit for embedded application?
Hi There, if you are embedding the app you MUST use shopify app-bridge to generate the jwt session token.
https://shopify.dev/apps/auth/oauth/session-tokens
You first authenticate via oauth then once authenticated you use app-bridge to request a jwt session token, this session token you put in the header to your backend and use it to authenticate the requests from your front end. You will need to use polling to continuously get new session tokens since they expire relatively quickly.
The answer to your two questions as far as I am aware are yes and yes 😉
Hope that helps
Gary
But what if my app uses session tokens provided by my own backend? It does not use cookies or local storage, like required, just uses own JWT tokens to authorize requests.
Hi,
I am not 100% certain, but as long as you are not using 3rd party cookies to store session information then I think Shopify doesn't care what exact method you use as long as it's using some sort of session token. If you have a server-side rendered app and want to embed it then the app-bridge in conjunction with turbo-links is going to be the path of least resistance.
If you are using React then honestly I also see no reason not to use all the tools that Shopify provides to make your life easier 🙂 after all the getSessionToken method gets a short lived JWT token.
Give it a try and see what they say.
Cheers