FROM CACHE - en_header

Embedded App - how to decode and use the session token?

ddaine
Excursionist
14 0 3
‎03-24-2021 05:25 AM

Embedded App - how to decode and use the session token?

I would like to verify the user who wants to access the admin panel of my Shopify app after the app is already installed in the shop. Shopify delivers a session token as a parameter, if the user wants to access the admin panel. As far as my understanding goes, the session token is exactly for that, to verify the shop and if the user is authenticated at the Shopify site.

 

What do I do with it? In the manual it is referenced as a JWT token but it does not have the structure header.payload.signature. So I don't really know what to do with it. I don't want to use any foreign library.

Labels:
1,963 Views
0 Likes
Report
Replies 5 (5)
ddaine
Excursionist
14 0 3
‎04-01-2021 08:11 AM

Re: Embedded App - how to decode and use the session token?

I would like to refresh this thread to increase the chance that somebody will see it.

1,923 Views
Report
akcps
New Member
1 0 0
‎05-30-2021 12:00 PM

Re: Embedded App - how to decode and use the session token?

I have the same issue.

I can see some documentation around it. https://shopify.dev/tutorials/authenticate-your-app-using-session-tokens#verify-the-signature

But it is difficult to comprehend it. 

 

Can someone help?

1,807 Views
0 Likes
Report
ddaine
Excursionist
14 0 3
‎06-03-2021 11:43 AM

Re: Embedded App - how to decode and use the session token?

How does your application architecture look like? Do you work with a backend?

1,769 Views
0 Likes
Report
Cartbear
Tourist
9 0 3
‎06-03-2021 03:03 PM

Re: Embedded App - how to decode and use the session token?

Hi ddaine,

a bit more context about your embedded app would be useful.

I use t the getSessionToken function from the app-bridge-utils to obtain session tokens. To validate the token I send it to the backend.

You could decode the jwt token on the client-side using libraries like jwt-decode. If you don't want to use a 3rd party library as you mentioned, you could check the code to learn how jwt tokens are encoded.

To make sure the jwt token was issued by Shopify the signature needs to be verified. This is really important for security reasons. Since your app's secret key was used to sign the token you should validate it in your backend. Otherwise, you would have to expose the secret to the client to perform the validation. That would cause more security issues.

Another idea would be to use the token and call an endpoint of the Shopify Admin API directly (if you don't have a backend). E.g. get the shop configuration. If the call returns a successful response you can be sure that the user has access to your shop.


Just some thoughts. Hope it helps.

 

 

 

 

 

MRG @ Cartbear
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
1,752 Views
0 Likes
Report
ddaine
Excursionist
14 0 3
‎06-03-2021 04:21 PM

Re: Embedded App - how to decode and use the session token?

Hello and thanks for your reply, Cartbear. My intentions was to reply to akcps, b/c I was able to solve the problem with a little bit of headache.
1,742 Views
0 Likes
Report

Community Blog Articles

E23_social share_1200x6751.jpg
Shopify Community AMA: Winter Editions ‘23 Recap

Thanks to all Community members that participated in our inaugural 2 week AMA on the new E...

By Jacqui Mar 10, 2023
shopify-academy-foundations-certification-16-9-v1-size.png
Introducing Shopify Certifications

Upskill and stand out with the new Shopify Foundations Certification program

By SarahF_Shopify Mar 6, 2023
notebook-and-coffee.jpg
Adding and Creating Store Policies

One of the key components to running a successful online business is having clear and co...

By Ollie Mar 6, 2023
Terms of Service Privacy Policy