Access denied in Admin API GraphQL App

davidmedero
Shopify Partner
5 0 3

I created a custom store with next/react js using the storefront API and now I want to fetch order history when a customer logs in to their account. According to the docs, I can fetch orders using the Admin API, but not with the storefront API. Even though I enabled ALL access scopes, I get Access denied when I query for orders, customers, products, etc. It only works when I query for my shop details like my shop's name, email, etc. I uninstalled and reinstalled the app after configuring the access scopes. Am I missing something? 

By the way, even if it were possible to fetch orders with the storefront API, my customers would be forced to log in with an email AND password to generate a customer access token which is what I'm trying to avoid. I'm using next auth, so customers only need to provide an email or can sign in with Google or a different provider. 

Replies 3 (3)
davidmedero
Shopify Partner
5 0 3

I just realized, are these features I want implemented available to Shopify Plus members only? 

c10s
Shopify Partner
67 12 16

Are you trying to run this on the client or server? If I remember correctly the GraphQL Admin API can fail client side for sensitive queries. You should never be running the Admin API on the client since anybody with a bit of knowledge can grab data they shouldn't have access to.

 

If you're using Next.js and currently trying to fetch via the client, either do the fetching from an API route or getStaticProps/getServerSideProps.

 

 

By the way, even if it were possible to fetch orders with the storefront API, my customers would be forced to log in with an email AND password to generate a customer access token which is what I'm trying to avoid. I'm using next auth, so customers only need to provide an email or can sign in with Google or a different provider. 

Yeah, you can get around this with Multipass (ie. use a third party to authenticate with Shopify but it's Plus only)

davidmedero
Shopify Partner
5 0 3

Thanks for the great advice C10s! Turns out I had to reinstall the GraphQL app, not the custom app. And I found out how to query orders with only the customer's email:

query {
customers(first:1, query:"email:'admin9@admin9.com") {
  edges {
    node {
     orders(first: 20) {
       edges {
         node {
                  id
                  createdAt
                  subtotalLineItemsQuantity
                      subtotalPriceSet {
                         shopMoney {
                            amount
}
}
                             displayFulfillmentStatus
                                shippingAddress {
                                   address1
}
                                  billingAddress {
                                  address1

}
                                   lineItems(first: 20) {
                                      edges {
                                          node {
                                            variantTitle
                                                quantity
                                                    originalUnitPriceSet {
                                                       shopMoney {
                                                          amount
}
}
}
}
}
}
}
}
}
}
}
}