embedded app session tokens authentication

Shopify Partner
29 0 1

Hello, I am trying to authenticate an embedded app with session tokens.

The backend is written in python with flask.

This is the frontend code with shopify app bridge:

        var AppBridge = window['app-bridge'];
        var utils = window['app-bridge-utils']
        var Redirect = AppBridge.actions.Redirect;

        const permissionUrl =
            "/oauth/authorize?client_id={{ api_key }}&scope={{ scopes }}&redirect_uri={{ redirect_uri }}";

        if (window.top == window.self) {
            window.location.assign("https://{{ shop }}/admin" + permissionUrl);

        } else {
            const app = AppBridge.createApp({
                apiKey: "{{ api_key }}",
                shopOrigin: "{{ shop }}"
            //try {
                const sessionToken = utils.getSessionToken(app);
                sessionToken.then((successMessage) => {
                    console.log("Yay! " + successMessage);
                    if (successMessage === undefined)
                        Redirect.create(app).dispatch(Redirect.Action.ADMIN_PATH, permissionUrl);
                    else {
                        //const fetch = utils.authenticatedFetch(app);
                        console.log("Fetch: " + "https://{{ shop }}/admin" + permissionUrl);
                        var xhttp = new XMLHttpRequest();
                        xhttp.open("POST", "https://{{ shop }}/admin" + permissionUrl, true);
                        xhttp.setRequestHeader("Authorization", 'Bearer ' + sessionToken);
                        xhttp.setRequestHeader('Access-Control-Allow-Headers', '*');

I don't know if the ajax request is fine.

With this code I get this error on the frontend:

access to XMLHttpRequest at 'https://myshop.myshopify.com/admin/oauth/authorize?client_id=mycode&scope=read_products&redirect_uri=https://myngrok.ngrok.io/auth/shopify/callback' from origin 'https://myngrok.ngrok.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.


After I've got the token what is the next step?


Replies 0 (0)