It appears that this issue still persists and Shopify has put the permanent fix on backlog.
As a temporary workaround - I recommend 2 things:
-
Using AppBridge v1 until Shopify releases a fix for this issue. Instead of using the missing
hostparameter as the instantiating string for the AppBridge, instead you can useshopOrigin(aka *.myshopify.com) -
If for some reason you need to use AppBridge v2, unofficially the
hostparameter is just theshopOriginbase64 encoded. I haven’t verified this myself but I’ve heard from a number of other developers they’re using this as a workaround. However, if Shopify gets around to fixing thehostparameter and decides to actually make it more secure by encrypting with your App’s private key instead of encoding - well your authentication could break.
I would recommend v1 over using v2 until we have an official announcement and debrief over what went wrong with the v2 release. I was told back in April a fix was in the works but it’s regressed or was never fixed.