Why does app proxy need unauthenticated_read_product_listings scope to fetch products?

Hi everyone,

I am using a Shopify app proxy to fetch product details from the storefront via GraphQL. However, I get the following error when querying product data:

GraphqlQueryError: Access denied for product field. Required access: unauthenticated_read_product_listings access scope.

I would like to understand why the unauthenticated_read_product_listings access scope is required even though there is no authorization involved in the app proxy request. Does enabling this scope have any security implications?

Here is the relevant part of my API endpoint code:

```js
import { json } from "@remix-run/node";
import { authenticate } from "../shopify.server";
import { cors } from "remix-utils/cors";

export async function loader({ request }) {
  const url = new URL(request.url);
  const idsParam = url.searchParams.get("ids");
  const ids = idsParam?.split(",").map((id) => id.trim()) ?? [];

  const { storefront } = await authenticate.public.appProxy(request);

  const response = await storefront.graphql(
    `query ($ids: [ID!]!) {
      nodes(ids: $ids) {
        __typename
        ... on ProductVariant {
          id title price { amount currencyCode } image { url }
          selectedOptions { name value }
          product { id title handle onlineStoreUrl tags }
        }
        ... on Product {
          id title handle onlineStoreUrl
          priceRange { minVariantPrice { amount currencyCode } }
          featuredImage { url }
        }
      }
    }`,
    { variables: { ids } }
  );

  const data = await response.json();

  // Filter only ProductVariant nodes (nodes() returns null for IDs it cannot resolve)
  const wishlistedData = data.data.nodes.filter((node) => node?.__typename === "ProductVariant");
  return cors(request, json({ wishlistedData }));
}
```

My questions are:

  1. Why is the unauthenticated_read_product_listings access scope necessary for this GraphQL query through the app proxy?

  2. Does enabling this scope pose any security risks since there is no user authorization involved?

  3. How can I securely fetch product data through the storefront API using an app proxy?
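
An added example, not part of the original post: one way to validate the `ids` query parameter before it reaches `storefront.graphql`, since the loader above passes it through unchecked. The `parseWishlistIds` helper, the `gid://shopify/...` pattern, and the length and count caps are assumptions chosen for illustration.

```javascript
// Added example (not from the original post). Helper name, pattern and
// limits are assumptions; adjust them to the IDs your storefront uses.
const GID_PATTERN = /^gid:\/\/shopify\/(Product|ProductVariant)\/\d{1,20}$/;
const MAX_PARAM_LENGTH = 4096; // reject oversized query strings before parsing
const MAX_IDS = 50;            // bound the size of the nodes() lookup

function parseWishlistIds(idsParam, maxIds = MAX_IDS) {
  // A missing or empty parameter is a valid "empty wishlist" request.
  if (idsParam === null || idsParam === undefined || idsParam === "") {
    return { ok: true, ids: [] };
  }
  if (typeof idsParam !== "string" || idsParam.length > MAX_PARAM_LENGTH) {
    return { ok: false, error: "invalid_param", ids: [] };
  }

  const parts = idsParam
    .split(",")
    .map((part) => part.trim())
    .filter((part) => part !== "");

  if (parts.length > maxIds) {
    return { ok: false, error: "too_many_ids", ids: [] };
  }

  const seen = new Set();
  const ids = [];
  for (const part of parts) {
    // Allowlist: only Product / ProductVariant global IDs are accepted, so
    // the endpoint cannot be used to look up other node types.
    if (!GID_PATTERN.test(part)) {
      return { ok: false, error: "invalid_id", ids: [] };
    }
    if (!seen.has(part)) {
      seen.add(part);
      ids.push(part);
    }
  }
  return { ok: true, ids };
}

// Constructed sample input, not real store data.
const sample = "gid://shopify/ProductVariant/111, gid://shopify/Product/222,gid://shopify/ProductVariant/111";
console.log(parseWishlistIds(sample));
```

In the loader, a result with `ok: false` would map to a 400 response before any Storefront API call is made.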