Admin extensions preflight authentication #1420
Labels
good first issue
Good for newcomers
Comments
|
Hi, thanks for raising this. I think you're right, and we're not handling I'll add this to our tracking and we'll look into it! |
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue summary
According to the docs, I should be able to make authenticated api calls the extension (which runs in the frontend) to my app's backend (which runs on the same domain as app_url).
The app uses the Express.js template
I have an admin action extension that makes the following API call:
The route is guarded by the validateAuthenticatedSession middleware and allowed the cors configurations as the docs requires.
@shopify/*package and version: @shopify/shopify-app-express version 5.0.3Expected behavior
The fetch request should pass the authentication.
Actual behavior
The request's preflight redirects to /api/auth (meaning it didn't authenticated currectly) which fails because of cors (but would fail regardless)
This is the preflight
This is the "real" request which fails because of cors (due to the preflight failing). As you can see, the header is there, but it can't pass the validateAuthenticatedSession middleware
If I disable the middleware everything works but the fetch call must be authenticated so I can't allow it.
I reached out to the partners support and they contacted the team who confirmed that they can see the middleware throwing a 403 but can't tell why. They suggested to rebuild the logic with an Admin action extension as I did and showed here but it didn't solve the issue.
The text was updated successfully, but these errors were encountered: