
GraphQL Proxy doesn't offer an option to use offline access token

Open gyotov opened this issue 3 years ago • 2 comments

Issue overview

I was previously working with the shopify-node-api library and I was struggling to use the graphqlProxy utility function with an offline access token (loadOfflineSession).

Suggestion

I suggest updating the graphqlProxy utility function to use either loadCurrentSession or loadOfflineSession to get the session:

const session = await loadCurrentSession(req, res)
await Shopify.Utils.graphqlProxy(session)

or

const session = await loadOfflineSession(shop)
await Shopify.Utils.graphqlProxy(session)

gyotov avatar Jun 01 '22 07:06 gyotov

You can create an offline client.

const session = await Shopify.Utils.loadCurrentSession(req, res, true/false); //true for online, false for offline.
const client = new Shopify.Clients.Graphql(session.shop, session.accessToken);

If you take a look at autofill, you'll see there's an optional bool value at the end to use said tokens.

export default function loadCurrentSession(request: http.IncomingMessage, response: http.ServerResponse, isOnline?: boolean): Promise<Session | undefined>;

kinngh avatar Jun 03 '22 10:06 kinngh

@paulomarg - is there a reason why only online sessions are acceptable in this function? Happy to do a quick PR for this otherwise.

bkspace avatar Jun 21 '22 12:06 bkspace

@kinngh

const session = await Shopify.Utils.loadCurrentSession(req, res, true/false); //true for online, false for offline.
const client = new Shopify.Clients.Graphql(session.shop, session.accessToken);

const session = Shopify.Utils.loadCurrentSession(req, res, false); //true for online, false for offline. ^

ReferenceError: req is not defined

Still I am not able to access the session. Here is my main issue: https://github.com/Shopify/shopify-api-node/issues/493

Sky-bits avatar Sep 14 '22 13:09 Sky-bits

Online tokens adopt user-based access permission scopes, which are used to determine if the proxied GraphQL request should be completed or not. Offline access tokens adopt the scopes of the app backend and thus, depending on those scopes, could expose stores using the app to detrimental GQL queries if allowed via the proxy.

Hence, use of offline access tokens is not allowed for the GraphQL proxy.

mkevinosullivan avatar Sep 20 '22 20:09 mkevinosullivan
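The maintainer's reasoning above (online tokens carry the logged-in user's scopes, offline tokens carry the app's own scopes, so an offline token behind a proxy would let any caller run whatever the app is allowed to run) can be shown with a small model. The block below is an added example and is not code from shopify-api-js: the session fields (shop, accessToken, isOnline, scope) mirror the library's Session object, but the guard, the scope table and the stub client are constructed for illustration, and the stub only models scope enforcement rather than calling Shopify.

```javascript
// Added example, not code from shopify-api-js. It models the policy stated in
// the thread: a GraphQL proxy may forward ONLINE sessions, whose scopes are
// bound to the logged-in user, and must refuse OFFLINE sessions, whose scopes
// are the app's own. Session fields (shop, accessToken, isOnline, scope)
// mirror the library's Session; everything else here is a constructed stub.

// Constructed helper: which scope each operation needs. Illustrative mapping,
// not Shopify's authoritative list.
const REQUIRED_SCOPE = {
  shopQuery: 'read_products',
  productDelete: 'write_products',
};

// Guard applied before anything is forwarded. Returns null when the session
// may be proxied, otherwise a short reason string. It keys on isOnline rather
// than on the scope string, because the scope string of an offline token
// describes the app, not the person making the request.
function proxyRejection(session) {
  if (!session || !session.accessToken) return 'no authenticated session';
  if (!session.isOnline) return 'offline sessions are not allowed through the proxy';
  return null;
}

// Constructed stand-in for Shopify.Clients.Graphql: no network I/O. It
// enforces scopes so the example shows the difference between a token whose
// scopes come from the user and one whose scopes come from the app.
function stubGraphqlClient(session) {
  const granted = new Set((session.scope || '').split(',').map((s) => s.trim()));
  return {
    query(operation) {
      const needed = REQUIRED_SCOPE[operation];
      if (needed === undefined) {
        return { data: null, errors: [{ message: `unknown operation ${operation}` }] };
      }
      if (!granted.has(needed)) {
        return { data: null, errors: [{ message: `Access denied for ${operation}: requires ${needed}` }] };
      }
      return { data: { [operation]: 'ok' }, errors: [] };
    },
  };
}

// The proxy: guard first, then forward with the caller's own session.
function graphqlProxy(session, operation, clientFactory = stubGraphqlClient) {
  const reason = proxyRejection(session);
  if (reason !== null) {
    return { status: 403, body: { errors: [{ message: reason }] } };
  }
  const client = clientFactory(session);
  return { status: 200, body: client.query(operation) };
}

// Constructed sessions: a staff user who may only read products, and the
// app's offline token, which may also write them.
const onlineStaffSession = {
  shop: 'example.myshopify.com',
  accessToken: 'online-token-constructed',
  isOnline: true,
  scope: 'read_products',
};
const offlineAppSession = {
  shop: 'example.myshopify.com',
  accessToken: 'offline-token-constructed',
  isOnline: false,
  scope: 'read_products,write_products',
};

// Three requests through the proxy: the user reads (allowed), the user tries
// to delete (forwarded, then refused upstream for lack of write_products), and
// the offline token tries to delete (never forwarded at all).
function demo() {
  return {
    staffRead: graphqlProxy(onlineStaffSession, 'shopQuery'),
    staffDelete: graphqlProxy(onlineStaffSession, 'productDelete'),
    offlineDelete: graphqlProxy(offlineAppSession, 'productDelete'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the guard is that the proxy never has to reason about scopes itself: it refuses offline sessions outright and lets the upstream API enforce the user's scopes on whatever it forwards. If the offline session were forwarded, the third request would succeed with the app's write_products scope regardless of who sent it.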