
Embedded apps that rely on 3rd party cookies are prohibited from the Shopify App Store

Open thuongmhh opened this issue 3 years ago • 6 comments

Shopify has sent emails asking me to update my app to implement session tokens to replace cookies. https://shopify.dev/apps/auth/oauth/session-tokens

I'm using the code copied from The Shopify Development Handbook. Could you please guide me on how to make the update?

thuongmhh avatar Aug 18 '22 12:08 thuongmhh

I haven't had one of these emails yet, but I was aware that Shopify is encouraging embedded app developers to move over to Session Tokens. I'm working on implementing them in the book right now but that update isn't finished yet. I'll throw together a small sample project this weekend and see if I can get you some sample code for this!

nozzlegear avatar Aug 18 '22 23:08 nozzlegear

Hey Joshua,

Any chance you have this done? Thank you!

gopi-hl avatar Nov 04 '22 06:11 gopi-hl

Hi. My app is not being approved as session token is not implemented. I checked the documentation for ShopifySharp and don't see anything with respect to session token. Is it implemented in ShopifySharp? Pasting the message I received from Shopify below. Are there others also facing this?

Embedded apps that rely on 3rd party cookies are prohibited from the Shopify App Store. Implement session tokens to embed your app.

KaustavDhamah avatar Feb 21 '23 07:02 KaustavDhamah

Hi guys, I have the same problem. I've been trying to implement something with Blazor Wasm and appbridge but no good results at the moment. This is the message I got from Shopify: "Your embedded app must use session tokens and not rely on 3rd party cookies to function properly. Your embedded app must not use local storage. Your app must function in incognito mode in Chrome."

Any update on this would be really appreciated.

giovanni-garcia avatar Nov 01 '23 17:11 giovanni-garcia

Oh I'm sorry, I forgot about this completely. Working with session tokens is fairly easy, but just to break it down: session tokens are created entirely on the frontend using Shopify's App Bridge js library. You then use the session token you've created and send it along in the auth header when making requests to your app (assuming a single page app scenario).

The session token is just a simple jwt issued by Shopify using your app's secret key, and you can validate it using built in Microsoft identity stuff, or third party jwt packages like jose-jwt.

I'll make sure I get a small sample application added to the repository as soon as I have time.

cc @laurabee530

nozzlegear avatar Nov 01 '23 19:11 nozzlegear
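The server-side check described in the last comment, as an added example that is not code from ShopifySharp or from anyone in this thread: it verifies the HMAC signature with the app secret using only the .NET base class library, then checks the claims. Assumptions: the HS256 algorithm and the `aud` (app API key), `dest` (shop URL), `nbf` and `exp` claim names follow Shopify's session token documentation linked above; `SessionToken`, `Validate`, and the sample key, secret and shop are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample token; a real one is issued via App Bridge and arrives in the auth header.
const string apiKey = "example-api-key", apiSecret = "example-api-secret";
var now = DateTimeOffset.UtcNow;
var claims = JsonSerializer.Serialize(new {
    dest = "https://example-shop.myshopify.com", aud = apiKey,
    nbf = now.ToUnixTimeSeconds(), exp = now.AddMinutes(1).ToUnixTimeSeconds() });
var signingInput = SessionToken.Enc(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"))
    + "." + SessionToken.Enc(Encoding.UTF8.GetBytes(claims));
using var signer = new HMACSHA256(Encoding.UTF8.GetBytes(apiSecret));
var token = signingInput + "." + SessionToken.Enc(signer.ComputeHash(Encoding.ASCII.GetBytes(signingInput)));

Console.WriteLine(SessionToken.Validate(token, apiKey, apiSecret, now) ?? "rejected");
Console.WriteLine(SessionToken.Validate(token, apiKey, "wrong-secret", now) ?? "rejected");
Console.WriteLine(SessionToken.Validate(token, apiKey, apiSecret, now.AddMinutes(5)) ?? "rejected");

public static class SessionToken
{
    // Returns the shop URL from the "dest" claim when the token is valid, otherwise null.
    public static string Validate(string token, string apiKey, string apiSecret, DateTimeOffset now)
    {
        try
        {
            var parts = token.Split('.');
            if (parts.Length != 3) return null;
            // Pin the algorithm so "none" or any unexpected alg is never accepted.
            using var header = JsonDocument.Parse(Dec(parts[0]));
            if (header.RootElement.GetProperty("alg").GetString() != "HS256") return null;
            // Recompute the HMAC over "header.payload" and compare in constant time.
            using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(apiSecret));
            var expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
            if (!CryptographicOperations.FixedTimeEquals(expected, Dec(parts[2]))) return null;
            // Trust the claims only after the signature has been verified.
            using var payload = JsonDocument.Parse(Dec(parts[1]));
            var c = payload.RootElement;
            if (c.GetProperty("aud").GetString() != apiKey) return null; // token minted for another app
            var t = now.ToUnixTimeSeconds();
            if (t < c.GetProperty("nbf").GetInt64() || t >= c.GetProperty("exp").GetInt64()) return null;
            return c.GetProperty("dest").GetString();
        }
        catch (Exception e) when (e is FormatException or JsonException or KeyNotFoundException
                                  or InvalidOperationException) { return null; } // malformed token
    }
    public static string Enc(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] Dec(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/') + new string('=', (4 - s.Length % 4) % 4));
}
```

In an ASP.NET app the same checks would run in middleware or an authorization filter on every request, with the shop identity taken from the verified `dest` claim rather than from a cookie.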