All embedded apps submitted for app review required to adopt session tokens

[hankmander]

This notification showed up in the Shopify Partner Dashboard a couple of days back. I love this project and I'm already building my next app using it as boilerplate but wonder if this new policy will be an issue? As far as I can see cookies are being used in at least one place.

[bluebeel]

It'll be a issue, they are deprecating the old cookie session method.
I'll update the repo in the coming weeks with the new update, if I don't receive by then a pr from a person ^^'

Most of the changement will be done in this repo: https://github.com/bluebeel/nextjs-shopify-auth

[hankmander]

That's great to hear! I'm unsure if I'll have time to look into it before you. I will notify you if I do however!

[Gbuomprisco]

Hi guys, are you currently working on it? I may also help if needed :)

[domsteil]

Also available to help on as well.

I am reading through https://shopify.dev/tutorials/authenticate-your-app-using-session-tokens and also https://shopify.dev/tutorials/get-session-tokens-using-app-bridge-utilities

[bluebeel]

Hello,
First of all, thank you for the enthusiasm you have.

As a first track I was thinking of starting again from the example offered by Shopify with Koa and "reverse engineer" the lib like the first time.
It has been updated and contains the new token authentication and the lib uses the new shopify node api.

After the question would be to know if we are still obliged to use SSR app or with the new mode of authentication, we could move towards full static app.

BTW there is an open discussion for an official example for nextjs with the new token Shopify/shopify-app-bridge#13

Otherwise @ctrlaltdylan did a great job creating a boilerplate example. You can start from this one.

[Gbuomprisco]

Thanks for the reply!

I gave it a go - it' been quite frustrating - especially as using ngrok takes 5 minute to see a change 😅

I took some inspiration from both this and the boilerplate above - the issue with that is that it's a basic implementation (for example, the nonce is not checked), but it's definitely a start

[bluebeel]

Thanks for the reply!

I gave it a go - it' been quite frustrating - especially as using ngrok takes 5 minute to see a change 😅

I took some inspiration from both this and the boilerplate above - the issue with that is that it's a basic implementation (for example, the nonce is not checked), but it's definitely a start

You can make a pr so we can see your work and maybe help you?

[ctrlaltdylan]

Thanks for the mention @bluebeel, right it's just a basic prototype. But nonce checking & tests are upcoming. I've been using the package in some form since October on a few production apps. Others as well.

In a perfect world, Shopify would release another version of their official tutorial & auth repos for Next without Koa.js. I've been talking with them on and off about making that switch. It's possible they might do something in the coming months, but not optimistic it will be anytime soon.

[chrisjoshuamartin]

Is this still an issue? Looking at this boilerplate as a starting point. Thanks!

[samuelmaker]

Would also love to know if this has been resolved