Does Shopify have a method of authenticating requests to my PostgreSQL DB? I was given code for a Shopify embedded app built with Ruby on Rails (backend) and React.js with Polaris (front end), and I see that the front end makes requests to the backend without any headers or authorization.
Example:
    axios.get('/api/main/vendor')
      .then(response => {
        console.log(response)
      })
      .catch(error => {
        console.log(error)
      });
This seems to work and prints out the response from the backend.
However, when I run the server and make the GET request through Postman, passing in this URL:
https://<NGROK_URL>/api/main/vendor
I can see in my terminal that I get status 302 (redirected to login).
Processing by Api::MainController#vendor as JSON
Redirected to https://<NGROK_URL>/login
Completed 302 Found in 19ms (ActiveRecord: 0.0ms)
I’m wondering if there’s some sort of authentication that Shopify does when developing an embedded app that I’m unaware of. For example, does it implicitly pass in some token? If so, where can I find this? Sorry if this question sounds newbie, I’m pretty new to Shopify dev.
Shopify usually passes a hmac argument that needs to be validated in the backend.
This hmac includes mostly static information like your store name, timestamp, language etc... but the important part is that it is salted with the APP password.
You can read more about this here: https://help.shopify.com/en/api/getting-started/authentication/oauth#verification
This means that you can't make requests outside of Shopify.
and just to double check this isn't when I download shopify info using the shopify API? I'm referring to after I've downloaded this data and stored it in postgresql
@jim if you are trying to access the DB from the front-end to a Shopify app proxy page, it will pass these arguments. If you are trying to request the database inside the embedded app (the React front-end), all requests there have nothing to do with Shopify. So to sum it up, if you make a request to a proxy page via Shopify the arguments will be present; if you make a request inside your app no arguments will be passed.
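A sketch of the backend hmac validation the answer refers to, added here as an example; it is not code from the original thread or from the app in question. It follows the scheme in the linked verification doc (HMAC-SHA256 over the sorted query parameters minus hmac, keyed with the app secret). Assumptions: `DEMO_SECRET`, the sample shop and parameters are constructed, the 300-second freshness window is an added policy, and parameter values need no extra escaping.

```ruby
require 'openssl'
require 'uri'

# Constructed demo value; a real app loads its own API secret from config/ENV.
DEMO_SECRET = 'constructed-demo-secret'

# Rebuild the signed message: every parameter except hmac, sorted by key,
# joined as key=value pairs with "&".
def canonical_message(params)
  params.reject { |key, _| key == 'hmac' }
        .sort
        .map { |key, value| "#{key}=#{value}" }
        .join('&')
end

def expected_hmac(params, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical_message(params))
end

# Compare without short-circuiting so timing does not reveal a matching prefix.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# max_age is an added freshness policy (assumption), not taken from the thread.
def valid_shopify_request?(query_string, secret, now: Time.now.to_i, max_age: 300)
  params = URI.decode_www_form(query_string).to_h
  provided = params['hmac'].to_s
  return false if provided.empty?            # e.g. a bare request with no hmac
  return false unless secure_compare(expected_hmac(params, secret), provided)
  (now - params['timestamp'].to_i).abs <= max_age
end

# Constructed sample request, signed the way the sender would sign it.
SAMPLE = { 'shop' => 'example-store.myshopify.com',
           'timestamp' => '1700000000', 'locale' => 'en' }.freeze
SIGNED_QUERY = URI.encode_www_form(SAMPLE.merge('hmac' => expected_hmac(SAMPLE, DEMO_SECRET)))

if $PROGRAM_NAME == __FILE__
  puts valid_shopify_request?(SIGNED_QUERY, DEMO_SECRET, now: 1_700_000_060)
  puts valid_shopify_request?(SIGNED_QUERY.sub('example-store', 'other-store'),
                              DEMO_SECRET, now: 1_700_000_060)
end
```

In a Rails controller this check would sit in a `before_action` that rejects the request when it returns false.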