Shopify / shopify-app-js

MIT License

Admin extensions preflight authentication #1420

Open tamir-boaideas opened 2 weeks ago

tamir-boaideas commented 2 weeks ago

Issue summary

According to the docs, I should be able to make authenticated API calls from the extension (which runs in the frontend) to my app's backend (which runs on the same domain as app_url). The app uses the Express.js template.

I have an admin action extension that makes the following API call:

Image

The route is guarded by the validateAuthenticatedSession middleware and has the CORS configuration the docs require.

Image

Expected behavior

The fetch request should pass the authentication.

Actual behavior

The request's preflight redirects to /api/auth (meaning it didn't authenticate correctly), which fails because of CORS (but would fail regardless).

This is the preflight

Image

This is the "real" request, which fails because of CORS (due to the preflight failing). As you can see, the header is there, but it can't pass the validateAuthenticatedSession middleware.

Image

If I disable the middleware everything works, but the fetch call must be authenticated, so I can't allow that.

I reached out to Partners support and they contacted the team, who confirmed that they can see the middleware throwing a 403 but can't tell why. They suggested rebuilding the logic with an Admin action extension, as I did and showed here, but it didn't solve the issue.

paulomarg commented 2 weeks ago

Hi, thanks for raising this. I think you're right, and we're not handling OPTIONS requests properly in that package - we should just be setting the CORS headers and responding in that case, instead of trying to authenticate it.

I'll add this to our tracking and we'll look into it!
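The ordering problem described in this thread, as an added example that is not shopify-app-js code: a minimal Express-style middleware chain in which a session check placed before the preflight handler redirects every OPTIONS request (which carries no Authorization header) to /api/auth, and in which answering the preflight first, with CORS headers scoped to the allowed origin, lets the real authenticated request through while still rejecting unauthenticated ones. `ALLOWED_ORIGIN`, `runChain`, `requireSession` and `handlePreflight` are hypothetical stand-ins for the real app's configuration and middleware.

```javascript
// Added example, not from shopify-app-js. Plain Node, no Express dependency:
// a tiny (req, res, next) chain runner mimicking Express middleware order.
const ALLOWED_ORIGIN = 'https://admin.shopify.com'; // constructed placeholder

// Run middleware in order; stops as soon as one responds (does not call next).
function runChain(middlewares, req) {
  const res = { status: null, headers: {}, redirect: null };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return res;
}

// Stand-in for validateAuthenticatedSession: a browser preflight never
// carries Authorization, so if this runs on OPTIONS it can only fail.
function requireSession(req, res, next) {
  const auth = req.headers['authorization'] || '';
  if (!auth.startsWith('Bearer ')) {
    res.status = 302;           // the redirect to /api/auth seen in the issue
    res.redirect = '/api/auth';
    return;
  }
  next();
}

// Answer the preflight before any authentication: set CORS headers only for
// the allowed origin, and end the response on OPTIONS so auth is never tried.
function handlePreflight(req, res, next) {
  if (req.headers['origin'] === ALLOWED_ORIGIN) {
    res.headers['Access-Control-Allow-Origin'] = ALLOWED_ORIGIN;
    res.headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
    res.headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
  }
  if (req.method === 'OPTIONS') {
    res.status = 204; // preflight answered; chain stops here
    return;
  }
  next();
}

function handler(req, res) { res.status = 200; } // the protected route body

const preflight = { method: 'OPTIONS', headers: { origin: ALLOWED_ORIGIN } };
const buggy = runChain([requireSession, handler], preflight);                 // 302
const fixed = runChain([handlePreflight, requireSession, handler], preflight); // 204
module.exports = { runChain, requireSession, handlePreflight, handler, ALLOWED_ORIGIN, buggy, fixed };
```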