Shopify / shopify-app-js

MIT License

Include session-token in app-proxy & webhook headers #1621

Open jonathanstanley opened 1 month ago

jonathanstanley commented 1 month ago

Overview/summary

Currently shopify sends session-token as part of the authorization header, or in the query search parameters: https://github.com/Shopify/shopify-app-js/blob/037e5d800fa04f56df704937f259cecbf6ae3760/packages/apps/shopify-api/docs/reference/auth/tokenExchange.md?plain=1#L28-L39

Those are used to obtain a valid session (ex: to perform shopify gql queries) via token-exchange. However, app proxy and webhooks do not provide a session-token to perform any Shopify queries. Instead, the keys are stored on outside databases: https://github.com/Shopify/shopify-app-js/blob/0c5501b9f8163272a84761e95cba76bf8af1807c/packages/apps/shopify-app-remix/src/server/authenticate/public/appProxy/authenticate.ts#L35

Also, app proxies have a contrived validation scheme (which itself caused other issues). It introduces a number of additional complications.

Enhancement

This would be much easier if app-proxy and webhooks included a session-token that could be exchanged for an access-token. Or, even better, a JWT / JWE, which would avoid the extra network calls altogether.

Additionally: Pick a header name that can be used consistently (ex: request.headers.shopify-session-token). This would be better than sometimes the authorization header, sometimes a query parameter, and sometimes a separate header.
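For readers unfamiliar with the app proxy validation scheme the issue refers to, the following is an added example (not code from the shopify-app-js project or from the issue author) showing how an app proxy request is checked today: the app rebuilds the signed message from the query string, HMACs it with the app's shared secret, and compares it against the `signature` parameter in constant time. `EXAMPLE_APP_SECRET` is a constructed placeholder, and the timestamp freshness window is an extra check added here for illustration rather than part of Shopify's documented scheme.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed placeholder secret for the example; a real app reads its
// API secret from configuration, never from source.
export const EXAMPLE_APP_SECRET = "example-app-secret-do-not-use";

// Build the message Shopify signs for an app proxy request: every query
// parameter except `signature`, sorted by key, each rendered as key=value
// (values of a repeated key joined with commas), concatenated with no separator.
export function appProxyMessage(params: URLSearchParams): string {
  const grouped = new Map<string, string[]>();
  params.forEach((value, key) => {
    if (key === "signature") return;
    const list = grouped.get(key) ?? [];
    list.push(value);
    grouped.set(key, list);
  });
  return Array.from(grouped.keys())
    .sort()
    .map((key) => `${key}=${grouped.get(key)!.join(",")}`)
    .join("");
}

// HMAC-SHA256 of the canonical message, hex encoded, as Shopify produces it.
export function signAppProxyQuery(params: URLSearchParams, secret: string): string {
  return createHmac("sha256", secret).update(appProxyMessage(params)).digest("hex");
}

export interface ProxyCheck {
  ok: boolean;
  reason?: string;
  shop?: string;
}

// Verify an incoming app proxy URL. `now` is injectable so the check is testable.
// The freshness window (maxSkewSeconds) is an assumption added in this example;
// Shopify's documented scheme only requires the signature comparison.
export function verifyAppProxyRequest(
  url: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
  maxSkewSeconds: number = 90,
): ProxyCheck {
  const params = new URL(url).searchParams;
  const signature = params.get("signature");
  if (!signature) return { ok: false, reason: "missing signature" };

  const expected = signAppProxyQuery(params, secret);
  const given = Buffer.from(signature, "utf8");
  const want = Buffer.from(expected, "utf8");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  if (given.length !== want.length || !timingSafeEqual(given, want)) {
    return { ok: false, reason: "bad signature" };
  }

  const ts = Number(params.get("timestamp"));
  if (!Number.isFinite(ts) || Math.abs(now - ts) > maxSkewSeconds) {
    return { ok: false, reason: "stale or missing timestamp" };
  }

  return { ok: true, shop: params.get("shop") ?? undefined };
}
```

Note that a passing check only proves the request carries a signature made with the app secret; it yields no session or access token, which is the gap the issue asks to close.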

byrichardpowell commented 1 month ago

Hey Jonathan 👋

Thanks so much for your detailed issue. I really appreciate that you highlighted not only a fix, but also the 2nd order effects and opportunities.

I agree there is an opportunity here. We are going to add this to our backlog and I'll be pushing for a change.