Shopify / shopify-app-js

MIT License

403 Forbidden SSL required from standard config in express library docs #711

Open eatoncw opened 5 months ago

eatoncw commented 5 months ago

Issue summary

The @shopify/shopify-app-express documentation contains a configuration that causes a REST resources error of 403 Forbidden SSL required.

I spent some time debugging this after I updated shopify-app-js and packages across my app.

The page in question: https://github.com/Shopify/shopify-app-js/blob/main/packages/shopify-app-express/docs/reference/shopifyApp.md

The config in question:

const shopify = shopifyApp({
  api: {
    apiKey: 'ApiKeyFromPartnersDashboard',
    apiSecretKey: 'ApiSecretKeyFromPartnersDashboard',
    scopes: ['your_scopes'],
    hostScheme: 'http',
    hostName: `localhost:${PORT}`,
    billing: {
      'My plan': {
        amount: 10,
        currencyCode: 'USD',
        interval: BillingInterval.Every30Days,
      },
    },
  },
  auth: {
    path: '/auth',
    callbackPath: '/auth/callback',
  },
  webhooks: {
    path: '/webhooks',
  },
});

// The paths to these routes must match the configured values above
app.get(shopify.config.auth.path, shopify.auth.begin());
app.get(
  shopify.config.auth.callbackPath,
  shopify.auth.callback(),
  shopify.redirectToShopifyOrAppRoot(),
);
app.post(
  shopify.config.webhooks.path,
  shopify.processWebhooks({webhookHandlers}),
);

Changing the host scheme to 'https' fixed this problem. Maybe put something in the docs about this or update the sample config on this page.

lizkenyon commented 5 months ago

Thanks for flagging! We will get those docs updated!

github-actions[bot] commented 3 months ago

We're labeling this issue as stale because there hasn't been any activity on it for 60 days. While the issue will stay open and we hope to resolve it, this helps us prioritize community requests.

You can add a comment to remove the label if it's still relevant, and we can re-evaluate it.

andershagbard commented 1 month ago

@lizkenyon This still seems to happen. Why would the API ever send requests to the http version of the API?

For context, I use an external service, which boots up in the same repo, and runs some code. It doesn't necessarily get the same .env variables. If "appUrl" is set to an http path, it will fail.
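
A fail-fast startup check for the failure described in this thread, as an added example that is not part of the issue or of shopify-app-js: it derives `hostScheme` and `hostName` from a single app URL and rejects anything other than https, so a process started with a missing or http URL stops before it makes a request. The function name `hostConfigFromAppUrl` and the sample URLs are assumptions.

```javascript
// Added example; not code from shopify-app-js.
// hostConfigFromAppUrl is a hypothetical helper name.

// Derive hostScheme/hostName for the `api` block of shopifyApp() from one
// app URL, refusing any value that would leave hostScheme as 'http'.
function hostConfigFromAppUrl(appUrl) {
  if (typeof appUrl !== 'string' || appUrl.trim() === '') {
    // Typical when a second process does not receive the same .env values.
    throw new Error('app URL is missing; refusing to guess a scheme');
  }
  let url;
  try {
    url = new URL(appUrl.trim());
  } catch {
    throw new Error(`app URL is not an absolute URL: ${appUrl}`);
  }
  if (url.protocol !== 'https:') {
    throw new Error(`app URL must use https, got "${url.protocol}"`);
  }
  if (url.username || url.password) {
    throw new Error('app URL must not embed credentials');
  }
  // url.host keeps a non-default port, e.g. "localhost:3000".
  return {hostScheme: 'https', hostName: url.host};
}

// Constructed sample values, not real deployment URLs.
const samples = [
  'https://my-app.example.com',
  'https://localhost:3000/',
  'http://localhost:3000',
  'localhost:3000',
  undefined,
];
for (const sample of samples) {
  try {
    console.log(sample, '->', hostConfigFromAppUrl(sample));
  } catch (err) {
    console.log(sample, '-> rejected:', err.message);
  }
}
```

The returned object can be spread into the `api` section of the configuration shown in the issue in place of the literal `hostScheme` and `hostName` values.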