Shopify / shopify-app-template-node

MIT License

Forbidden access to customer data in development #1190

Closed mdj-uk closed 1 year ago

mdj-uk commented 1 year ago

Issue summary

Trying to obtain a list of orders via the rest admin api from the starter app (CLI 3), I get an error saying that 'this app is not approved to access REST endpoints with protected customer data'.

I'm confused because according to the documentation I should be allowed to do this in development without the app being reviewed. And I can't reasonably ask for a review when I've only written a handful of lines of code.

The app is connected to a development store and is being run in dev mode (npm run dev).

Expected behavior

App should receive response with order data if run on a development store.

Actual behavior

2022-12-07 12:12:20 | backend  | HttpResponseError: Received an error response (403 Forbidden) from Shopify:
2022-12-07 12:12:20 | backend  | "[API] This app is not approved to access REST endpoints with protected customer data. See 
                                 https://partners.shopify.com/1956948/apps/6476815/customer_data for more details."
2022-12-07 12:12:20 | backend  | If you report this error, please include this id: 01142bc8-868b-470e-898a-0e92fb74f39e

Clicking the link I see this

image

Steps to reproduce the problem

  1. Set up new starter app as per the instructions https://github.com/Shopify/shopify-app-template-node/tree/cli_three
  2. Access rest admin api from backend by adding this to web/index.js:
    app.get("/api/orders", async (_req, res) => {
      const ordersData = await shopify.api.rest.Order.all({
        session: res.locals.shopify.session,
        status: "any",
      });
      res.status(200).send(ordersData);
    });
  3. Connect frontend to backend by adding this to web/frontend/pages/pagename.jsx
    const {
      data,
      refetch: refetchOrders,
      isLoading: isLoadingCount,
      isRefetching: isRefetchingCount,
    } = useAppQuery({
      url: "/api/orders",
      reactQueryOptions: {
        onSuccess: () => {
          setIsLoading(false);
        },
      },
    });
  4. Run on dev store with npm run dev and navigate to pagename route

Reduced test case

Can provide if necessary.

Specifications

paulomarg commented 1 year ago

Hi, thanks for reporting this!

As you pointed out, the API won't return protected customer information initially, so you'll need to request access to that data, as per the docs.

While in development, you still need to configure your app to receive the data, but it won't require any approvals from Shopify. You can do that by following the link in the log message, and that should unblock your calls!

Since this is working as intended, I'll close the issue, but please reopen it or report a new one if you're still having problems.
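
One way a backend route could handle the 403 shown in the log above, as an added example that is not part of the original thread or the template's own code: it keeps the full upstream message (which contains the partner dashboard URL) in server logs and sends the browser only a fixed error code. The `err.response.code` field and the names `classifyShopifyError`, `toClientError` and `safeRoute` are assumptions made for illustration; the sample error is constructed from the log text in this issue.

```javascript
// Added example. Assumed error shape: err.response.code holds the HTTP status
// and err.message holds the text seen in the log above.
const PROTECTED_DATA_MARKER =
  "not approved to access REST endpoints with protected customer data";

// Decide which kind of failure a rejected Shopify REST call represents.
function classifyShopifyError(err) {
  const status = err && err.response ? err.response.code : undefined;
  const message = String((err && err.message) || "");
  if (status === 403 && message.includes(PROTECTED_DATA_MARKER)) {
    return "protected_customer_data";
  }
  return status === 403 ? "forbidden" : "other";
}

// Build a response body that carries no upstream text and no dashboard URL.
function toClientError(err) {
  const kind = classifyShopifyError(err);
  if (kind === "protected_customer_data") {
    return { status: 403, body: { error: "protected_customer_data_access_not_configured" } };
  }
  if (kind === "forbidden") return { status: 403, body: { error: "forbidden" } };
  return { status: 502, body: { error: "upstream_error" } };
}

// Wrap an async Express handler so a rejection becomes a sanitized response
// instead of an unhandled promise rejection.
function safeRoute(handler, log = console.error) {
  return async (req, res) => {
    try {
      await handler(req, res);
    } catch (err) {
      log(err && err.message); // full detail stays in the server log
      const { status, body } = toClientError(err);
      res.status(status).send(body);
    }
  };
}

// Constructed sample error mirroring the log (URL replaced by a placeholder).
const sampleError = Object.assign(
  new Error(
    'Received an error response (403 Forbidden) from Shopify:\n"[API] This app is ' +
      "not approved to access REST endpoints with protected customer data. See " +
      'https://partners.example/PLACEHOLDER for more details."'
  ),
  { response: { code: 403, statusText: "Forbidden" } }
);
```

With this in place the route from the reproduction steps would be registered as `app.get("/api/orders", safeRoute(async (_req, res) => { ... }))`.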

mdj-uk commented 1 year ago

Ah, my apologies, I must have misread that page on the partner dashboard - I didn't realise there was a distinction between filling out the form to request access to those fields, and submitting for review.

Thanks for the response.

punitOjha1729 commented 9 months ago

I try to save the details in the access form in Step 1,
but it throws a GraphQL error: invalid input

My access scopes include:

write_products read_assigned_fulfillment_orders write_assigned_fulfillment_orders read_customers read_fulfillments write_fulfillments read_locations read_merchant_managed_fulfillment_orders write_merchant_managed_fulfillment_orders read_orders write_orders read_shipping write_shipping read_third_party_fulfillment_orders write_third_party_fulfillment_orders unauthenticated_read_customers

It makes no sense why they won't automatically allow access for development stores