So after following several of Shopify's tutorials and docs, I'm trying to migrate my Shopify embedded app from cookie sessions to JWT using AppBridge 2.
I'm using AppBridge to set up:
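```js
import createApp from "@shopify/app-bridge";
import { getSessionToken } from "@shopify/app-bridge-utils";

// Initialise App Bridge for the embedded app
window.app = createApp({
  apiKey: data.apiKey,
  host: data.host,
  forceRedirect: true
});
```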
in my front-end JS code, which results in the sessionToken being attached to the window:
```js
window.sessionToken = await getSessionToken(app);
```
Up to here everything works fine: I can load my app in the iframe and we live in a happy world.
However, my Rails controllers (called through Ajax) are sending a 401 Unauthorized message, so apparently I'm authenticated on the front end but my silly RoR controllers are not aware of that.
Such controllers (as Shopify's documentation indicates) inherit from the authenticated_controller.rb file:
```ruby
class AuthenticatedController < ApplicationController
  include ShopifyApp::EnsureAuthenticatedLinks # only JWT
  include ShopifyApp::Authenticated
end
```
I see the class ShopifyApp::Authenticated (from the shopify_app gem) uses the library:
`/lib/shopify_app/controller_concerns/login_protection.rb#L100`
with the method:
```ruby
def jwt_shopify_domain
  request.env['jwt.shopify_domain']
end
```
So, does the JavaScript code in the front end:
```js
window.sessionToken = await getSessionToken(app)
```
set the value for 'jwt.shopify_domain' to be taken (read) by the backend code? Or where does the value for 'jwt.shopify_domain' come from?
Also, I noticed that the route:
```
auth_shopify_callback GET /auth/shopify/callback(.:format) shopify_app/callback#callback
```
still exists. How is this route related to AppBridge? Previously I used that route to manually set up the cookie session; should I still use it?
In summary: how does the Rails code on the backend "know" that AppBridge got a valid sessionToken in the front end?
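
The mechanism the question asks about, as an added example that is not part of the original post and not the shopify_app gem's own code: the value returned by `getSessionToken` has to be sent with each Ajax request as an `Authorization: Bearer` header, and server-side middleware verifies it before setting `request.env['jwt.shopify_domain']`. The sketch follows Shopify's documented session-token format (HS256 JWT signed with the app's API secret, `aud` = API key, `dest` = shop URL); the class name, helper names, and the key and secret values used with it are hypothetical.

```ruby
require "openssl"
require "json"
require "uri"

# Added sketch (hypothetical class): verify the App Bridge session token and only
# then expose the shop domain to controllers via env['jwt.shopify_domain'].
class SessionTokenMiddleware
  def initialize(app, api_key:, api_secret:, clock: -> { Time.now.to_i })
    @app, @api_key, @api_secret, @clock = app, api_key, api_secret, clock
  end

  def call(env)
    token = env["HTTP_AUTHORIZATION"].to_s[/\ABearer (\S+)\z/, 1]
    claims = token && verify(token)
    env["jwt.shopify_domain"] = URI(claims["dest"]).host if claims
    @app.call(env)
  end

  def verify(token)
    head, body, sig = token.split(".", -1)
    return nil unless sig && token.count(".") == 2
    return nil unless JSON.parse(b64d(head))["alg"] == "HS256" # reject "none" etc.
    expected = OpenSSL::HMAC.digest("SHA256", @api_secret, "#{head}.#{body}")
    return nil unless secure_eq?(b64d(sig), expected)
    claims = JSON.parse(b64d(body))
    return nil unless claims["aud"] == @api_key # token was minted for this app
    return nil unless (claims["nbf"].to_i...claims["exp"].to_i).cover?(@clock.call)
    return nil unless URI(claims["iss"]).host == URI(claims["dest"]).host
    claims
  rescue StandardError # malformed base64, JSON or URL: treat as unauthenticated
    nil
  end

  private
  def b64d(s) # strict base64url decode with padding restored
    (s + "=" * (-s.size % 4)).tr("-_", "+/").unpack1("m0")
  end
  def secure_eq?(a, b) # constant-time comparison of equal-length strings
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

# Constructed sample-token builder, for demonstration only.
def constructed_token(claims, secret, alg: "HS256")
  enc = ->(s) { [s].pack("m0").tr("+/", "-_").delete("=") }
  input = "#{enc.(JSON.generate({ alg: alg, typ: "JWT" }))}.#{enc.(JSON.generate(claims))}"
  "#{input}.#{enc.(OpenSSL::HMAC.digest("SHA256", secret, input))}"
end
```

A request that arrives without the header, or with a token that fails any of these checks, leaves `env['jwt.shopify_domain']` unset, which is the state in which the controllers answer 401.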