Hello, I am developing a embeded app with Admin UI extension.
I configured the application url to my backend server with a ngrok domain (https://xxxx.ngrok-free.app).
I followed the doc to make fetch calls to my backend api on the same ngrok domain. I both tried full url and relative path to the target api.
const headers = new Headers({ “ngrok-skip-browser-warning”: “69420” });
It was quite strange that I could not see any request sent out the the target on chrome devtool.
But when I modified the domain name to a different one with the configuration’s, I could see the request was sent out with a CORS error on chrome devtool.
Is there anyone who can help me solve this problem?
Use the following code I can see the request was sent out with a CORS error on chrome devtool.
const headers = new Headers({ “ngrok-skip-browser-warning”: “69420” });
CORS is a security feature to prevent cross origin requests, meaning the JavaScript on the domain (in this case *.shopify.com since it’s coming from an Admin Extension) doesn’t match your own API’s domain.
You’ll need to configure your server’s application code to accept requests from *.shopify.com in order to allow browser side API requests from the Shopify domain.
This is a security feature built into browsers. You’ll see an OPTIONS request that’s failing in the browser’s network tab. That’s the CORS request checking to see if your API accepts CORS requests from the current domain.
There’s middleware packages for pretty much every framework out there that help you configure CORS. Could you share more about your API’s stack? Is it Node.js? Ruby on Rails?
But I can not see any request sent out to the target in chrome devtool. (for both using full path or relative path)
I changed to another domain is for trouble shooting to verify if the fetch works in the extension.
So my current situation is that the fetch calls to the api in the same domain with application url can not be sent out, however, the calls to a different domain can be sent out with CORS error. But I would like to use the same domain to my app backend as the docs says.
I use the default setting to create the App and Extension,
Here are the steps:
Yes, Shopify’s fetch modifications will allow you to send the auth token with the request automatically, it will even include the host name for you for relative pathing.
But it does not and cannot handle CORS configuration for you.
CORS configuration != Authentication with session tokens.
Potentially you have a filter on the Network tab in your browser’s Network dev tools that’s only including GET/POST requests. This request is an OPTIONS request that is failing.
Feel free to share your backend framework & language for specific middleware examples on how to configure CORS. It’s a minor fix but yes, it’ll block you from making requests without proper set up.
I used java springboot + vue, running on tomcat and nodejs. I have a proxy setting for path /backendApi and set changeOrigin as true, just like the following.
‘/backendApi’: {
target: ‘http://localhost:8443’,
changeOrigin: true,
xfwd: true,
}
I also used a filter in java side which allows CORS.
corsConfiguration.addAllowedOrigin(““);
corsConfiguration.addAllowedHeader(””);
corsConfiguration.addAllowedMethod(“*”);
And I also used ngrok to expose my backend service could be accessed from the internet.
Thanks for clarify that the OPTIONS request is excluded by the dev tools.
But it is really strange that if I configure the application url to a different one (no matter what it is, just a fake url),
I can make the call correctly to my backend service with the following code.
Perhaps Ngrok is modifying CORS on your behalf, and when you use your production version the application isn’t setting the correct CORS headers?
You can double check by viewing only OPTIONS requests in your dev tools and see the response from your server. If OPTIONS request fails and the CORS policy is rejecting the *.shopify.com domain, then most likely the configuration of your backend service is the problem.
I suspect your proxy is most likely the issue. The proxy might be modifying the CORS headers after the Java application is setting them.
I think it seems like something is wrong with the configuration for the remix template.
As the doc says, when making fetch() requests to the app’s configured auth domain (app_url), it will add shopify ID token automatically. Therefore, there should be an interceptor to deal with this, including resolving the relative URLs and adding ID token.
If I am not using the domain in the app_url, it will bypass this part, then the fetch requests can be sent out. (I can see both OPTIONS and POST request in the backend)
If I use the domain in the app_url or relative path, the interceptor will start to work, but fails (maybe due to my configuration), then it stops to send the request out.
However, the doc is pretty simple, I am not sure if there is something I missed.
I suspect the remix template also fails to get ID token when it finds the api target is in the same domain with the app url and trys to add ID token headers.
@Allan_Zhang We’re encountering the same CORS issue and have been troubleshooting it for two days without success. We’ve followed the documentation meticulously, tested various CORS headers, but nothing seems to work.
Which language did you use to rebuild your extension? Was it JavaScript (React/Vanilla) or TypeScript (React/Vanilla)?
