We have a customer-account.order-status.block.render extension that sends requests to our admin app. We would like to be able to determine if these requests come from an extension viewed by the customer or an admin user.
This is possible if the customer is logged in and we can just check the sessionToken sub, but if the user is in a pre_authenticated state this no longer works because both the customer and the admin user can arrive at the order-status page in a pre_authenticated state. I’ve looked into the available API but was unable to find anything.
Does anyone know a way to accomplish this, or would we just need to use the requireLogin API to force login so that we know who’s viewing the extension?
Hey,
You are correct that the customer id is not exposed in the pre_authenticated state and this is on purpose. There is no other way to obtain it in that state.
> determine if these requests come from an extension viewed by the customer or an admin user
What do you mean exactly by admin in this context? And how do you currently distinguish these two in the fully authenticated state?
Hey @Robin-Shopify,
> What do you mean exactly by admin in this context
By ‘admin’ I mean anyone who is not the customer that placed the order. Sometimes the store owner or staff of the store will go from the admin order page → More actions → ‘View order status page’ and we can’t tell the difference between that and a logged out customer routing to the order status page from email.
> how do you currently distinguish these two in the fully authenticated state?
Currently we don’t. We are still in the discovery phase of figuring out if and how we can do this. My plan for authenticated users was to just check the sessionToken sub (which appears to be the customer id for authenticated customers) with the order’s customer id. But even if we implemented this we would still be left in the dark for the pre_authenticated state.
I was hoping there was some easy way to do this like an admin flag that lets you know the user viewing the order-status page came from Shopify admin.
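The `sub` comparison described in the post above, sketched server-side as an added example that is not part of the original thread or anyone's production code. It assumes the session token is an HS256 JWT signed with the app's shared secret and that the order's customer id is stored in the same form as `sub`; the secret, ids, timestamps and the label names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Verify an HS256 session token; return its claims, or null if it cannot be trusted.
// Assumption: the token is a JWT signed with the app's shared secret.
function verifySessionToken(token, appSecret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm so "none" or a swapped algorithm is never accepted.
  if (!head || head.alg !== 'HS256' || !claims) return null;
  const expected = crypto.createHmac('sha256', appSecret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(signature, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims;
}

// Label one extension render for the log (label names are hypothetical).
function classifyRender(token, orderCustomerId, appSecret, nowSec) {
  const claims = verifySessionToken(token, appSecret, nowSec);
  if (!claims) return 'rejected'; // forged, malformed or expired token
  // No sub: pre_authenticated viewer, identity cannot be established.
  if (typeof claims.sub !== 'string' || claims.sub === '') return 'unverified_viewer';
  return claims.sub === orderCustomerId ? 'order_customer' : 'other_customer';
}

// Constructed sample data, so the example runs offline.
const SAMPLE_SECRET = 'constructed-app-secret';
const SAMPLE_ORDER_CUSTOMER = 'gid://shopify/Customer/1001';
const SAMPLE_NOW = 1700000000;

function signSample(claims, secret) {
  const h = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
  const p = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const s = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url');
  return `${h}.${p}.${s}`;
}

const loggedIn = signSample({ sub: SAMPLE_ORDER_CUSTOMER, exp: SAMPLE_NOW + 300 }, SAMPLE_SECRET);
console.log(classifyRender(loggedIn, SAMPLE_ORDER_CUSTOMER, SAMPLE_SECRET, SAMPLE_NOW));
```

Only `order_customer` rows carry a verified identity; `unverified_viewer` covers every pre_authenticated render, whether the viewer is a logged-out customer or someone who opened the page from the admin.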
I wonder what your use case is? The point of the “View order status page” admin feature is for merchant staff members to be able to see exactly what the customer sees, so explicitly distinguishing them would likely run counter to that.
Hey @Kenza_Iraki,
The use case is for tracking extension render logs and we wanted to be able to filter out admin renders. The use case for these logs is both helping support staff with troubleshooting as well as support evidence for chargebacks.