Hi, sorry for the late reply. Thank you all for your help. I tried to fix the problem without changing the old flow, but it seemed hopeless. So instead of using authenticate.admin in the auth.callback.jsx file, I manually requested the access token by following this document.
Here’s my current flow:
- Receive the /auth/callback request
- Validate that the nonce matches the state, and verify the HMAC and shop
- Exchange the authorization code for an access token
- Set two cookies in the response header: shopify_app_session and shopify_app_session.sig
- Return res.redirect with shop and host params
All the steps above follow the docs, except for step 4. It took me quite some time to realize that I needed to set those two cookies in the response header to complete the OAuth flow. I wasn’t sure how Shopify originally created shopify_app_session.sig, and had to do some guesswork to figure it out.
I think the documentation doesn’t mention that step because it assumes the reader is implementing the OAuth flow manually from start to finish—whereas in my case, I only implemented the /callback part manually.