/turbolinks-jwt-sample-app

A sample app made to demo Shopify's Next-Gen Auth flow using Turbolinks

Primary LanguageRuby

App Bridge Authentication

A demo app created using Rails, App Bridge, and Turbolinks for the Shopify tutorial Authenticate server-side rendered apps with session tokens using App Bridge.

Quick start

To run this app locally, you can clone this repository and do the following.

  1. Create a .env file to specify this app's API key and API secret key app credentials that can be found in the Shopify Partners dashboard.
SHOPIFY_API_KEY=<The API key app credential specified in the Shopify Partners dashboard>
SHOPIFY_API_SECRET=<The API secret key app credential specified in the Shopify Partners dashboard>
APP_URL=<The app URL specified in the Shopify Partners dashboard>

Note: If you do not have an API key or an API secret key, see the following sections of the Build a Shopify App with Node and React guide.

Important: This guide names its API secret key environment variable SHOPIFY_API_SECRET_KEY rather than SHOPIFY_API_SECRET. The Shopify App gem uses the latter.

  1. Expose your dev environment
  2. Get a Shopify API Key and Shopify API secret key
  3. Add the Shopify API Key and Shopify API secret key
  1. Run the following to install the required dependencies.
$ bundle install
$ yarn install
$ rails db:migrate
  1. Ensure ngrok is running on port 3000.
$ ngrok http 3000

Note: This port number is arbitrary - you may choose to specify the port number you plan to listen to this app on.

  1. Run the following to start the app.
$ rails s
  1. Install and open this app on a shop. Requests to authenticated resources, like the ProductsController or the WidgetsController, should now be secured with an Authorization: Bearer <session token> header.

App dashboard

Above: A sample multi-paged app with an authenticated home page. It displays links to the protected Products and Widgets resources.

Authenticated app requests

Above: Requests made across multiple pages of the app are authenticated using JWTs.