I have initialized a Shopify Embedded App. How do I get data (for example the data accessed at /admin/orders.json)? Since I am already in the store’s domain at this point, can I call the URL directly, or do I need to make a call to my web server, which will in turn call the API? If I am meant to call my own server, how am I meant to handle security (i.e. how do I know that the request is legit)?
Thanks
2 Answers
You make calls using the API. If you don’t know how to make calls to a REST-ful API, rest assured there are several thousand web sites out there that explain it in more than enough detail.
If your App is based on Ruby or Python, there are tons of examples. Shopify even provides an excellent Rails App at their Github account showing exactly how to do it.
Other languages are also well supported, from PHP to Elixir. Spend a few minutes checking out samples and you’ll go far.
If you call the URL directly in your embedded app’s JavaScript then the request will be sent, but you won’t be able to read the response due to the lack of an Access-Control-Allow-Origin header in Shopify’s response. For example, in the Chrome console you’ll see an error like this:

This is the result of the same-origin policy, a security mechanism implemented in all major browsers.
So you first need to call your server and then make a call to the Shopify API.
You can ensure that the request from your app is legit by verifying the HMAC that Shopify appends as a query param.
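The HMAC check this answer describes, written out as an added example (not the answerer's code and not Shopify's own library): the server-side verification that a request arriving at your app really came from Shopify, following the documented procedure for the `hmac` query parameter. `APP_SECRET`, the `sign_query` helper and the sample shop name are constructed placeholders for running it offline.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder: a real app loads its shared secret from configuration.
APP_SECRET = "placeholder-app-secret"


def _escape(text: str, is_key: bool) -> str:
    # Shopify's documented escaping of '%', '&' (and '=' in keys) so the
    # rebuilt message cannot be made ambiguous by crafted parameter values.
    text = text.replace("%", "%25").replace("&", "%26")
    return text.replace("=", "%3D") if is_key else text


def canonical_message(query_string: str) -> str:
    """Rebuild the string Shopify signs: every parameter except `hmac`,
    sorted by key and joined as key=value pairs with '&'."""
    params = parse_qsl(query_string, keep_blank_values=True)
    pairs = sorted((k, v) for k, v in params if k != "hmac")
    return "&".join(f"{_escape(k, True)}={_escape(v, False)}" for k, v in pairs)


def compute_hmac(query_string: str, secret: str) -> str:
    message = canonical_message(query_string).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def request_is_from_shopify(query_string: str, secret: str) -> bool:
    """True only if the supplied hmac parameter matches the HMAC-SHA256 of the
    remaining parameters under the app's shared secret."""
    supplied = dict(parse_qsl(query_string, keep_blank_values=True)).get("hmac", "")
    expected = compute_hmac(query_string, secret)
    # Constant-time comparison: a plain == leaks how many leading characters
    # matched through response timing.
    return hmac.compare_digest(expected, supplied.lower())


def sign_query(params: dict, secret: str) -> str:
    """Demo helper: build a query string the way Shopify would, hmac included."""
    query = urlencode(params)
    return f"{query}&hmac={compute_hmac(query, secret)}"


if __name__ == "__main__":
    # Constructed sample request; no real shop, timestamp or authorization code.
    genuine = sign_query({"shop": "example.myshopify.com", "timestamp": "1337178173"}, APP_SECRET)
    tampered = genuine.replace("example.myshopify.com", "other-shop.myshopify.com")
    print(request_is_from_shopify(genuine, APP_SECRET))   # True
    print(request_is_from_shopify(tampered, APP_SECRET))  # False
```

Any parameter changed after signing, or a request with no `hmac` at all, fails the check; only the app's secret can produce a matching value.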