How are Shopify access token scopes tied to user permissions?

I'm building a Shopify app in Node.js, and I can't find any resources on how users with different permissions interact with my app. For example, suppose my app has been granted the read_products and write_products scopes, but the user only has the read_products permission. In that case, can he use the app? How do I get the user's scopes, and, more importantly, is there any way to test this scenario?

Shopify explains this in detail in the Authentication section of the docs. Authenticated access comes in two modes: online and offline.

What you need is online access. From the Shopify Docs:

Tokens with online access mode are linked to an individual user on a store, where the access token's lifespan matches the lifespan of the user's web session. This type of access mode is meant to be used when a user is interacting with your app through the web, or when an app must respect an individual user's permission level.

A few notable differences compared with offline (the default) access are:

  • This access mode must be explicitly requested in the authorization phase.
  • An API request made using an online mode access token is guaranteed to respect the user's individual permissions. Shopify returns a 403 Forbidden status code when the access token is valid but the user does not have access.
  • The app can inspect scope and associated_user_scope to determine if a user is lacking certain permissions.
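As an added example (not code from the original question or answer), here is how the answer's two points look in a Node.js app: requesting online access mode in the authorize URL via `grant_options[]=per-user`, and comparing `scope` with `associated_user_scope` from the token exchange response so the app can tell, before issuing a call that would come back 403, which of its own scopes the current user lacks. The shop, API key and token values are constructed placeholders; the expansion of a `write_` scope into the matching `read_` scope follows Shopify's rule that write access implies read access.

```javascript
// Added example, not from the original post. Assumes Node.js 18+ (global URL).

// Build the OAuth authorize URL. Online access mode must be requested
// explicitly with grant_options[]=per-user; without it Shopify issues an
// offline token that carries no per-user permission information.
function buildOnlineAuthorizeUrl({ shop, apiKey, scopes, redirectUri, state }) {
  const url = new URL(`https://${shop}/admin/oauth/authorize`);
  url.searchParams.set("client_id", apiKey);
  url.searchParams.set("scope", scopes.join(","));
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state); // nonce you verify on the callback
  url.searchParams.append("grant_options[]", "per-user");
  return url.toString();
}

// Shopify returns scopes as a comma-separated string. A write_ scope also
// grants the matching read_ scope, so expand it before comparing sets.
function expandScopes(scopeString) {
  const out = new Set();
  for (const raw of (scopeString || "").split(",")) {
    const s = raw.trim();
    if (!s) continue;
    out.add(s);
    if (s.startsWith("write_")) out.add("read_" + s.slice("write_".length));
  }
  return out;
}

// Scopes the app holds (token.scope) that this user does not
// (token.associated_user_scope). A non-empty result means API calls needing
// those scopes will fail with 403 for this user even though the token is valid.
function missingUserScopes(token) {
  if (token.associated_user_scope === undefined) {
    throw new Error("not an online-mode token: associated_user_scope is absent");
  }
  const app = expandScopes(token.scope);
  const user = expandScopes(token.associated_user_scope);
  return [...app].filter((s) => !user.has(s)).sort();
}

// Check a single scope for the current user.
function userCan(token, scope) {
  return expandScopes(token.associated_user_scope).has(scope);
}

// Gate a call up front instead of waiting for Shopify's 403.
function assertUserCan(token, scope) {
  if (!userCan(token, scope)) {
    throw new Error(`user ${token.associated_user?.id ?? "?"} lacks ${scope}`);
  }
}

// Constructed sample: the shape of an online-mode token exchange response.
// Field names follow the OAuth token exchange; the values are made up.
const SAMPLE_ONLINE_TOKEN = {
  access_token: "example-online-token",
  scope: "read_products,write_products,read_orders",
  expires_in: 86399,
  associated_user_scope: "read_products",
  associated_user: { id: 902541635, email: "staff@example.com", account_owner: false },
};

// Demo when run directly: this staff member can read products but not write
// them or read orders.
console.log(
  buildOnlineAuthorizeUrl({
    shop: "example.myshopify.com",
    apiKey: "placeholder-api-key",
    scopes: ["read_products", "write_products", "read_orders"],
    redirectUri: "https://app.example.com/auth/callback",
    state: "random-nonce",
  })
);
console.log("missing for this user:", missingUserScopes(SAMPLE_ONLINE_TOKEN));
try {
  assertUserCan(SAMPLE_ONLINE_TOKEN, "write_products");
} catch (e) {
  console.log("blocked before the API call:", e.message);
}
```

To test the scenario from the question, log into the development store as a staff account with restricted permissions and complete the online OAuth flow as that user; the `associated_user_scope` in the token response will be narrower than `scope`, and calls that need the missing scopes return 403.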