Description
Issue summary
According to the docs, I should be able to make authenticated API calls from the extension (which runs in the frontend) to my app's backend (which runs on the same domain as app_url).
The app uses the Express.js template.
I have an admin action extension that makes the following API call:
The route is guarded by the validateAuthenticatedSession middleware and allows the CORS configurations as the docs require.
- @shopify/* package and version: @shopify/shopify-app-express version 5.0.3
- Node version: 20.17.0
- Operating system: MacOS
Expected behavior
The fetch request should pass the authentication.
Actual behavior
The request's preflight redirects to /api/auth (meaning it didn't authenticate correctly), which fails because of CORS (but would fail regardless).
This is the preflight
This is the "real" request, which fails because of CORS (due to the preflight failing). As you can see, the header is there, but it can't pass the validateAuthenticatedSession middleware.
If I disable the middleware, everything works, but the fetch call must be authenticated, so I can't allow it.
I reached out to the partners support and they contacted the team, who confirmed that they can see the middleware throwing a 403 but can't tell why. They suggested rebuilding the logic with an Admin action extension, as I did and showed here, but it didn't solve the issue.
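
The preflight behaviour reported above, modelled as an added example that is not part of the original issue or of any Shopify package: a browser preflight (OPTIONS) carries no Authorization header, so a session guard that runs on it redirects to the auth route, while a CORS layer placed ahead of the guard answers the preflight and leaves the real request authenticated. The middleware names, the origin and the token check are assumptions standing in for the app's real CORS setup and for validateAuthenticatedSession.

```javascript
// Added example: framework-free model of an Express-style middleware chain.
// Every name here (corsLayer, sessionGuard, run) is hypothetical.
const ALLOWED_ORIGIN = "https://extensions.example"; // constructed value

// CORS layer: answers preflights itself and decorates other responses.
function corsLayer(req, res, next) {
  if (req.headers.origin !== ALLOWED_ORIGIN) return next();
  res.headers["access-control-allow-origin"] = ALLOWED_ORIGIN;
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    res.headers["access-control-allow-headers"] = "authorization, content-type";
    res.status = 204; // preflight ends here and never reaches the guard
    return;
  }
  next();
}

// Stand-in for a session guard: requires a bearer token, else redirects to auth.
function sessionGuard(req, res, next) {
  const auth = req.headers.authorization || "";
  if (auth.startsWith("Bearer ") && auth.length > 7) return next();
  res.status = 302;
  res.headers.location = "/api/auth";
}

function handler(req, res) { res.status = 200; res.body = "ok"; }

// Run the layers in order until one stops calling next().
function run(layers, req) {
  const res = { status: null, headers: {}, body: null };
  let i = 0;
  const next = () => { const layer = layers[i++]; if (layer) layer(req, res, next); };
  next();
  return res;
}

// Constructed requests: the preflight has no Authorization header by design.
const preflight = { method: "OPTIONS", headers: { origin: ALLOWED_ORIGIN,
  "access-control-request-method": "POST", "access-control-request-headers": "authorization" } };
const actual = { method: "POST",
  headers: { origin: ALLOWED_ORIGIN, authorization: "Bearer constructed.token" } };

const guardFirst = [sessionGuard, corsLayer, handler]; // guard sees the preflight
const corsFirst = [corsLayer, sessionGuard, handler];  // guard sees only real requests
console.log(run(guardFirst, preflight).status, run(corsFirst, preflight).status,
  run(corsFirst, actual).status);
```

With the CORS layer first, an unauthenticated non-preflight request is still redirected by the guard, so the route stays protected.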