Spoofing Shopify's Login With Node.js

I recently was tasked with importing a large data set to Shopify: about 300,000 orders and 190,000 order comments. Since Shopify's API does not support creating order comments, I was forced to spoof a login and use the undocumented admin endpoints.

My first plan was to just log in to Shopify manually and steal the session ID and CSRF token from the browser, but I quickly realized I needed to log in as 17 different users so I could create comments under the right username.

Reverse Engineering Login

After inspecting the login request I found it was an x-www-form-urlencoded POST to /admin/auth/login with the following fields:

utf8:✓
authenticity_token:[authenticity_token]
redirect:
login:[email]
password:[password]
commit:Log in

So now we know what the request looks like; all we're missing is the authenticity_token, which can be found in a hidden input in the login form, named authenticity_token.

To make the login request I'm using an NPM module called request and to get the session token I'm using cheerio.

We don't need to worry about the redirect field as we just need the session ID in the cookie.
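
The three steps described above (read the hidden authenticity_token, build the form-encoded POST body, keep the session cookie) as an added sketch that is not the author's code. It uses only Node.js built-ins in place of request and cheerio so it runs offline; the sample HTML, token value, cookie name and credentials are constructed.

```javascript
// Constructed sample of a login page; only the hidden input matters here.
const SAMPLE_LOGIN_HTML = `
<form action="/admin/auth/login" method="post">
  <input name="utf8" type="hidden" value="&#x2713;">
  <input type="hidden" name="authenticity_token" value="CONSTRUCTED+token/123==">
  <input name="login" type="email">
  <input name="password" type="password">
</form>`;

// Return the value of the hidden authenticity_token input, whatever the attribute order.
function extractAuthenticityToken(html) {
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    for (const [, key, value] of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[key.toLowerCase()] = value;
    }
    if (attrs.name === 'authenticity_token' && attrs.value) return attrs.value;
  }
  throw new Error('authenticity_token not found: the form markup may have changed');
}

// Build the x-www-form-urlencoded body with the six fields from the captured request.
// URLSearchParams percent-encodes "+", "/" and "=" in the token; naive string
// concatenation would let the server decode "+" as a space and reject the token.
function buildLoginBody(token, email, password) {
  return new URLSearchParams({
    utf8: '\u2713',
    authenticity_token: token,
    redirect: '', // left empty: only the session cookie is needed
    login: email,
    password: password,
    commit: 'Log in',
  }).toString();
}

// Reduce Set-Cookie response headers to a Cookie request header value.
function sessionCookieHeader(setCookieHeaders) {
  return setCookieHeaders
    .map((line) => line.split(';')[0].trim())
    .filter((pair) => pair.includes('='))
    .join('; ');
}

console.log(buildLoginBody(extractAuthenticityToken(SAMPLE_LOGIN_HTML),
  'user@example.com', 'constructed-password'));
// "_example_session" is a placeholder name, not the real cookie name.
console.log(sessionCookieHeader(['_example_session=abc123; path=/; HttpOnly']));
```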