Issue summary
session.create_permission_url() currently requires the scope param to be provided, but Shopify API docs specify that this should be omitted for managed installations where the scopes are defined in the app's TOML file.
Expected behavior
Function should create url with query params, with or without provided scopes.
Actual behavior
Function returns missing parameter scope upon execution if not provided.
Steps to reproduce the problem
- Create Public or Private Custom App with scopes defined in app's TOML
- Install app on development store using Shopify managed installation
- Call session.create_permission_url() with only redirect_uri and state
Reduced test case
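```python
import binascii
import os

import shopify

# redirect() is the web framework's redirect helper; its import is not shown in the report.
SHOP_URL = 'myshop'
API_VERSION = '2025-01'


def authenticate(request):
    redirect_uri = 'https://myapp.com/shopify/auth/finalize'
    state = binascii.b2a_hex(os.urandom(15)).decode("utf-8")
    _new_session = shopify.Session(SHOP_URL, API_VERSION)
    # Called with only redirect_uri and state (no scope): this is the failing call.
    auth_url = _new_session.create_permission_url(redirect_uri, state)
    return redirect(auth_url)
```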
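The expected behavior described in this issue, as an added example that is not part of the original report and is not ShopifyAPI's code: a stand-alone helper that leaves `scope` out of the query string when none is given, plus a check of the `state` value on the callback. The helper names, the client id placeholder and the sample scopes are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode


def new_state():
    """Unguessable per-request value that ties the OAuth callback to this session."""
    return secrets.token_hex(16)


def build_permission_url(shop_domain, client_id, redirect_uri, state, scope=None):
    """Build the authorize URL; `scope` is omitted entirely when not provided.

    Hypothetical helper, not ShopifyAPI's create_permission_url().
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scope:  # None or empty: managed installation, scopes live in the app's TOML
        params["scope"] = ",".join(scope)
    return "https://%s/admin/oauth/authorize?%s" % (shop_domain, urlencode(params))


def state_matches(expected, received):
    """Constant-time comparison of the stored state with the one on the callback."""
    return hmac.compare_digest(expected.encode(), (received or "").encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from a real app.
    state = new_state()
    print(build_permission_url("myshop.myshopify.com", "CLIENT_ID_PLACEHOLDER",
                               "https://myapp.com/shopify/auth/finalize", state))
    print(build_permission_url("myshop.myshopify.com", "CLIENT_ID_PLACEHOLDER",
                               "https://myapp.com/shopify/auth/finalize", state,
                               scope=["read_products", "write_orders"]))
```
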