So because there are so many third-party packages used in the authentication, I am a little confused. When reading this tutorial here, https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react/embed-your-app-in-shopify, I see that the access token is taken out of the context session. Do I need to store this in a database because all future API calls to a particular store will require it?
This is an accepted solution.
Spot on!! You can. Assuming you are using the same database for multiple stores then you will need at least the shop domain stored in order to identify which store is making requests to your server.
You may need to store the access token with the store domain (perhaps in an accounts table) if you are going to make further calls to Shopify APIs on behalf of the store (for example, creating script tags needs the store access token for the X-Shopify-Access-Token header, or registering webhooks, etc.). You'll also need the store domain for some of these operations.
But remember that access tokens can also be refreshed. So if you do store them in the database there may be a reason to update them sometimes (this will go through the Shopify Authentication mechanism again and if you already have an account for a store you can simply update the access token you get from the session).
Thank you for the reply! So it seems like each time a session is created you get access to the access token anyway, so you only need to store it to be able to do things in between sessions? Or am I understanding you wrong? Also, apparently you should hash your access token. But if you hash it, then how can you send it with an API call? Thank you again!
You already know, but this is a nice article: http://gavinballard.com/shopify-oauth-flow-for-dummies/
Most people store the access token in the database as far as I can tell. I've tended to do this because once you identify the store in the database you can easily get the current token from there. Horses for courses, I guess.
I've seen some people encrypt the token in the database.
If you do decide to, don't hash. You need to be able to decrypt (i.e. use a secret with AES or something) to send the token to Shopify APIs. So a one-way hash won't work.
My personal feeling is that if someone has compromised your server / database then the access token is the least of your problems. I think the other levels of security that Shopify uses (HMAC, etc) will probably stop any mischievous behaviour even if the access token is known... I'm afraid I haven't debugged through it (perhaps I should)! I did read the docs, but I'm old and have forgotten :)
This is what I'm looking for: when Shopify sends a request to the call_back_url of carrier_service, I am wondering how can I get the store name? As I have the access token in the DB and I can only do this if I get the shop address, but the request I am getting on my call_back_url just has <origin>, <destination> and <items> data in it. I tried accessing it using $_GET and $_POST or even $_SERVER but no luck. Anybody please help. Thanks in advance.