Access token

Solved
mtalha
Tourist

So because there are so many third-party packages used in the authentication, I am a little confused. So when reading this tutorial here, https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react/embed-your-app-in-shopify, I see that the access token is taken out of the context session. Do I need to store this in a database because all future API calls to a particular store will require it?

GMKnight
Shopify Partner

This is an accepted solution.

Hi @mtalha

Spot on!! You can. Assuming you are using the same database for multiple stores, then you will need at least the shop domain stored in order to identify which store is making requests to your server.

You may need to store the access token with the store domain (perhaps in an accounts table) if you are going to make further calls to Shopify APIs on behalf of the store (for example, creating script tags needs the store access token for the X-Shopify-Access-Token header, or registering webhooks, etc.). You'll also need the store domain for some of these operations.

But remember that access tokens can also be refreshed. So if you do store them in the database there may be a reason to update them sometimes (this will go through the Shopify Authentication mechanism again and if you already have an account for a store you can simply update the access token you get from the session).

GMKnight.

Store owner and app developer. Canada.
mtalha
Tourist

Thank you for the reply! So it seems like each time a session is created you get access to the access token anyways so you only need to store it to be able to do things in between sessions? Or am I understanding you wrong? Also, apparently you should hash your access token. But if you hash it, then how can you send it with an API call? Thank you again!

GMKnight
Shopify Partner

Hi @mtalha

Sounds like you understand everything just fine. Best thing is just to debug through your code and see what it gives you and go from that.

GMKnight

Store owner and app developer. Canada.
GMKnight
Shopify Partner

@mtalha

You already know, but this is a nice article: http://gavinballard.com/shopify-oauth-flow-for-dummies/

Most people store the access token in the database as far as I can tell. I've tended to do this because once you identify the store in the database you can easily get the current token from there. Horses for courses I guess.

GMKnight.

Store owner and app developer. Canada.
mtalha
Tourist

Thank you for all the help I appreciate it! Do you hash the token? That's something I'm still a little confused about.

GMKnight
Shopify Partner

@mtalha

I've seen some people encrypt the token in the database.

Some don't.

If you do decide to, don't hash. You need to be able to decrypt (i.e. use a secret with AES or something) to send the token to Shopify APIs. So a one-way hash won't work.

My personal feeling is that if someone has compromised your server / database then the access token is the least of your problems. I think the other levels of security that Shopify uses (HMAC, etc) will probably stop any mischievous behaviour even if the access token is known... I'm afraid I haven't debugged through it (perhaps I should)! I did read the docs, but I'm old and have forgotten :)

GMKnight.

Store owner and app developer. Canada.
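
The approach discussed in this thread (reversible encryption rather than a hash, stored against the shop domain, overwritten when the shop re-authenticates), as an added example that is not part of any post here or of Shopify's own code. The function names, the in-memory `accounts` map standing in for an accounts table, and the shop and token values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Demo key only: in a real app load 32 random bytes from a secret store or
// environment variable kept outside the database that holds the tokens.
const KEY = crypto.randomBytes(32);

// Stand-in for the accounts table: shop domain -> sealed access token.
const accounts = new Map();

// Encrypt with AES-256-GCM. The shop domain is bound as associated data, so a
// ciphertext copied onto another shop's row will not decrypt.
function sealToken(shop, token, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(shop, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function openToken(shop, sealed, key = KEY) {
  const raw = Buffer.from(sealed, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(shop, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, shop domain, or ciphertext does not match.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Called after every completed OAuth flow; a re-auth overwrites the old token.
function saveToken(shop, token) {
  accounts.set(shop, sealToken(shop, token));
}

// Build the header for an API call made on behalf of a stored shop.
function headersFor(shop) {
  const sealed = accounts.get(shop);
  if (!sealed) throw new Error(`no token stored for ${shop}`);
  return { 'X-Shopify-Access-Token': openToken(shop, sealed) };
}

// Constructed sample values.
saveToken('example-shop.myshopify.com', 'constructed-token-1');
saveToken('example-shop.myshopify.com', 'constructed-token-2'); // re-auth
console.log(headersFor('example-shop.myshopify.com'));
```

A database dump alone then yields only ciphertext; the key has to be taken from wherever the application loads it.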
axelf
Tourist

@GMKnight if you store the access token in the database, you need the shop origin (or shop URL) in order to query the right record from the database. Do you get the shop name from the param in the source of the iframe or did you get it in another way?

Aqeel
Tourist

This is what I'm looking for: when Shopify sends a request to the call_back_url of carrier_service, I am wondering how I can get the store name? I have to access the token from the DB, and I can only do this if I get the shop address, but the request I am getting on my call_back_url just has <origin>, <destination> and <items> data in it. I tried accessing it using $_GET and $_POST or even $_SERVER, but no luck. Anybody, please help. Thanks in advance.

laiji
New Member

Hi, any update on this? How can I access the stored access token from the database using the store name? How do I get the store name for querying? Anyone, please assist with it.

@axelf @Aqeel @GMKnight 

Thanks
