How to create proper user identification using hashed values


I'm completely new to backend, sessions and cryptography, so I'm asking here what would be a proper way to identify users for an app.


When a merchant initially accesses the app, Shopify sends an HMAC validation to the app. When the Shopify authorization HMAC is validated, the app stores a 'shopname' cookie and sends the app page back as the response. The thing is, when the merchant follows other app routes there are no methods to validate that the merchant is actually who he/she is. The only information the app has at these routes is the 'shopname' cookie. I've come up with some random hash values to identify merchants. What I do is create an HMAC (as the 'app-token' cookie) from random values and store them and the date of creation in the DB under the 'shopname' value.


When a route gets a request, the app reads the 'shopname' and 'app-token' cookies and asks the DB for the stored values. Then it checks that no more than 1 day has passed since 'app-token' creation, creates an HMAC from these values and validates the 'app-token' cookie for equality. If more than 1 day has passed, the merchant is redirected to the Shopify HMAC authorization route and a new 'app-token' HMAC cookie is generated and stored in the DB (this is the only place where it is generated).


This is what 'app-token' looks like at the moment:

var crypto = require('crypto');

// First random value, hashed with MD5 and used as the HMAC key below
var random_num = Math.random().toString();
var auth_hash = crypto.createHash('md5').update(random_num).digest('base64');

// Second random value, HMAC-SHA256'd under auth_hash
var auth_hmac_random_num = Math.random().toString();
var auth_hmac = crypto.createHmac('sha256', auth_hash).update(auth_hmac_random_num).digest('hex');

// Third random value, MD5-hashed and prepended to the HMAC to form the cookie
var auth_hmac_concat_random_num = Math.random().toString();
var auth_hmac_concat = crypto.createHash('md5').update(auth_hmac_concat_random_num).digest('hex');

// Final 'app-token' cookie value: auth_hmac_concat followed by auth_hmac
auth_hmac = auth_hmac_concat + auth_hmac;

auth_hash, auth_hmac_random_num and auth_hmac_concat are stored in the DB under the 'shopname' value as JSON. On request verification, auth_hmac_concat is removed from the 'app-token' cookie, an HMAC is created from auth_hash and auth_hmac_random_num, and it is validated against 'app-token' with

crypto.timingSafeEqual(hmac, app_token)

Again, I'm completely new to backend, and I might be overcomplicating or oversimplifying things. The question is: what would be a proper way to identify merchants in the described circumstances? Hope I was clear enough.