If I understand correctly, both of the actions mentioned in this post's title would make a request to the URL specified as the App URL on the App setup page. In that case, how may I differentiate when a user wants to install my App vs. when they are accessing an already installed App?
I'll redirect the user to the OAuth page if they have clicked the Add App page but will show normal App functionalities otherwise. What is the strategy for this?
The link in both cases is identical (your app URL onto which Shopify appends hmac, timestamp and shop parameters) which you probably gathered, so you have to write your own logic. What I do in my case is for every request to my app, I check with my own server to confirm if I have a valid access_token and billing charge ID for that shop. If so, they can enter my app and if not, route them accordingly (surface OAuth permission URL or the billing page, for example).
I believe if you use Shopify's ruby or nodejs library, all of this is handled for you (?)
Unfortunately, I am serving the app from an existing Laravel project. So, I am handling all the flows manually.
I can check for valid access_token to redirect to either the App or OAuth screen. But then I have to listen to the uninstallation webhook to remove that shop's info from my DB. This does not seem like an ideal solution to me and I was looking for something better.
Listening to the uninstall webhook is generally your best option, but if you're using offline access tokens you could always make a request to the "shop" endpoint from your backend to see if you still have access. If you do, you don't need to send the user back through auth. If you don't have access, then Auth. It's generally slower, because you need to wait for the roundtrip journey of an API request, but it means you don't need to listen to webhooks as diligently.
I also answered this question live on stream!
Now that I thought about it again, I don't think this approach will pass the automated checks in Shopify review. An example would be when a user is trying to reinstall the app. My app would not show the OAuth screen in this case as it already has an access_token. The user would be taken directly to the App screen in their shop's Admin Panel. This will get rejected by the App Scanner.
I have already got multiple rejections citing the reason that my app is not showing the OAuth screen as the first step. Using the "access_token" approach, how can I avoid this problem?
@Shayne already said this in this thread but if a user uninstalls your app, their access token becomes invalid. The correct step is to hit the shop endpoint each time they come to your app to confirm the access token is working.
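The routing described in this thread, as an added example that is not part of any post above and is not Shopify's library code: verify the `hmac` before trusting the `shop` parameter, then decide between app, billing and OAuth by probing the shop endpoint with the stored token. The store schema, the injected `probe` callable, the sample shops and the 401 returned for a revoked token are assumptions made so the sketch runs offline.

```ruby
require 'openssl'

SHOP_RE = /\A[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com\z/

# Constant-time comparison so the HMAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Message format for the query params appended to the app URL: drop "hmac",
# sort the rest by key, join as k=v&..., then HMAC-SHA256 (hex) with the secret.
def sign_params(params, secret)
  msg = params.reject { |k, _| k == 'hmac' }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  OpenSSL::HMAC.hexdigest('SHA256', secret, msg)
end

def valid_request?(params, secret)
  SHOP_RE.match?(params['shop'].to_s) &&
    secure_equal?(sign_params(params, secret), params['hmac'].to_s)
end

# Decide where to send the visitor. `store` maps shop => {token:, charge_id:}
# (hypothetical schema). `probe` is a callable returning the HTTP status of
# GET https://<shop>/admin/api/<version>/shop.json sent with the
# X-Shopify-Access-Token header; it is injected so this runs offline.
def route(params, secret, store, probe)
  return :reject unless valid_request?(params, secret)
  rec = store[params['shop']]
  return :oauth if rec.nil?                      # never installed
  unless probe.call(params['shop'], rec[:token]) == 200
    store.delete(params['shop'])                 # stale token: forget it
    return :oauth                                # uninstalled or reinstalling
  end
  rec[:charge_id] ? :app : :billing
end

# Constructed sample data (not real credentials).
SECRET = 'constructed-app-secret'
def signed(shop)
  q = { 'shop' => shop, 'timestamp' => '1700000000' }
  q.merge('hmac' => sign_params(q, SECRET))
end
STORE = {
  'active.myshopify.com' => { token: 'tok-live', charge_id: 42 },
  'gone.myshopify.com'   => { token: 'tok-revoked', charge_id: 7 }
}
PROBE = ->(_shop, token) { token == 'tok-live' ? 200 : 401 }
```

Checking the `shop` value against the `myshopify.com` pattern before the probe keeps the backend from sending a stored token to an arbitrary host named in the query string.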