In the GET /shopify, we redirect the user to the Shopify authorization page. Since the main page app loads at /shopify, are we going to redirect the user to the authorization every time? Will the user be prompted for the authorization page only the first time? And if that happens, will the user be prompted for the OAuth page if a new scope is added?
After Shopify redirects the user to /shopify/callback, should we check the state cookie and also the hmac? And after that, should we verify whether we have already stored the access_token for that shop?
And also, how should we identify whether the request comes from an installation or from a simple click on our app? Just by checking if we have the access_token in the database? Else I don't know if I should redirect to https://shop/admin/apps or return the HTML.
I'm really confused about these steps.
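
The callback checks asked about above (state cookie and hmac, plus a shop hostname check), as an added example that is not part of the original post. It assumes Shopify's documented scheme of an HMAC-SHA256 hex digest over the sorted query parameters minus hmac, keyed with the app secret; the function names, secret and query string are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

# Assumption: shop hostnames always have the form <name>.myshopify.com.
SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com")


def _message(pairs):
    """Canonical signed string: every parameter except hmac, sorted."""
    out = []
    for key, value in pairs:
        if key == "hmac":
            continue
        # Escape the delimiters so a value cannot smuggle in extra pairs.
        key = key.replace("%", "%25").replace("&", "%26").replace("=", "%3D")
        value = value.replace("%", "%25").replace("&", "%26")
        out.append(f"{key}={value}")
    return "&".join(sorted(out))


def sign(query, secret):
    """Hex HMAC-SHA256 of the canonical message, keyed with the app secret."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return hmac.new(secret.encode(), _message(pairs).encode(), hashlib.sha256).hexdigest()


def verify_callback(query, state_cookie, secret):
    """Return (ok, reason) for the query string received on /shopify/callback."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    # 1. The state echoed back must equal the nonce stored in the cookie (CSRF check).
    state = params.get("state", "").encode()
    if not state_cookie or not hmac.compare_digest(state, state_cookie.encode()):
        return False, "state mismatch"
    # 2. Never act on a shop value that is not a Shopify hostname.
    if not SHOP_RE.fullmatch(params.get("shop", "")):
        return False, "invalid shop hostname"
    # 3. Constant-time comparison of the supplied hmac with the recomputed one.
    if not hmac.compare_digest(params.get("hmac", "").encode(), sign(query, secret).encode()):
        return False, "hmac mismatch"
    return True, "ok"


# Constructed sample input (not real credentials or a real shop).
SECRET = "constructed-app-secret"
BASE = "code=abc123&shop=example-store.myshopify.com&state=nonce-42&timestamp=1700000000"
GOOD = BASE + "&hmac=" + sign(BASE, SECRET)
```

Only after all three checks pass should the code parameter be exchanged for an access token.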