As it now stands the tutorial for development with Node.js demonstrates the use of a Koa server to handle the OAuth flow for Shopify. I'm guessing this is the case for two primary reasons:
1. The tutorial was written prior to the release of Next.js API routes functionality.
2. The Koa helpers for verification and whatnot have yet to be ported to Next.js directly.
The second issue isn't a big deal. I'm totally fine following the other article on dealing with HMAC, nonces, etc. manually. However, I also read that some of the old packages have some security vulnerabilities. Is there a way to securely write the OAuth flow purely in Next.js API routes without the use of Koa which is more or less not necessary and only increases the bundle size?
Not sure you've seen since you asked but it seems to be possible... see this thread on github the comment from bluebeel 7 Dec 2020 points at a potential solution, that only lacks webhooks integration. https://github.com/Shopify/shopify-app-node/issues/96
Next.js API routes provide plenty of flexibility (vs custom server) and should be the way to go so yeh +1 to have Shopify upgrade / update their tutorials to integrate better with their recommended framework for developing Shopify apps.
Would love to hear more about it directly if there are plans for it from Shopify devs.