I am trying to do a similar thing to save additional order information in my app and make it available in the order status page via the app proxy.
I have to say the interaction between the order_status_url, its authenticate key, and the checkout token are not completely clear. I have found a couple of other posts around this subject:
These do not completely clarify things. And it seems that the order_status page can be accessed by adding the checkout token to the canonical url, which actually strikes me as a bit odd, when the order_status_url itself includes an authenticate key.
I am sure there must be a lot of apps that provide additional status information back to the order_status page. I would find it really helpful if someone could suggest the best practice for validating that the correct order is being accessed.
So for my purposes, I am going with sending cart token and order id parameters in the fetch request:
On the server side, an API call to get the order by id can then use the checkout token to confirm that the order id is valid for that page, and hence respond with the additional order information or carry out the order update as appropriate.
I would be very grateful if anyone can confirm whether this approach is OK or whether it is open to being abused in some way I have not considered.
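One way to implement the server-side check described in the post, as an added example that is not part of the original post or of any Shopify library: first verify that the request really came through the app proxy, then confirm that the order's checkout token matches the one the page supplied. The signature verification follows Shopify's documented app-proxy rule (drop `signature`, sort the remaining query parameters, join them as `key=value` with no separator, HMAC-SHA256 with the app's shared secret, hex-encode). The `APP_SECRET` value, the `ORDERS` dictionary standing in for the "get the order by id" API call, and the `order_id` / `checkout_token` parameter names are constructed assumptions for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# HYPOTHETICAL app secret; a real app reads it from configuration.
APP_SECRET = "example-app-secret-not-real"

# Constructed stand-in for the "get the order by id" API call in the post.
ORDERS = {
    "1001": {"id": "1001", "checkout_token": "ctok_abc123", "status": "fulfilled"},
    "1002": {"id": "1002", "checkout_token": "ctok_def456", "status": "unfulfilled"},
}


def _canonical_message(params):
    # Shopify app-proxy rule: drop "signature", sort the rest, and join as
    # key=value (array values comma-joined) with no separator between pairs.
    parts = []
    for key in sorted(params):
        if key == "signature":
            continue
        value = params[key]
        if isinstance(value, list):
            value = ",".join(value)
        parts.append(f"{key}={value}")
    return "".join(parts)


def sign_params(params, secret=APP_SECRET):
    # HMAC-SHA256 over the canonical message, hex-encoded, as Shopify does.
    msg = _canonical_message(params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_signed_query(params, secret=APP_SECRET):
    # Used here only to construct test requests the way the proxy would.
    signed = dict(params, signature=sign_params(params, secret))
    return urlencode(signed)


def verify_app_proxy_signature(query_string, secret=APP_SECRET):
    # Returns the parsed parameters if the signature is valid, else None.
    raw = parse_qs(query_string, keep_blank_values=True)
    params = {k: (v if len(v) > 1 else v[0]) for k, v in raw.items()}
    provided = params.get("signature")
    if not isinstance(provided, str):
        return None
    expected = sign_params(params, secret)
    # Constant-time comparison so the check leaks nothing about the digest.
    if not hmac.compare_digest(expected, provided):
        return None
    return params


def authorize_order_request(query_string, secret=APP_SECRET, orders=ORDERS):
    # The check from the post: the order id named in the request must carry
    # the checkout token the page supplied; otherwise refuse to answer.
    params = verify_app_proxy_signature(query_string, secret)
    if params is None:
        return None
    order_id = params.get("order_id")
    token = params.get("checkout_token")
    if not isinstance(order_id, str) or not isinstance(token, str):
        return None
    order = orders.get(order_id)
    if order is None:
        return None
    if not hmac.compare_digest(order["checkout_token"], token):
        return None
    return order


if __name__ == "__main__":
    good = build_signed_query({
        "shop": "example.myshopify.com",
        "path_prefix": "/apps/orderinfo",
        "timestamp": "1700000000",
        "order_id": "1001",
        "checkout_token": "ctok_abc123",
    })
    print(authorize_order_request(good))
    # A request whose order_id was changed after signing fails the signature.
    print(authorize_order_request(good.replace("order_id=1001", "order_id=1002")))
```

The signature check alone only proves the request passed through the proxy; it is the checkout-token comparison that ties the request to one specific order, which is why the example refuses when either check fails rather than falling back to the order id on its own.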