I am able to create a recurring charge (with the required parameters, including the return url) on my app and navigate the store owner to the confirmation url. When the store owner accepts the charge, shopify redirects the store owner back to the return url, but does not add the query string parameters "hmac", "shop", etc in addition to the charge_id on the "redirect_url". Is this a bug? How do I go about validating the redirect request to the return url if the required parameters are not set? Note: My app does not use the embedded SDK. Could some from the shopify staff help regarding this.
I ended up doing something similar to @devenbryant which was to map their shop origin to the query string of their initial request when they hit my OAuth and then store this mapping. Then, on the return URL I append the same query string and I write a conditional where if a request contains charge_id (which Shopify will add), I'll remove the charge_id parameter and then re-validate the remaining query string (which will pass, it passed the first time after all), validate that the charge_id has an active subscription, and go from there.
Really frustrating though that they don't provide additional guidance as to why they themselves don't include the extra parameters and create this confusion for us.
My solution is to include the shop's name as a URL parameter.
That way in the callback redirection, I can retrieve the `appSubscriptionId` and the `shopName` and persist it accordingly.