Validate requests from app form

New Member

I am testing to build a Shopify app with React that will submit some data to my backend to configure the way my service works. I am able to create a form and the installation process of the app in Shopify works fine.

But, I do not understand from the documentation what is the right way to authenticate update requests coming from my form after that. How do I do REST calls to my backend and ensure that the backend knows 1) that the admin was logged in to Shopify 2) which store the call is made from?

Shopify Staff

Hey @ketil_oslo,

Every request or redirect from Shopify to the client server includes an hmac parameter that can be used to verify the authenticity of the request from Shopify. More info.

Once you verify the shop is who they say they are, you could use sessions or JWTs to authenticate calls.

New Member

Hi,

Ok, I see the HMAC, but the preferred flow here is still not clear to me (after installation). So when a user comes back to the app, say after 1 month, will the first request to my backend have the shop and hmac? So I can start a session based on that? Then I do the REST calls directly to my server from React?

Shopify Staff

Hey @ketil_oslo,

> will the first request to my backend have the shop and hmac? So I can start a session based on that?

That's right. The request will look something like this:

"code=...&hmac=700e2dadb827fcc8609e9d5ce208b2e9cdaab9df07390d2cbca10d7c328fc4bf&shop=some-shop.myshopify.com&timestamp=1337178173"

At this point, you can verify the shop is who they say they are and then create a session. Then, when your React application hits your server, you can check the session.
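The server-side check described in this thread, as an added example that is not from the posters or from Shopify: it recomputes HMAC-SHA256 over the sorted parameters (without hmac) using the app's shared secret, then validates shop and timestamp before the caller creates a session. The function names, the freshness window, the rejection of repeated keys and the sample values are assumptions of this example.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qsl

SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com")
MAX_AGE = 300    # assumption: accept requests up to 5 minutes old
MAX_SKEW = 60    # assumption: tolerate 1 minute of clock skew


def sign(params, secret):
    """Hex HMAC-SHA256 over every parameter except hmac, sorted by key."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def verify_shopify_query(query_string, secret, now=None):
    """Return the verified shop domain, or None if the request is rejected."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return None  # repeated key: the signed message would be ambiguous
    received = params.get("hmac", "").encode()
    expected = sign(params, secret).encode()
    if not hmac.compare_digest(received, expected):  # constant-time compare
        return None
    shop = params.get("shop", "")
    if not SHOP_RE.fullmatch(shop):
        return None  # never trust a shop value of an unexpected shape
    try:
        age = (time.time() if now is None else now) - int(params["timestamp"])
    except (KeyError, ValueError):
        return None
    return shop if -MAX_SKEW <= age <= MAX_AGE else None


if __name__ == "__main__":
    secret = "constructed-secret"  # constructed; use the app's real shared secret
    p = {"code": "abc123", "shop": "some-shop.myshopify.com",
         "timestamp": str(int(time.time()))}
    qs = "&".join(f"{k}={v}" for k, v in p.items()) + "&hmac=" + sign(p, secret)
    print(verify_shopify_query(qs, secret))           # the shop domain
    print(verify_shopify_query(qs + "x", secret))     # None: hmac mismatch
```

Only after this returns a shop should the backend create the session that later calls from the React front end are checked against.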