I am testing to build a Shopify app with React that will submit some data to my backend to configure the way my service works. I am able to create a form and the installation process of the app in Shopify works fine.
But, I do not understand from the documentation what is the right way to authenticate update requests coming from my form after that. How do I do REST calls to my backend and ensure that the backend knows 1) that the admin was logged in in Shopify 2) which store the call is made from?
Every request or redirect from Shopify to the client server includes an hmac parameter that can be used to verify the authenticity of the request from Shopify. More info.
Once you verify the shop is who they say they are, you could use sessions or JWTs to authenticate calls.
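The hmac check described in the answer above, as an added Node.js example that is not part of the original thread. It assumes the signed message is every query parameter except `hmac`, sorted by key and joined as `key=value` pairs with `&`, and that the key is the app's shared secret; `SHARED_SECRET`, the function names and the sample request are constructed for illustration.

```javascript
// Added example, not code from the thread. Single-valued parameters only.
const crypto = require("node:crypto");

const SHARED_SECRET = "constructed-test-secret"; // placeholder, not a real key

// Assumed canonical form: all parameters except hmac, sorted by key, k=v joined by &.
function canonicalMessage(params) {
  return [...params.entries()]
    .filter(([key]) => key !== "hmac")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([key, value]) => `${key}=${value}`)
    .join("&");
}

function sign(params, secret) {
  return crypto
    .createHmac("sha256", secret)
    .update(canonicalMessage(params))
    .digest("hex");
}

// Returns the verified shop domain, or null when the request must be rejected.
function verifyShopifyRequest(queryString, secret) {
  const params = new URLSearchParams(queryString);
  const supplied = params.get("hmac") || "";
  const shop = params.get("shop") || "";
  // Reject malformed input before comparing; timingSafeEqual needs equal lengths.
  if (!/^[0-9a-f]{64}$/.test(supplied)) return null;
  if (!/^[a-z0-9][a-z0-9-]*\.myshopify\.com$/.test(shop)) return null;
  const expected = Buffer.from(sign(params, secret), "hex");
  const received = Buffer.from(supplied, "hex");
  // Constant-time comparison so the check does not leak how many bytes matched.
  return crypto.timingSafeEqual(expected, received) ? shop : null;
}

// Constructed sample request, signed with the placeholder secret above.
function sampleQuery() {
  const params = new URLSearchParams({
    shop: "example-store.myshopify.com",
    timestamp: "1700000000",
  });
  params.set("hmac", sign(params, SHARED_SECRET));
  return params.toString();
}
```

Only after `verifyShopifyRequest` returns a shop should the backend create the session or JWT, and the shop it stores should be that returned value rather than anything the form sends later.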
Ok, I see the HMAC, but the preferred flow here is still not clear to me (after installation). So when a user comes back to the app, say after 1 month, will the first request to my backend have the shop and hmac? So I can start a session based on that? Then I do the REST calls directly to my server from React?
will the first request to my backend have the shop and hmac? So I can start a session based on that?
That's right. The request will look something like this: