For almost all the APIs where a redirect or server-to-server API call happens from Shopify's end, we get an HMAC/signature along with the shop domain to validate if the call originated from Shopify. Is there any specific reason why the same is not the case when Shopify redirects to the return_url that we send while creating an ApplicationCharge/RecurringApplicationCharge using the Billing APIs?
During the redirect, we are only provided with the charge_id as the URL param. Are we expected to maintain a mapping of charge id to shop domain on our end to figure out which shop's access token has to be used to be able to get the ApplicationCharge/RecurringApplicationCharge and to activate it?
I think you can add Admin Links to this. They get an HMAC in the query string and the shop name, but there is no indication as to how these are used to validate incoming calls to an App. So when we are using JWT, what are we to do when we get Admin Links as well as this issue with the billing?
As for Billing, I had usually already set up a session, so when Shopify calls the return URL it is already tagged to a session for the store, but I can see how that would not be true for a lot of other use cases.
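For the case raised in this thread, where the billing redirect carries only charge_id and no session exists, one option is for the app to bind its own return_url to the shop with an app-side HMAC tag. This is an added example, not part of either post and not Shopify's own code; the parameter names `shop`, `ts`, `sig`, the key, and the expiry window are assumptions, as is the expectation that the query parameters placed on return_url come back alongside charge_id.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a key held only by the app server (constructed placeholder value).
RETURN_URL_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 3600  # assumption: how long a pending charge link stays valid


def _tag(shop: str, issued_at: int) -> str:
    """HMAC-SHA256 over the shop domain and issue time, hex encoded."""
    msg = f"{shop}|{issued_at}".encode()
    return hmac.new(RETURN_URL_KEY, msg, hashlib.sha256).hexdigest()


def build_return_url(base_url: str, shop: str, now: Optional[int] = None) -> str:
    """Build the return_url to send when creating the charge, bound to one shop."""
    issued_at = int(time.time()) if now is None else now
    query = urlencode({"shop": shop, "ts": issued_at, "sig": _tag(shop, issued_at)})
    return f"{base_url}?{query}"


def verify_return(url: str, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Return (shop, charge_id) when the callback has a valid, fresh tag, else None."""
    params = parse_qs(urlparse(url).query)
    try:
        shop, ts, sig, charge_id = (
            params[k][0] for k in ("shop", "ts", "sig", "charge_id")
        )
        issued_at = int(ts)
    except (KeyError, ValueError):
        return None  # a required parameter is missing or malformed
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(sig.encode(), _tag(shop, issued_at).encode()):
        return None  # shop or ts was altered, or the tag was not issued by this app
    current = int(time.time()) if now is None else now
    if not 0 <= current - issued_at <= MAX_AGE_SECONDS:
        return None  # link is stale or dated in the future
    # The caller then loads this shop's access token and fetches charge_id with it
    # before activating, which also confirms the charge belongs to that shop.
    return shop, charge_id
```

A stored charge_id to shop mapping, written when the charge is created, can be checked against the verified shop as a second control.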