app install url same as app banner url (callback url)?

Shopify Partner

I'm confused about the app callback url being the same url as the app banner url. I'm new to app development, obviously.

My concern is, when a user clicks to install an app I create, I understand that I need to redirect them with my app's scope for them to install that app in their store. However, after the app has been installed, if the callback url for the app banner is the same as the initial install url, how do I differentiate between an app banner click and an install app click that are going to the same url?

Clearly I'm missing some key info here on this workflow. I suspect that when the user clicks to install the app, which goes to my callback url, there will be $_GET data that will identify that the user is installing the app and has not simply clicked on the app banner (post install). Am I correct here? I don't need to redirect them to install the app each time they click on the app banner, do I, as some kind of re-initialization? I thought the permanent access token would prevent me from having to do this.

Shopify Staff (Retired)

You can differentiate new versus existing customers by checking the code parameter and keeping a database of merchants that have your app installed. If the shop is in your database and the hmac is verified, then you can skip the setup.

Shopify Partner

Thanks Josh. I get it now. So, I'm currently developing an app and for now I'm just pasting my redirect install string into the browser address bar to simulate a user clicking on a Shopify Get App install button in the app store. Is there another way to better simulate this during the development stage?

Shopify Staff (Retired)

I guess there are many ways you could test, but usually I install the app into a test shop and then just click on the app card.

Shopify Expert

I wouldn't trust the X-Shopify-Shop-Domain header (because you can't verify that it came from Shopify). Use $_GET['shop'] instead and don't forget to verify the request.

Check out my apps: Social Call-to-Action [https://apps.shopify.com/social-call-to-action] and Fliptabify [https://apps.shopify.com/fliptabify]. I also maintain the Shopify API client in PHP [https://github.com/phpish/shopify] and PHP Quickstart Skeletons for building Shopify apps: [https://github.com/phpish/shopify_app-skeleton] and [https://github.com/phpish/shopify_private_app-skeleton]
Shopify Partner

Already using "shop" from $_GET. Thanks for the info though.

Shopify Expert

For someone coming to this later, the thread might not make sense because it looks like Josh edited his answer (to remove the insecure recommendation of using the X-Shopify-Shop-Domain header). The current recommendation:

You can differentiate new versus existing customers by checking the code parameter and keeping a database of merchants that have your app installed. If the shop is in your database and the hmac is verified, then you can skip the setup.

also has serious security implications IMO. For details see my comment here: http://ecommerce.shopify.com/c/shopify-apis-and-technology/t/need-help-with-hmac-signature-validatio...

Shopify Staff (Retired)

Yep - you're right, Sandeep, it's better to use the shop parameter. Thanks for correcting me :)

Shopify Expert

You're welcome Josh. Editing comments to change them completely messes up the thread and makes it incoherent for future readers. IMO, it's always better to add another comment than change an existing one (except for typos).

Also, as confirmed by Kevin in the other thread I linked to earlier, the current recommendation in this thread to "skip the setup" is also incorrect.

Shopify Expert

Another reason (and maybe one that is more important in terms of security) why the advice to skip the setup if you get a valid hmac is incorrect is that, if the app is not on https, a man in the middle could intercept the request, play it back and get access to the customer accounts in the app.

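As an added example (not code from this thread, nor from phpish/shopify), here is a Python sketch of the callback-URL decision the thread argues over: it verifies the query-string hmac with the app secret, trusts the shop parameter rather than the X-Shopify-Shop-Domain header, treats a code parameter as the OAuth install callback, and adds a timestamp freshness check as one mitigation for the replay Sandeep describes. The secret, shop names and the 300-second window are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed app secret for this example; a real app reads its shared secret from config.
APP_SECRET = "example-app-secret"
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")

def shopify_message(params):
    """Build the string Shopify signs: every query parameter except hmac,
    sorted by key and joined as key=value&key=value. Assumes plain values;
    values containing '&', '%' or '=' need the escaping Shopify documents."""
    signable = {k: v for k, v in params.items() if k != "hmac"}
    return "&".join(f"{k}={signable[k]}" for k in sorted(signable))

def sign_params(params, secret):
    """Return a copy of params carrying the hmac Shopify would attach
    (used here only to construct sample requests)."""
    digest = hmac.new(secret.encode(), shopify_message(params).encode(),
                      hashlib.sha256).hexdigest()
    return {**params, "hmac": digest}

def verify_hmac(params, secret):
    """Constant-time comparison of the supplied hmac with the recomputed one."""
    expected = sign_params(params, secret)["hmac"]
    return hmac.compare_digest(expected, params.get("hmac", ""))

def classify_request(params, secret, known_shops, now, max_age=300):
    """Decide what a hit on the shared callback URL is.
    'reject'          bad hmac, bad shop domain, or a stale (replayed) timestamp
    'oauth_callback'  a code parameter is present: finish OAuth, exchange the code
    'app_load'        no code, shop already installed: serve the app
    'needs_install'   no code, unknown shop: start the OAuth flow"""
    if not verify_hmac(params, secret):
        return "reject"
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        return "reject"
    # Added mitigation for the replay concern raised in the thread: Shopify
    # signs a timestamp, so a captured URL stops verifying after max_age seconds.
    try:
        age = abs(now - int(params.get("timestamp", "")))
    except ValueError:
        return "reject"
    if age > max_age:
        return "reject"
    if "code" in params:
        return "oauth_callback"
    return "app_load" if shop in known_shops else "needs_install"
```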