How to use oauth (session)


When the app is installed for the first time, I am saving store_url & access_token to my db.
From the shop admin dashboard, when I click the app, I am seeing some query params coming from Shopify such as hmac, locale, session, shop, timestamp.

The question is, how should I check whether this is a valid authentication request or not? Basically I can get the shop url, check whether there is any record in the db and get the access_token of that store, but this doesn't seem safe.


Hi Casedo, 

You can authenticate the request via the hmac as indicated here:

Essentially, the hmac query parameter is a "signature" of the request.

Steps (ignoring the ids parameter, if present):

  1. Concatenate all query parameters in alphabetical order, except for the hmac query parameter. E.g. "b=x&hmac=y&a=z" becomes "a=z&b=x"
  2. Verify that the hmac string is valid using your app's "API secret key" as the shared HMAC secret (remember that the hmac string from Shopify is hex encoded)
  3. If the hmac is valid (i.e. it is identical to the hmac you compute for the same string of concatenated query parameters), then the request comes from Shopify (or someone else who knows your API secret, which should be no one but Shopify).




This npm package worked well for me if anybody needs it:

// Verifies the hmac query parameter against the app's API secret;
// request.query is the parsed query string of the incoming request.
import {checkHmacValidity} from "shopify-hmac-validation";
const isValidRequest = checkHmacValidity(process.env['SHOPIFY_API_SECRET'], Object.fromEntries(request.query));