When the app is installed for the first time, I am saving store_url & access_token to my db.
From the shop admin dashboard, when I click the app, I see some query params coming from Shopify, such as hmac, locale, session, shop, timestamp.
The question is, how should I check whether this is a valid authentication request or not? Basically I can get the shop URL, check whether there is a record in the db and get the access_token of that store, but this doesn't seem safe.
You can authenticate the request via the hmac as indicated here: https://shopify.dev/tutorials/authenticate-with-oauth#verification
Essentially, the hmac query parameter is a "signature" of the request.
Steps: (ignoring the IDs parameter, if present):
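The HMAC check this answer points to, as an added Python example that is not part of the original answer or Shopify's own code. The function names, the secret and the sample query are constructed for illustration, the freshness window on `timestamp` is an optional assumption, and, like the steps above, it ignores the IDs parameter.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode


def expected_hmac(pairs, shared_secret):
    """Hex HMAC-SHA256 over the sorted key=value pairs, with hmac itself excluded."""
    rest = sorted((k, v) for k, v in pairs if k != "hmac")
    message = "&".join(f"{k}={v}" for k, v in rest)
    return hmac.new(shared_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_request(query_string, shared_secret, now=None, max_age=None):
    """Return True only if the hmac parameter signs every other parameter."""
    # Assumption: values are signed in decoded form (the sample needs no escaping).
    pairs = parse_qsl(query_string, keep_blank_values=True)
    received = [v for k, v in pairs if k == "hmac"]
    if len(received) != 1:
        return False  # missing or duplicated signature
    expected = expected_hmac(pairs, shared_secret)
    # Constant-time comparison; bytes so a non-ASCII value cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), received[0].encode()):
        return False
    if max_age is not None:
        # Optional replay window (assumption): reject stale, signed timestamps.
        try:
            age = (time.time() if now is None else now) - int(dict(pairs)["timestamp"])
        except (KeyError, ValueError):
            return False
        if age > max_age:
            return False
    return True


# Constructed sample: the secret stands in for the app's API secret key.
SECRET = "constructed-app-secret"
SAMPLE = [("locale", "en"), ("session", "abc123"),
          ("shop", "example-shop.myshopify.com"), ("timestamp", "1600000000")]
SIGNED_QUERY = urlencode(SAMPLE + [("hmac", expected_hmac(SAMPLE, SECRET))])

if __name__ == "__main__":
    print(verify_request(SIGNED_QUERY, SECRET))
    # Swapping the shop name invalidates the signature.
    print(verify_request(SIGNED_QUERY.replace("example-shop", "other-shop"), SECRET))
```

Only after this check passes should the `shop` value be used to look up the stored access_token.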