How to use oauth (session)

casedo
Excursionist

When the app is installed for the first time, I save store_url & access_token to my DB.
From the shop admin dashboard, when I click the app, I see some query params coming from Shopify, such as hmac, locale, session, shop, timestamp.

The question is, how should I check whether this is a valid authentication request or not? Basically I can get the shop URL, check whether there is a record in the DB and get the access_token of that store, but this doesn't seem safe.

JesperT
New Member

Hi Casedo, 

You can authenticate the request via the hmac as indicated here: https://shopify.dev/tutorials/authenticate-with-oauth#verification

Essentially, the hmac query parameter is a "signature" of the request. 

Steps (ignoring the IDs parameter, if present): 

  1. Concatenate all query parameters in alphabetical order, except for the hmac query parameter. E.g. "b=x&hmac=y&a=z" becomes "a=z&b=x".
  2. Verify that the hmac string is valid using your app's "API secret key" as the shared HMAC secret (remember that the hmac string from Shopify is hex encoded).
  3. If the hmac is valid (i.e. it is identical to the hmac you compute for the same string of concatenated query parameters), then the request comes from Shopify (or someone else who knows your API secret, which should be only Shopify). 

Best, 

Jesper

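The verification Jesper describes, written out as an added Python example (not code from the thread or from Shopify's own libraries). It assumes a constructed API secret and constructed query parameters; the `%`/`&`/`=` escaping applied before sorting follows the encoding rules in Shopify's HMAC documentation (an assumption here, since the answer above does not mention it), and the timestamp freshness check is an extra the answer does not ask for. The `sign_query` helper only plays Shopify's role so the example can be run offline; a real app never signs these URLs.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode


def _escape_value(s):
    # Shopify's documented rule (assumed here): '%' -> '%25', '&' -> '%26' in keys and values.
    return s.replace("%", "%25").replace("&", "%26")


def _escape_key(s):
    # Keys additionally escape '=' -> '%3D'.
    return _escape_value(s).replace("=", "%3D")


def canonical_message(params):
    """Message Shopify signs: every (key, value) except hmac, sorted by key, 'k=v' joined with '&'.

    [("b","x"), ("hmac","y"), ("a","z")] -> "a=z&b=x"
    """
    pairs = sorted((k, v) for k, v in params if k != "hmac")
    return "&".join(f"{_escape_key(k)}={_escape_value(v)}" for k, v in pairs)


def expected_hmac(secret, params):
    """Hex-encoded HMAC-SHA256 of the canonical message under the app's API secret."""
    return hmac.new(secret.encode("utf-8"),
                    canonical_message(params).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_shopify_request(query_string, secret, now=None, max_age=300):
    """True only if the hmac parameter matches and the signed timestamp is fresh.

    now / max_age (seconds) are an addition beyond the answer above: they stop a
    captured, correctly signed URL from being replayed indefinitely.
    """
    params = parse_qsl(query_string, keep_blank_values=True)  # decodes percent-encoding
    as_dict = dict(params)
    received = as_dict.get("hmac", "")
    if not received:
        return False
    # compare_digest: constant-time comparison, so a byte-by-byte mismatch timing
    # cannot be used to guess the correct hmac.
    if not hmac.compare_digest(expected_hmac(secret, params), received.lower()):
        return False
    try:
        ts = int(as_dict["timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - ts) <= max_age


def sign_query(params, secret):
    """Play Shopify's role for testing: produce a signed query string from a dict of params."""
    items = sorted(params.items())
    return urlencode(items + [("hmac", expected_hmac(secret, items))])


if __name__ == "__main__":
    # Constructed sample values, not real Shopify credentials or a real shop.
    SECRET = "example-api-secret-not-real"
    incoming = sign_query({"shop": "example.myshopify.com", "timestamp": "1591764019",
                           "locale": "en", "session": "abc123"}, SECRET)
    print(incoming)
    print(verify_shopify_request(incoming, SECRET, now=1591764019 + 60))   # True
    print(verify_shopify_request(incoming, "wrong-secret", now=1591764019 + 60))  # False
```

Only after `verify_shopify_request` returns True should the app look up the stored access_token for the `shop` value; looking the shop up first, as the question proposes, would let anyone who knows a store's domain impersonate that store's admin.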