I am currently working on writing my first Shopify App, and one issue I am running into is that after I install it on my test store and then click the app in the test store's dashboard, it runs through the install process again. I would have figured you could set the dashboard URL and install URL separately, but I can find only the one setting there. And seeing as the call from the dashboard successfully completes OAuth, I assume that an OAuth handshake is required from the dashboard as well, but how do I determine which load it is, install or dashboard?
I was also surprised to learn that a single, shared app endpoint is used for both installation and the dashboard.
This is problematic. When an app receives a request at this endpoint, it may be either an installation request or a request from the dashboard. The most obvious method to determine which is to look at our DB and see if we have an installed record (i.e. auth token) for this shop. If we don't, it must be an install request; if we do, then we're already installed and can treat the request as a dashboard request.
The problem with this approach is that the user can uninstall the app. We can subscribe to the app/uninstalled webhook and delete from our DB, but that webhook is not guaranteed and is also delayed.
So the only robust method seems to be checking if the auth token in our DB is still valid. This requires a round trip to the Shopify API (e.g. call access_scopes API) for every single request. I've noticed that requests from the dashboard include a "locale" query string param, but without documentation, it seems ill-advised to rely on this to differentiate.
I'd also appreciate it if someone could advise if the above understanding is correct. This is my first encounter with the Shopify API and so perhaps something obvious has been missed or I am not using the correct approach.
This is an accepted solution.
This issue is now resolved. I broke down the app and started over. The long story short of this is that it does not matter. Each time the app is accessed (either as installation or viewing from the dashboard), the exact same handshake is required. After the handshake, verify if you already have a token; if not, get one and store it. Then after that it should redirect to your app as normal. If the app has already been installed and the scope has not changed, then the store owner will not be prompted for a re-install or an update.
For a lightweight example of how to handle all of this with no framework, I have a PHP example here: https://github.com/XenithTech/php-shopify-app-skeleton It's small and simple enough that it should be able to be easily translated into any language needed. The flow will all be the same.
As a note, I believe Shopify did change something on their end relating to the original question here as to why it was prompting for an install each time. I believe this edit was to check if the app was already installed and with the same scope.
If any of y'all have any further issues with this, let me know and I will try and assist as I can.
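
The flow described in the accepted answer, sketched in Python as an added example; it is not part of the original post and is not taken from the linked PHP skeleton. It assumes Shopify's documented request signature (HMAC-SHA256 over the sorted query parameters, keyed with the app secret); `token_store`, `exchange_code`, the secret and the shop name are hypothetical stand-ins constructed for illustration.

```python
import hashlib
import hmac
import re

API_SECRET = "constructed-secret-for-example"  # constructed value, not a real secret
# Only accept hostnames shaped like a Shopify shop before trusting anything else.
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")


def sign(params, secret=API_SECRET):
    """Hex HMAC-SHA256 over the sorted query parameters, excluding 'hmac'.

    The sample values used here need no URL escaping.
    """
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verified(params, secret=API_SECRET):
    """True only for a well-formed shop name and a matching signature."""
    if not SHOP_RE.match(params.get("shop", "")):
        return False
    supplied = params.get("hmac", "").encode()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sign(params, secret).encode(), supplied)


def handle_callback(params, token_store, exchange_code):
    """One code path for install and dashboard loads.

    token_store: dict of shop -> token (hypothetical stand-in for the app's DB).
    exchange_code: callable(shop, code) -> token (hypothetical stand-in for the
    request that trades the OAuth code for an access token).
    """
    if not verified(params):
        return ("reject", None)
    shop = params["shop"]
    if shop not in token_store:
        # First visit for this shop: get a token and store it.
        token_store[shop] = exchange_code(shop, params["code"])
        return ("installed", shop)
    # Token already stored: nothing to exchange, go straight to the app.
    return ("dashboard", shop)
```

The app never has to guess whether a request is an install or a dashboard load: the signature check gates both, and the stored token alone decides whether a code exchange is needed.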