I have a question regarding the authorization of users. I followed the OAuth flow up to the point where I got the access token for the shop. So far, so good. But when a user is interacting with my non-embedded app now, how do I know the user is actually a user of that shop and not someone else?
When opening the app from Shopify admin, I get the parameters hmac, host, session, shop and timestamp. Is it enough to validate the request using hmac?
Thanks for any help!
Authorizing a user in a non-embedded app on Shopify involves the following steps:
It is important to note that the redirect URL you pass to the Redirect.create method must be whitelisted in the app settings in the Shopify Partner Dashboard. Additionally, the scopes you request must match the permissions you need for your app to function properly. It's also important to make sure that you are handling the access token securely and storing it properly.
Make sure to follow Shopify's guidelines and best practices when developing your app and handling user data. Keep in mind that security is important and the user's trust is valuable.
Thank you for your reply. But as stated in my initial post, this is what I have already done. My question was: what is the best way to verify that the user who will talk to my API after the code exchange is actually part of that shop? The access code only authorizes the backend to talk to Shopify, not the user. I was looking for a way to authorize the user to talk to our backend.
But I assume, that our backend just needs to provide its own access token for the user. I just thought there is an easier solution for it using the data shopify provided.
When accessing the non-embedded app, the user will always go through the normal Shopify OAuth flow first. During that process, it is guaranteed that the user is part of the requesting shop and the request can be verified using the hmac. For further requests to my backend API, I return an access token created by my backend at the end of the OAuth flow. That token contains the shop and is signed using a backend secret (could be the app secret for example).
So basically, I use the OAuth flow to make sure the user belongs to the shop and then create my own access token for the user so they can access my app backend.
In addition, I also provide a refresh token, so the user can refresh their access token.
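An added example (not from the original post, and not Shopify's own library code) of the design described above, in Python: verify the `hmac` on the request Shopify sends, then issue the backend's own HMAC-signed access token carrying the shop, plus a single-use refresh token. The app secret, signing key, shop name, `SHOP_RE` pattern, in-memory refresh store and five-minute timestamp window are all assumptions. The canonicalization follows Shopify's documented rule (drop `hmac`, sort the remaining query parameters by key, join them as `key=value` with `&`, HMAC-SHA256 hex digest with the app secret); the token format is a minimal stand-in for a JWT.

```python
"""Hypothetical backend for a non-embedded Shopify app (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets
import time
from typing import Optional, Tuple

APP_SECRET = "hypothetical-shopify-app-secret"   # assumed; Partner Dashboard app secret
TOKEN_KEY = b"hypothetical-backend-signing-key"  # assumed; separate key for backend tokens
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")  # assumed shop format check
REFRESH_STORE = {}  # assumed in-memory store: refresh token -> shop (use a DB in production)


def shopify_hmac_message(params: dict) -> str:
    """Canonical string Shopify signs: every query param except hmac (and the legacy
    signature), sorted by key, joined with '&'. '&' and '%' are escaped in keys and
    values and '=' in keys, as Shopify does."""
    def esc(s: str, key: bool = False) -> str:
        s = s.replace("%", "%25").replace("&", "%26")
        return s.replace("=", "%3D") if key else s
    rest = {k: v for k, v in params.items() if k not in ("hmac", "signature")}
    return "&".join(f"{esc(k, True)}={esc(v)}" for k, v in sorted(rest.items()))


def compute_shopify_hmac(params: dict, app_secret: str) -> str:
    msg = shopify_hmac_message(params).encode()
    return hmac.new(app_secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_shopify_request(params: dict, app_secret: str,
                           now: Optional[int] = None, max_age: int = 300) -> Optional[str]:
    """Return the shop domain if hmac, shop format and timestamp check out, else None."""
    expected = compute_shopify_hmac(params, app_secret).encode()
    if not hmac.compare_digest(expected, params.get("hmac", "").encode()):
        return None                       # constant-time comparison of hex digests
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        return None
    now = int(time.time()) if now is None else now
    try:
        ts = int(params.get("timestamp", "0"))
    except ValueError:
        return None
    if abs(now - ts) > max_age:           # reject stale links (replay window is the app's choice)
        return None
    return shop


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_backend_token(shop: str, key: bytes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint <base64(payload)>.<base64(HMAC-SHA256(key, payload))> with shop and expiry."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"shop": shop, "iat": now, "exp": now + ttl},
                         separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_b64(hmac.new(key, payload, hashlib.sha256).digest())}"


def verify_backend_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(payload)          # payload is authentic only after the check above
    return claims if claims.get("exp", 0) > now else None


def issue_refresh_token(shop: str) -> str:
    tok = secrets.token_urlsafe(32)       # opaque, random; only the store maps it to a shop
    REFRESH_STORE[tok] = shop
    return tok


def refresh(refresh_token: str, key: bytes, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Rotate: the used refresh token is invalidated and a new pair is returned."""
    shop = REFRESH_STORE.pop(refresh_token, None)
    if shop is None:
        return None
    return issue_backend_token(shop, key, now=now), issue_refresh_token(shop)


def complete_login(params: dict, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """End of the OAuth flow: hand the verified shop an access token and a refresh token."""
    shop = verify_shopify_request(params, APP_SECRET, now)
    if shop is None:
        return None
    return issue_backend_token(shop, TOKEN_KEY, now=now), issue_refresh_token(shop)
```

The `hmac` proves that Shopify generated that link for that shop and that nothing in the query string was altered; it does not by itself identify a person, which is why the backend token is issued only at the end of the OAuth flow and then checked on every API call. Signing the backend token with a key separate from the app secret keeps the app secret to its single purpose, so a leak of one does not compromise the other.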