A space to discuss online store customization, theme development, and Liquid templating.
We are implementing an api call on the order status page to our backend.
Do you have any idea on how to verify if a call legit?
There is a token on Shopify.Checkout.token
Does anybody have an idea on how to verify that token with an Admin API api call?
Is there any way to verify the token?
Does no one has an idea how to solve this?
Anybody got any idea on this topic?
I am trying to do a similar thing to save additional order information in my app and make it available in the order status page via the app proxy.
I have to say the interaction between the order_status_url, its authenticate key, and the checkout token are not completely clear. I have found a couple of other posts around this subject:
https://community.shopify.com/c/Shopify-Design/Order-object-quot-customer-url-quot/m-p/328333
These do not completely clarify things. And it seems that the order_status page can be accessed by adding the checkout token to the canonical url, which actually strikes me as a bit odd, when the order_status_url itself includes an authenticate key.
I am sure there must be a lot of apps that provide additional status information back to the order_status page. I would find it really helpful if someone could suggest the best practice for validating that the correct order is being accessed.
As the cart token is available as Shopify.Checkout.token in the javascript object on the page, I take it that this is safe to send with the fetch request.
So for my purposes, I am going with sending cart token and order id parameters in the fetch request:
On the server side, an API call to get the order by id, can then use the checkout token to confirm the order id is valid for that page and hence respond with the additional order information, or carry out the order update as appropriate.
I would be very grateful if anyone can confirm if this approach is ok or whether it is open to being abused in some way I have not considered.
Many Thanks
@tonypmuk
How did you actually implement the "can then use the checkout token to confirm the order id is valid for that page" ?
Anybody got a hint on how this can be done?