What's your biggest current challenge? Have your say in Community Polls along the right column.
Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Order Status Page api call verification

Order Status Page api call verification

GerwinB
Shopify Partner
78 2 14

We are implementing an api call on the order status page to our backend.

Do you have any idea on how to verify if a call legit?

There is a token on  Shopify.Checkout.token 
Does anybody have an idea on how to verify that token with an Admin API api call? 

 

Replies 6 (6)

GerwinB
Shopify Partner
78 2 14

Is there any way to verify the token?

GerwinB
Shopify Partner
78 2 14

Does no one has an idea how to solve this?

GerwinB
Shopify Partner
78 2 14

Anybody got any idea on this topic?

tonypmuk
Shopify Partner
8 0 6

I am trying to do a similar thing to save additional order information in my app and make it available in the order status page via the app proxy.

I have to say the interaction between the order_status_url, its authenticate key, and the checkout token are not completely clear.  I have found a couple of other posts around this subject:

https://community.shopify.com/c/Shopify-Design/Order-object-quot-customer-url-quot/m-p/328333

https://community.shopify.com/c/Shopify-Design/How-to-get-the-link-to-the-order-status-page-a-custom...

These do not completely clarify things.  And it seems that the order_status page can be accessed by adding the checkout token to the canonical url, which actually strikes me as a bit odd, when the order_status_url itself includes an authenticate key.

I am sure there must be a lot of apps that provide additional status information back to the order_status page.  I would find it really helpful if someone could suggest the best practice for validating that the correct order is being accessed.

As the cart token is available as Shopify.Checkout.token in the javascript object on the page, I take it that this is safe to send with the fetch request. 

So for my purposes, I am going with sending cart token and order id parameters in the fetch request:

On the server side, an API call to get the order by id, can then use the checkout token to confirm the order id is valid for that page and hence respond with the additional order information, or carry out the order update as appropriate.

I would be very grateful if anyone can confirm if this approach is ok or whether it is open to being abused in some way I have not considered.

 

Many Thanks

 

 

 

GerwinB
Shopify Partner
78 2 14

@tonypmuk 
How did you actually implement the "can then use the checkout token to confirm the order id is valid for that page" ?

GerwinB
Shopify Partner
78 2 14

Anybody got a hint on how this can be done?