For almost all the APIs where a redirect or server-to-server API call happens from Shopify end, we get a hmac/signature along with the shop domain to validate if the call originated from shopify. If there any specific reason why the same is not the case when Shopify redirects to return_url that we send while creating a ApplicationCharge/RecurringApplicationCharge using the Billing APIs?
During the redirect, we are only provided with the charge_id as the URL param. Are we expected to maintain a mapping of charge id to shop domain on our end to figure out which shop's access token has to be used to be able to get the ApplicationCharge/RecurringApplicationCharge and to activate it?
I'm also seeing this behavior. Can anyone confirm whether this redirect deliberately does not have both the shop and hmac query string params?
I'd like to know why this behaviour seems to be inconsistent with the rest of the platform too. It makes things rather more awkward than they need to be.
Yeah I'm seeing this behaviour also. However, if I leave the return_url blank, then it seems to default to the install url from the app settings with hmac included.
There are old threads in this forum about this strange omission with some workarounds mentioned, please do a search.
I think you can add to this, Admin Links. They get an HMAC in the querystring and the shop name but there is no indication as to how these are used to validate incoming calls to an App. So when we are using JWT, what are we to do when we get Admin Links as well as this issue with the billing.
As for Billing, I had usually already setup a session, so when Shopify calls the return URL it is already tagged to a session for the store, but I can see how that would not be true for a lot of other use cases.
Would you love to unleash the unbridled power of the Google Shopping Channel into your sho...By Gabe Jan 6, 2023
How can you turn a hobby into a career? That’s what Emmanuel did while working as a wa...By Skye Dec 30, 2022