Technical Q&A

I am developing a Shopify embedded public app with a form on the main page. I need to submit this form to my app API endpoint and this endpoint should be available only to valid stores that have installed my app. The auth process was developed with @shopify/koa-shopify-auth and I used their example app code:

import 'isomorphic-fetch';

import Koa from 'koa';
import session from 'koa-session';
import shopifyAuth, {verifyRequest} from '@shopify/koa-shopify-auth';

const {SHOPIFY_API_KEY, SHOPIFY_SECRET} = process.env;

const app = new Koa();
app.keys = [SHOPIFY_SECRET];

app
// sets up secure session data on each request
.use(session({secure: true, sameSite: 'none'}, app))

// sets up shopify auth
.use(
shopifyAuth({
apiKey: SHOPIFY_API_KEY,
secret: SHOPIFY_SECRET,
scopes: ['write_orders, write_products'],
afterAuth(ctx) {
const {shop, accessToken} = ctx.session;

console.log('We did it!', accessToken);

ctx.redirect('/');
},
}),
)

// everything after this point will require authentication
.use(verifyRequest())

// application code
.use(ctx => {
ctx.body = '🎉';
});

I know that to verify requests to check that they came from Shopify it is possible to use hmac that they append to app URL. To make a request with form data I use axios, so should I manually add query parameters (like hmac and etc.) to request URL, or that is not a good practise.

Also, the sample app code uses a middleware verifyRequest. I could not fully understand could it be used for custom API endpoints as well or not. Any help will be appreciated because I have spent lots of time on figuring it all out, but still completely don't feel sure.