Introducing cookieless authentication beta with App Bridge

Maybe this might help those of you who are having a hard time.

Not entirely sure if the way I’m doing it is perfectly sound or “best practices” but it works for me. If you’re using the pre-built sample nodejs or ruby apps that Shopify provides then I don’t know what you’ll need to do exactly to make it work but for me it works the following way:

(disclaimer: my backend is in Golang, not NodeJS or RoR)

I added a middleware to my backend routes that expects to receive a JWT as a Bearer token in the headers. This middleware is responsible for decoding and verifying the JWT on each and every request to any of the “protected” routes.

My frontend loads inside Shopify unauthenticated and it initializes appbridge and grabs a token through appbridge. I then make a call to my backend to check if this particular store is in the database. This backend call includes the JWT Bearer token I mentioned earlier. If the backend properly verifies the JWT string and the store is present/located in my database, it returns a 200 status which my frontend takes as a sign that we’re good to proceed and everything is OK. If the backend returns a 4xx or 5xx status code, the frontend uses appbridge to redirect the parent window/tab to the Shopify app install URL for my particular app. From there the process repeats and any calls to the backend include the JWT Bearer token. Any calls to the backend without the token fail with a 401 status.

If you go this route make sure to properly verify the JWT signature and validate the NBF and EXP fields in the JWT string.

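A Go version of the backend check the post describes, added here as an example and not the poster's own code: it verifies the HS256 signature with the app's shared secret, enforces the nbf and exp claims, and turns a missing or bad Bearer token into the 401 the route middleware returns. It assumes Shopify session tokens signed with HS256 under the app secret; the secret value, the two-field Claims subset and MintToken (which only stands in for Shopify's issuer so the check can be exercised offline) are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding
// Claims enforced here; real session tokens also carry iss, dest, aud, sub, sid.
type Claims struct {
	Exp int64 `json:"exp"`
	Nbf int64 `json:"nbf"`
}
// hs256 keys HMAC-SHA256 over "header.payload" with the app's shared secret.
func hs256(signingInput, secret string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}
// Authorize is what the route middleware calls with the raw Authorization header. HS256 is
// pinned (the token's own alg header is never consulted); signature first, then nbf/exp at now.
func Authorize(authHeader, secret string, now time.Time) (*Claims, error) {
	tok := strings.TrimPrefix(authHeader, "Bearer ")
	p := strings.Split(tok, ".")
	if tok == authHeader || len(p) != 3 {
		return nil, errors.New("missing or malformed bearer token") // caller answers 401
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, hs256(p[0]+"."+p[1], secret)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) || now.Before(time.Unix(c.Nbf, 0)) {
		return nil, errors.New("token outside its nbf/exp window")
	}
	return &c, nil
}
// MintToken stands in for Shopify's issuer (constructed helper) so the check can run offline.
func MintToken(secret string, c Claims) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(hs256(in, secret))
}
```

In the middleware, any error from Authorize maps to a 401 and the handler chain stops; a nil error is the only path to the protected route.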