What I’m trying to say is that you wrote 2 code snippets that are doing the same thing:
// save offline token (session.accessToken)
await Website.findOneAndUpdate(
{ shop: session.shop },
{ offline_token: session.accessToken }
);
Is doing the same thing as this:
const session = await Shopify.Auth.validateAuthCallback(
req,
res,
req.query
);
So why include both because validateAuthCallback already stores the tokens in your database