
I have built my first Node.js app that is supposed to be installed on a Shopify store. If you want to see what my actual code looks like (app.js) you can view it here. It's really basic so reading through won't be hard.

I know how to authenticate the installation of the app (following the Shopify instructions) but I don't know how to authenticate all subsequent requests using the permanent access token that a successful installation provides me with.

By subsequent requests I'm referring to requests to either render the app or requests to install the app, even though the app is already installed.

Right now, I'm storing the shop's name (which is unique) along with the permanent token that Shopify sends me in my database. But I don't know if that's necessary. If I'm not mistaken, simply using the browser's session will do? But how do I do that? And how do I use this token every time a request comes through to check if it is a valid one?

Thank you for any help/suggestions!

The code below is sort of a representation of what my actual code looks like, in order to give you an idea of what my issues are:

var express  = require('express');
var mongoose = require('mongoose');   // assumed: db.once('open') below is mongoose's connection event

var app = express();
var db  = mongoose.connection;

db.once('open', function(callback)
{
   app.get('/', function (req, res)
   {
      var name = nameFrom(req);   // shop name taken from the request (e.g. the shop query parameter)

      if (existsInDB(name) && tokenExistsInDBfor(name))
      {
         res.redirect('/render');

         /*
            Is checking that the shop (along with a permanent token)
            exists in my DB enough ?
            Shouldn't I check whether the current request comes with
            a token that is equal to the one in my DB ?
            What if the token received with this request is different
            from the one stored in my DB ?
         */

      }
      else res.redirect('/auth');
   });

   app.get('/auth', function (req, res)
   {
      if (authenticated(req))
      {
          var token = getPermanentToken();   // permanent token obtained from Shopify's OAuth exchange
          storeItInDB(nameFrom(req), token);
          res.redirect('/render');

          /*
            aren't I supposed to do anything more
            with the token I've received ? send it
            back/store it in the browser session as well maybe?
            is storing it in the db necessary ?
          */
      }
      else res.status(401).send('Shopify authentication failed');   // without an else branch this request would never get a response
   });

   app.get('/render', function (req, res)
   {
      /*
      How do I check that this request is coming
      from an authorised shop that has the necessary token ?
      Simply checking my DB will not do
      because there might be some inconsistency correct ?
      */

      res.sendFile(*file that will build app on the client*);
   });

   app.listen(3000);
});
Kawd

1 Answer


Getting an access token from Shopify is a one-time process.

Save the access token and the shop's name in your DB, and also generate and save an 'auth token' based on some algorithm. Return the generated auth token to the client. Make sure the client sends this auth token in every request.

Now, when the client hits your server, verify the auth token; once verified, make the call to the Shopify API using the appropriate 'access token' and shop name.

Authentication flow could be as follows:

  • Get the access token from Shopify
  • Generate a token (I am referring to this as the auth token) for the Shopify shop, refer to this
  • Now save Shopify's access token, the Shopify store name and your generated token into the DB
  • Now send your generated token to the client (save it in a cookie or local storage)

Validation flow:

  • The client hits your server to get data, sending your auth token
  • Verify this auth token in your DB, and get the access token and shop name for that auth token
  • Now make calls to the Shopify API using this access token and shop name

Hope this method helps.

Chirag B
  • Thanks for your reply Chirag. I don't really understand the difference between `access token` and `auth token` though. All I get from Shopify is a `temporary token` during installation which I then exchange for a `permanent token` and this is the one I save in my DB along with the shop's name. So I don't know how to get this `auth token` you're referring to. I also don't know how to `return the token` to the client like you suggest and I don't know how to `check token exists in every request` that comes from the client. I've included a link to my actual code in my OP, in case that helps. – Kawd Aug 31 '15 at 08:53
  • If moving the `permanent token` between client & server is not good practice what do I do with it then? How do I generate the `auth token` you're talking about and what do I do with it as well? – Kawd Aug 31 '15 at 09:44
  • Thanks, I now have something to work with! One last question about the `auth token` that I will generate and send back to the client: how long should it last for? And what should happen if it expires/client deletes cookies? If the `auth token` is not in the request at some point, should I simply generate a new one? Also, will the `auth token` saved in a cookie automatically come with every request (if it's there) or should I do something to request it explicitly? Should I use https://github.com/expressjs/session or will writing some basic/custom code to perform the steps you listed do fine? – Kawd Aug 31 '15 at 12:09