How to use access / auth tokens?

I have built my first Node.js app that is supposed to be installed on a Shopify store. If you want to see what my actual code looks like (app.js) you can view it here. It's really basic so reading through won't be hard.

I know how to authenticate the installation of the app (following the Shopify instructions), but I don't know how to authenticate all subsequent requests using the permanent access token that a successful installation provides me with.

By subsequent requests I'm referring to requests to either render the app or requests to install the app, even though the app is already installed.

Right now, I'm storing the shop's name (which is unique) along with the permanent token that Shopify sends me in my database. But I don't know if that's necessary. If I'm not mistaken, simply using the browser's session will do? But how do I do that? And how do I use this token every time a request comes through to check if it is a valid one?

Thank you for any help/suggestions!

The code below is sort of a representation of what my actual code looks like, in order to give you an idea of what my issues are:

db.once('open', function(callback)
{  
   app.get('/', function (req, res)
   {
      var name = getNameFrom(req);

      if (existsInDB(name) && tokenExistsInDBfor(name))
      {
         res.redirect('/render');

         /*
            Is checking that the shop (along with a permanent token)
            exists in my DB enough ?
            Shouldn't I check whether the current request comes with 
            a token that is equal to the one in my DB ?
            What if the token received with this request is different       
            from the one stored in my DB ?
         */

      }
      else res.redirect('/auth');
   });

   app.get('/auth', function (req, res)
   {    
      if (authenticated(req))
      {
          var token = getPermanentToken(); 
          storeItInDB(nameFrom(req), token);
          res.redirect('/render');

          /*
            aren't I supposed to do anything more 
            with the token I've received ? send it
            back/store it in the browser session as well maybe?
            is storing it in the db necessary ?
          */
      }
   }); 

   app.get('/render', function (req, res)
   {   
      /*
      How do I check that this request is coming 
      from an authorised shop that has the necessary token ?
      Simply checking my DB will not do 
      because there might be some inconsistency correct ?
      */

      res.sendFile(*file that will build app on the client*);
   });
});

Getting an access token from Shopify is a one-time process.

Save the access token and the shop's name in your DB, and also generate and save an 'auth token' based on some algorithm. Return the generated auth token to the client. Make sure the client sends this auth token in every request.

Now, when the client hits your server, verify the auth token; once verified, make a call to the Shopify API using the appropriate 'access token' and shop name.

Authentication flow could be as follows:

  • Get the access token from Shopify
  • Generate a token (I am referring to this as the auth token) for the Shopify shop, refer this
  • Now save Shopify's access token, the Shopify store name and your generated token into the DB
  • Now send your generated token to the client (save it in a cookie or local storage)

Validation flow:

  • The client hits your server to get data with your auth token
  • Verify this auth token in your DB, and get the access token and shop name for that auth token
  • Now make calls to the Shopify API using this access token and shop name

Hope this method helps
