How to detect install flow at application_url?

I’ve always been a bit confused by the fact that the non-managed app install flow starts at the application_url and not a bespoke install URL. Is there some way to detect that the request is initiating an install and not just loading the app url on an already installed store? Perhaps the existence of the hmac?

Are you talking about an embedded app or non-embedded? I assume the latter.

If that’s the case, you should be issuing some kind of short-term session tokens that would determine if the current request is authenticated or not, right?

Then if the session is non-existent or expired, then go through the oauth flow. Right?

It’s non-embedded. So you’re saying if there’s no session that implies it’s an install? I don’t totally understand the connection between an active session and if an install has been initiated but I admit that’s probably my own knowledge gap.

If your app is non-embedded, then you’ll have to set up session level authentication. Without it, you’ll have no way of knowing if the current user is OAuth’d from the request alone.

Embedded apps have a session token via Shopify’s AppBridge.

If you’re hosting your own app externally, you’ll need to use some kind of session management solution that either uses cookies or JWTs, etc. to add the user’s session as part of the HTTP requests.

:waving_hand: - just +1ing what @Dylan mentioned here, but wanted to share some docs on our recommended flow for session auth in case it helps!

I’ve spent lots of time with the docs (including the session token one you linked here) and I unfortunately just keep getting turned around. We don’t have an embedded app, nor does our app currently have a UI and most of the docs, session tokens doc included, seem focused on embedded.

We only use our app to enable API access and webhooks. It’s a private/custom app and is not meant for marketplace distribution. So our only use case really is installation and retrieving an offline access token (and rotating), but obviously our store admins can and will still click on the app from the admin dash so we were just trying to differentiate between an “install” request and someone just clicking on the already installed app.

FWIW it’s working and has been successfully getting access tokens, we were just trying to polish it up a bit.

Hi @a24seth

The presence of hmac and the OAuth query parameters (shop, timestamp, host, etc.) does NOT necessarily mean it’s an installation - Shopify will include these parameters on subsequent visits too.

The best way to differentiate if the request is initiating an install is to check whether you have an access token stored for this shop. For your use case (no UI, just API access and webhooks), the application_url can be as simple as a static page saying “App is active”. The hmac just proves the request is legitimate from Shopify, not that it’s an install vs. regular click.
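The two-step check described in the reply above, as an added example that is not part of the original thread or Shopify's own code: verify the hmac first, then decide install vs. regular click from the stored token. `CLIENT_SECRET`, `TOKEN_STORE`, `classify_request` and the sample shops are constructed names and values; the signature is computed over the decoded, sorted parameters, which is an assumption about how your framework hands you the query.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

# Constructed sample values; a real app loads these from its secret store / database.
CLIENT_SECRET = "constructed-client-secret"
TOKEN_STORE = {"installed-shop.myshopify.com": "constructed-offline-token"}
SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")


def sign(params: dict, secret: str) -> str:
    """HMAC-SHA256 (hex) over the sorted key=value pairs, excluding 'hmac' itself."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def classify_request(query_string: str, secret: str = CLIENT_SECRET,
                     tokens: dict = TOKEN_STORE) -> str:
    """Return 'reject', 'install' or 'installed' for a hit on application_url."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    supplied = params.get("hmac", "")
    shop = params.get("shop", "")
    # Step 1: the hmac only proves the request is legitimately from Shopify.
    # Compare as bytes so a non-ASCII hmac value cannot raise in compare_digest.
    expected = sign(params, secret)
    if not SHOP_RE.fullmatch(shop) or not hmac.compare_digest(
            expected.encode(), supplied.encode()):
        return "reject"
    # Step 2: install vs. regular click is decided by local state, not the query.
    return "installed" if tokens.get(shop) else "install"


def signed_query(shop: str, secret: str = CLIENT_SECRET) -> str:
    """Build a constructed, correctly signed query string for the demo."""
    params = {"shop": shop, "timestamp": "1700000000", "host": "Y29uc3RydWN0ZWQ"}
    params["hmac"] = sign(params, secret)
    return "&".join(f"{k}={v}" for k, v in params.items())


if __name__ == "__main__":
    for shop in ("installed-shop.myshopify.com", "new-shop.myshopify.com"):
        print(shop, "->", classify_request(signed_query(shop)))
    tampered = signed_query("installed-shop.myshopify.com").replace(
        "installed-shop", "other-shop")
    print("tampered ->", classify_request(tampered))
```

An `install` result is where the app would redirect into the OAuth grant; `installed` can serve the static “App is active” page.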

Ok yea, that’s actually basically what we’re doing (checking the access_token against what we have in the environment), thanks for verifying!

Best option then is to continue this workflow - let us know if you have any other questions @a24seth :slight_smile: