I've implemented the embedded app installation process and got an access token for the shop on the backend. How am I supposed to authenticate the user when he opens the app now? There is no shop name or hmac in the query string when the user opens my app.
When you get a token back, for a shop, you are supposed to store that token in your persistence layer so you can re-use it, and to start a session. Whenever Shopify sends a request to your app they include the shop name so you can look it up and get the token and start a session. Requests without a shop name and no session spell re-authentication time.
Are you missing the part about starting a session? If someone is trying to access your App without authenticating, you need to block that access obviously. The tricky thing is ensuring all requests from your App to your App include the shop name so that if the session you started expires, you have a chance of re-authenticating one.
When the app review team uninstalls and reinstalls my app with their automated tools, they get an error because the uninstall webhook has not yet triggered the delayed job to delete the Shop record. I think that's then tripping up the install process because it is finding the old shop record with an invalid access token.
I've been advised that:
You should not be relying on an uninstalled webhook to determine a shop's status with your app. Instead, each time a shop hits your app, you should make a request to your server to first determine if the access token you have for them is valid (if so, they have your app installed - if not, redirect to OAuth) and then from there check for a valid charge ID using the billing API (if not, redirect to billing page).
How should I check the API key validity? When the app is installed they are redirected through a splash page, so I need to somehow know if it's a new install and, if it is, check the access token somehow?
It's really hard to tell what's wrong without knowing your architecture or request auth flow, so the solution could be somewhere else. Embedded apps redirect to the Shopify domain where Shopify checks if the app URL is added to the store. If not, it will return "There is no page at this address".
Answering your question -> the easiest way would be to make an API request to /admin/shop.json and see if you get a 401.
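The probe suggested in the answer, and the token-then-billing ordering from the quoted advice, as an added example (not code from the original posts). It sends `GET /admin/shop.json` with the stored token and branches on the status: a 401 means the stored token is dead (for instance the stale record left behind when the uninstall webhook's cleanup job has not run yet) and the shop should go back through OAuth; a 200 means the app is installed and the billing check can follow. The HTTP transport is injected as a synchronous function so the example runs offline against a constructed fake; the `X-Shopify-Access-Token` header is the real one, the status meanings for 402 (frozen shop) and 404 are Shopify's, and the redirect paths are assumptions.

```javascript
// Added example: validate the stored token on every hit, then apply the billing check.
function checkShopAccess(shop, token, httpGet) {
  if (!token) return { state: "reauth", reason: "no stored token" };
  const res = httpGet(`https://${shop}/admin/shop.json`, {
    "X-Shopify-Access-Token": token,
  });
  if (res.status === 200) return { state: "installed", shopData: res.body.shop };
  // 401: token revoked (app uninstalled) or never valid -> run OAuth again.
  if (res.status === 401) return { state: "reauth", reason: "token rejected" };
  // 402 (shop frozen) and 404 (no such shop) are not fixed by re-auth.
  if (res.status === 402 || res.status === 404) return { state: "unavailable", status: res.status };
  // Anything else (429, 5xx) is transient: don't discard the stored token over it.
  return { state: "retry", status: res.status };
}

// Entry-point decision: valid token? -> active charge? -> otherwise redirect.
function nextStep({ shop, token, chargeActive }, httpGet) {
  const access = checkShopAccess(shop, token, httpGet);
  if (access.state === "reauth") return { redirect: "/auth", reason: access.reason };
  if (access.state === "unavailable") return { redirect: "/unavailable", status: access.status };
  if (access.state === "retry") return { redirect: "/error", status: access.status };
  if (!chargeActive) return { redirect: "/billing" };
  return { redirect: "/app" };
}

// Constructed fake transport: one token is valid for one shop, everything else gets 401.
const fakeValidTokens = { shpat_constructed_valid: "ok-shop.myshopify.com" };
function fakeHttpGet(url, headers) {
  const host = new URL(url).host;
  if (fakeValidTokens[headers["X-Shopify-Access-Token"]] === host) {
    return { status: 200, body: { shop: { myshopify_domain: host } } };
  }
  return { status: 401, body: { errors: "unauthorized (constructed response)" } };
}

console.log(nextStep({ shop: "ok-shop.myshopify.com", token: "shpat_stale", chargeActive: true }, fakeHttpGet));
```

Keeping the "retry" branch separate matters: treating a rate-limit or outage response as "not installed" would push an installed shop through OAuth again for no reason.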
Good morning.
I use the Google Calendar API.
My program creates a connection with the Google Calendar of multiple users.
From each user, I have their credential.json, but when the app starts the first time it shows the browser quickstart confirmation. How can I skip this step?
Thanks in advance
I think you have seriously misunderstood how OAuth2 works.
You, the developer, go to the Google developer console and register your application. If you will be requesting data from other users you will need to create OAuth2 credentials; this will give you a credentials.json file used by your application to request authorization of a user.
When each of your users runs your application they will be asked to consent to your application accessing their data. If they do, you will be granted an access token which gives you access to their data; this access token will expire after one hour. If you have also requested offline access then you will also have a refresh token. If you store this refresh token somewhere then you will be able to access the user's data whenever you need to by using it to request a new access token.
As for the unverified app screen, when you create your application it is basically in developer state; this is so that you can build and test your application. When you are ready to go to production you can request that your application be verified by Google.
Once your app has been verified the unverified app screen will stop showing up.
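The token lifecycle the answer describes, as an added example (not code from the original post or from Google's client libraries): one record per user holding the access token, its expiry and the refresh token; the consent screen is needed only when there is no record or no refresh token, and an expired access token is renewed from the refresh token without involving the user. The token endpoint is injected as `refreshFn` and replaced by a constructed fake so the code runs offline; the one-hour lifetime and the `access_type=offline` parameter are Google's, the record shape is an assumption.

```javascript
// Added example: per-user token store that refreshes instead of re-prompting.
const ONE_HOUR_MS = 60 * 60 * 1000;

class UserTokenStore {
  constructor() {
    this.records = new Map(); // userId -> { accessToken, refreshToken, expiresAt }
  }

  // Called once, after the user consents in the browser flow (constructed response shape).
  saveConsent(userId, { accessToken, refreshToken, expiresInSec }, now) {
    this.records.set(userId, {
      accessToken,
      refreshToken: refreshToken || null,   // absent unless access_type=offline was requested
      expiresAt: now + expiresInSec * 1000,
    });
  }

  // The browser consent step is only needed when we cannot refresh silently.
  needsConsent(userId) {
    const r = this.records.get(userId);
    return !r || !r.refreshToken;
  }

  // Returns a usable access token, refreshing when it is expired (60 s clock skew allowed).
  getAccessToken(userId, now, refreshFn) {
    const r = this.records.get(userId);
    if (!r) throw new Error("no credentials for user; run the consent flow first");
    if (now < r.expiresAt - 60 * 1000) return r.accessToken;
    if (!r.refreshToken) {
      throw new Error("access token expired and no refresh token; re-consent with access_type=offline");
    }
    const fresh = refreshFn(r.refreshToken);            // token endpoint call (injected)
    r.accessToken = fresh.accessToken;
    r.expiresAt = now + fresh.expiresInSec * 1000;
    return r.accessToken;
  }
}

// Constructed fake of the token endpoint's refresh grant.
function fakeRefresh(refreshToken) {
  if (refreshToken !== "rt-alice-constructed") throw new Error("invalid_grant");
  return { accessToken: "at-alice-2", expiresInSec: 3600 };
}

const store = new UserTokenStore();
store.saveConsent("alice", { accessToken: "at-alice-1", refreshToken: "rt-alice-constructed", expiresInSec: 3600 }, 0);
console.log(store.getAccessToken("alice", 2 * ONE_HOUR_MS, fakeRefresh));
```

A refresh token is a long-lived credential for the user's data, so the persisted store should be treated like a password database (encrypted at rest, access-controlled), and a refresh that fails with `invalid_grant` means the user revoked access and must be sent through consent again.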
I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will need to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to set up an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.
I'm new to Shopify app development and am trying to build a Shopify app with Node, and followed this post here. Everything worked as explained, but I have things to get clarified, maybe very basic things.
My question is where to specify the link that's directed to when the shop owner selects my app from the installed apps list of the shop?
As I understood from the post above, the App URL given in the App info section of the app is used for the installation process and from there it's redirected to one of the Whitelisted redirection URL(s) as defined in the app for HMAC validation and exchanging a permanent access token to access the shop's Admin API later.
Now, once my test app is installed to a shop and the app is selected from the installed apps list, the request again goes to the App URL and gets redirected to the callback URL, generating a new access token. If this is how it is supposed to be, why is it called a permanent access token and why does it need to be stored? If this is not how it should be, how do I specify a URL to direct to when the app is selected from the installed apps list?
In short
Where do I define the URL to direct to when a shop admin selects the app from the installed apps section of the shop, as shown below?
After install, the HMAC validation and temp code are just to get the permanent token, which you should then store securely in a database.
You don't have to show any of that process to the user using your app; you can have it happen in the background and then redirect to whatever route you like after you have the permanent token.
I am developing a hybrid mobile application using the IBM MobileFirst Platform.
I am using the custom authentication module example to implement the login module. The problem here is when the user closes the application the app gets logged out.
Is there any way that I can implement this so that the user will not be logged out unless they opt to click on the logout button? Simply put, I am trying to achieve something similar to Facebook's remember me option.
You could do something like this (very rough idea):
As part of your authentication flow, if the user has passed the authentication, store in either localStorage or JSONStore a "token" that will basically state that the user has previously logged in. Also save in the server's database using userPrefs something to validate the token.
Whenever the app launches, it will attempt to connect to the server. The environment will be protected with a securityTest so that the server will present a challenge: if a token exists it will attempt to verify it; if there is no token, a login form will display instead.
Assuming this is a first-time launch, if the login passed successfully then store a token on the device and store in the database its "public key".
The next time the app is launched the challenge will be presented again, but this time, since we have a token, it will attempt to verify it. If verified, don't present the login screen; skip the rest of the authentication flow and display the secure content.
Something like that...
Perhaps to create a 'better' user experience, on app launch also extend the splash screen duration while you're checking for the token. This can be done using this API method.
On logout, clear the token from the device and server.