Authentication Process
This package uses Shopify's session tokens (JWT). Upon first visiting and installing your app, the shop will also be created in the database with an offline token. For all further requests inside your app, the session tokens will be used.
- Initial app request
- Redirect to /authenticate/token for a token
- Redirect to permissions page
- Install actions
- Redirect to /authenticate/token, then to home route for app

- Initial app request
- Redirect to /authenticate/token for a token
- Redirect to home route for app
For both cases, you will need to have CSRF disabled as per installation docs.
If you're using an SPA, you can take advantage of window.sessionToken for your requests. It holds the current session token, which is refreshed every two seconds.
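An added example (not code from this package) of using window.sessionToken in an SPA: the token is read at request time rather than cached, and a missing or expired token is refused before anything is sent. It assumes the backend accepts the token in an Authorization: Bearer header; decodePayload, isFresh, authHeaders, apiFetch and sampleToken are hypothetical helper names.

```javascript
// Added example; helper names are hypothetical, not part of the package.
// Assumption: the backend reads the token from "Authorization: Bearer <jwt>".

// Decode the JWT payload (base64url) WITHOUT verifying the signature; the
// server does the real verification. Returns null for malformed input.
function decodePayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    b64 = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
    return JSON.parse(atob(b64));
  } catch {
    return null;
  }
}

// True when the token parses and its `exp` claim is still ahead of `nowMs`
// by at least `skewSec` seconds (session tokens are short-lived).
function isFresh(token, nowMs = Date.now(), skewSec = 5) {
  const p = decodePayload(token);
  return !!p && typeof p.exp === "number" && p.exp - skewSec > nowMs / 1000;
}

// Read window.sessionToken at call time (never copy it into app state) and
// build the headers; throw instead of sending a stale or missing token.
function authHeaders(nowMs = Date.now()) {
  const token = globalThis.window?.sessionToken;
  if (!isFresh(token, nowMs)) throw new Error("No fresh session token");
  return { Authorization: `Bearer ${token}`, Accept: "application/json" };
}

// fetch wrapper; the auth header always wins over caller-supplied headers.
// `fetchImpl` is injectable so the wrapper can be exercised offline.
async function apiFetch(url, options = {}, fetchImpl = globalThis.fetch) {
  const headers = { ...(options.headers || {}), ...authHeaders() };
  return fetchImpl(url, { ...options, headers });
}

// Constructed sample token (dummy signature) for trying the helpers offline.
function sampleToken(expSec) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ exp: expSec })}.sig`;
}
```

The client-side expiry check only avoids sending a token that is already stale; the server must still verify the signature and claims on every request.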
For non-SPAs, you will need to visit the /authenticate/token route between each request. You can use the tokenRoute and tokenRedirect helpers.
In a controller (example for tokenRoute): $orders = URL::tokenRoute('orders.view', ['id' => 1]);
In Blade (example for tokenRoute): <a href="{{ URL::tokenRoute('orders.view', ['id' => 1]) }}">Order #1</a>
In a controller (example for tokenRedirect): return Redirect::tokenRedirect('orders.view', ['id' => 1]);
These helpers first redirect you to the /authenticate/token page to get a new Shopify session token, then redirect you to the destination route.
You can use a Blade directive {{ @sessionToken }} inside your forms to add a hidden input which will contain the up-to-date Shopify session token (refreshed every two seconds).
Alternatively, you can simply add the .session-token class to any element. If it's an input, it will add value="{{ current_token }}"; if it's not an input, it will add data-value="{{ current_token }}".