Your application will receive GET requests with a token and email for verification. Here's how to handle them:
- Set up your application to handle GET requests to the /landing endpoint.
- Extract two query parameters:
  - token: The verification token
  - email: The customer's email (URL-encoded)
The email is URL-encoded and wrapped in quotes. Decode it like this:
```javascript
const decodedEmail = decodeURIComponent(email).replace(/^"(.*)"$/, '$1');
```
Use a function like this to verify the token:
```javascript
import crypto from 'crypto';

// Recompute the HMAC-SHA256 of the email under the shared secret and compare it
// with the token from the query string in constant time, so response timing
// does not leak how many leading characters of a guessed token were correct.
function verifyToken(email, token, secretKey) {
  if (typeof email !== 'string' || typeof token !== 'string') return false;
  const expectedToken = crypto
    .createHmac('sha256', secretKey)
    .update(email)
    .digest('hex');
  const given = Buffer.from(token, 'utf8');
  const expected = Buffer.from(expectedToken, 'utf8');
  // timingSafeEqual throws on buffers of different length, so check that first
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```
Example implementation:
```javascript
app.get('/landing', (req, res) => {
  const { token, email } = req.query;
  // Query values can be missing or repeated (arrays); only accept plain strings
  if (typeof token !== 'string' || typeof email !== 'string') {
    return res.status(400).send('Missing token or email');
  }
  // The email arrives URL-encoded and wrapped in quotes; strip the quotes
  const decodedEmail = decodeURIComponent(email).replace(/^"(.*)"$/, '$1');
  if (verifyToken(decodedEmail, token, process.env.SECRET_KEY)) {
    // Token is valid, proceed with your application logic
    res.send('Welcome! Your token is valid.');
  } else {
    // Token is invalid
    res.status(401).send('Invalid token');
  }
});
```
- Ensure your SECRET_KEY matches the one used by the Gadget app to generate tokens.
- Always use HTTPS in production to protect the token and email in transit.
- Implement rate limiting to prevent abuse of your endpoint.
- Test by visiting the URL directly in a browser or using tools like curl or Postman.
- Modify the token or email slightly to ensure invalid requests are rejected.
Remember: The security of this system relies on keeping the SECRET_KEY
confidential and securely stored on your server.
Hi Sean,
What is the verification token?
Is this the code Shopify generates after the user authentication?
Could this be used to load the online access token by using [POST] https://{storename}.myshopify.com/admin/oauth/access_token API ?