Shopify Express EASDK Session middleware
A small Express middleware for authenticating Shopify EASDK sessions. When a shop is authenticated, the shop's hostname is available at req.authenticatedShopName
.
The module authenticates the user by reading the query string which is provided by the EASDK iframe and verifies its HMAC signature. The session is then stored in a signed cookie to make it available on subsequent requests. No database is necessary.
const shopifyExpressEasdkSession = ; app;
The middleware will:
- detect a HMAC-signed set of query parameters from Shopify
- set a signed cookie to remember the session
This lets you access req.authenticatedShopName
if a shop is authenticated. The value is a shop hostname, like example.myshopify.com
if a shop is authenticated, otherwise it's null. A shop is authenticated if an HMAC-signed query string is present (the EASDK iframe sets this) or if a signed secure cookie is present. The cookie is set on a successful request authenticated by the query string.
Usage
Attach the middleware to Express to check if a shop is authenticated.
You can protect a request handler from unauthenticated requests by checking for req.authenticatedShopName
and redirecting if it's absent.
app; app;
Requirements
cookie-parser
middleware (attached before this middleware) with a secret key. This is required because this middleware uses signed cookies. The secret key isn't related to the shopifyClientSecret option but you can use the same value.