├── .eslintrc ├── .gitignore ├── .nvmrc ├── LICENSE ├── README.md ├── index.js ├── package.json └── sample.env /.eslintrc: -------------------------------------------------------------------------------- 1 | { 2 | "parserOptions": { 3 | "ecmaVersion": 6 4 | }, 5 | "env": { 6 | "node": true 7 | }, 8 | "extends": "eslint:recommended", 9 | "rules": { 10 | "no-console": "warn", 11 | "indent": [ 12 | "error", 13 | 4 14 | ], 15 | "linebreak-style": [ 16 | "error", 17 | "unix" 18 | ], 19 | "quotes": [ 20 | "error", 21 | "single" 22 | ], 23 | "semi": [ 24 | "error", 25 | "always" 26 | ] 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.log 3 | .env 4 | .npm 5 | .DS_Store 6 | .coverage 7 | .idea/ 8 | node_modules 9 | tags 10 | -------------------------------------------------------------------------------- /.nvmrc: -------------------------------------------------------------------------------- 1 | 6.9 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 J. Voigt 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # shopify auth demo 2 | 3 | Quick demo showing how to use [`shopify-token`] with [express](https://expressjs.com) for the [shopify oauth flow]. 4 | 5 | ## Usage 6 | 7 | First `npm run configure`, to copy the `sample.env` file into `.env`, then update `.env` with your shopify app's api key, secret, and redirect uri. 8 | 9 | Then ... 10 | ``` 11 | source .env 12 | npm install 13 | npm start 14 | ``` 15 | 16 | Once the express app has started you'll see ... 17 | ``` 18 | open https://{PROXY_TO_LOCALHOST}/?shop={SHOP_TO_REQUEST_ACCESS} 19 | ``` 20 | 21 | `SHOP_TO_REQUEST_ACCESS` should be the name of a shop that you administer. This will initiate the oauth flow and callout to the Shopify provider, prompting you to authenticate with the shop and explicitly grant the app access. 22 | 23 | The shop name is reflected in the url used to access the shop's storefront (`SHOP.myshopify.com`). For example, if you have admin level access to a shop named "autopints" (`autopints.myshopify.com`), you can grant your app access to the shop via `https://{PROXY_TO_LOCALHOST}/?shop=autopints`. 24 | 25 | `PROXY_TO_LOCALHOST` should be a proxy to `http://localhost:8080`, e.g., a localtunnel that reflects your shopify app's redirect uri. 26 | 27 | For example, suppose you set your app's redirect uri to `https://acme.localtunnel.me`. Start the localtunnel proxy with `lt --port 8080 --subdomain acme`. Then open `https://acme.localtunnel.me/?shop=autopints` to initiate the oauth flow. 28 | -------------------------------------------------------------------------------- /index.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | const express = require('express'); 4 | const session = require('express-session'); 5 | const Auth = require('shopify-token'); 6 | 7 | const auth = new Auth({ 8 | 'apiKey': process.env.SHOPIFY_API_KEY, 9 | 'sharedSecret': process.env.SHOPIFY_SECRET, 10 | 'redirectUri': process.env.SHOPIFY_REDIRECT_URI, 11 | 'scopes': ['read_orders', 'read_products', 'read_customers', 12 | 'write_orders'] 13 | }); 14 | 15 | const app = express(); 16 | 17 | 18 | app.use(session({ 19 | secret: 'icanhascheezburger', 20 | saveUninitialized: false, 21 | resave: false 22 | })); 23 | 24 | 25 | app.get('/', (req, res) => { 26 | 27 | if (req.session.token) return res.send(`Token ${req.session.token}`); 28 | 29 | // generate a random nonce 30 | const nonce = auth.generateNonce(); 31 | 32 | // generate the authorization URL 33 | const uri = auth.generateAuthUrl(req.query.shop, undefined, nonce); 34 | 35 | // save nonce in session for later verification 36 | req.session.state = nonce; 37 | res.redirect(uri); 38 | }); 39 | 40 | 41 | app.get('/callback', (req, res) => { 42 | 43 | const state = req.query.state; 44 | 45 | if ( 46 | typeof state !== 'string' || 47 | state !== req.session.state || // validate state 48 | !auth.verifyHmac(req.query) // validate hmac 49 | ) { 50 | return res.status(400).send('Security check failed'); 51 | } 52 | 53 | // exchange auth code for permanent access token 54 | auth.getAccessToken(req.query.shop, req.query.code) 55 | .then((token) => { 56 | 57 | console.log(token); 58 | req.session.token = token; 59 | req.session.state = undefined; 60 | res.redirect('/'); 61 | }) 62 | .catch((err) => { 63 | 64 | console.error(err.stack); 65 | res.status(500).send(err); 66 | }); 67 | }); 68 | 69 | const msg = 'open https://{PROXY_TO_LOCALHOST}/?shop={SHOP_TO_REQUEST_ACCESS}'; 70 | app.listen(8080, () => console.log(msg)); 71 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "shopify-auth-demo", 3 | "version": "0.0.1", 4 | "description": "quick demo of shopify-token using express", 5 | "main": "index.js", 6 | "scripts": { 7 | "start": "node index.js", 8 | "test": "echo \"Error: no test specified\" && exit 1", 9 | "configure": "cp sample.env .env" 10 | }, 11 | "repository": { 12 | "type": "git", 13 | "url": "git+https://github.com/joyrexus/shopify-auth-demo.git" 14 | }, 15 | "keywords": [ 16 | "shopify", 17 | "oauth2", 18 | "express" 19 | ], 20 | "author": "joyrexus", 21 | "license": "MIT", 22 | "bugs": { 23 | "url": "https://github.com/joyrexus/shopify-auth-demo/issues" 24 | }, 25 | "homepage": "https://github.com/joyrexus/shopify-auth-demo#readme", 26 | "dependencies": { 27 | "express": "^4.15.2", 28 | "express-session": "^1.15.1", 29 | "shopify-token": "^3.0.0" 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /sample.env: -------------------------------------------------------------------------------- 1 | export SHOPIFY_API_KEY="your shopify app's api key" 2 | export SHOPIFY_SECRET="your shopify app's secret" 3 | export SHOPIFY_REDIRECT_URI="your shopify app's redirect uri" 4 | --------------------------------------------------------------------------------