
Shopify Authentication, Database Structure & Limits

Summary of Changes (this table keeps traceability and lets the Product team highlight what was changed in the scope based on comments or discussions):

Version | Date Created / Updated | Notes
v1.0 | Hristiyan | First publish

API Docs: https://shopify.dev/docs/api/usage/authentication

All REST Admin API queries require a valid Shopify access token.

Public and custom apps created in the Partner Dashboard generate tokens using OAuth, and custom apps made in the Shopify admin are authenticated in the Shopify admin. We will have a custom app made in the Shopify admin, so we will need to generate a link that leads the store's admin to install our app in Shopify.

Since an app will be created per customer, each app will have its own separate Client ID and Client Secret. We want to link to the integration_credentials table and keep those details there (for the time being they will have to be added manually, since they differ for each app/client). Currently we keep them in the Account Shopify table, but we want to remove them from there for security reasons.

We also need to request specific access scopes during the app install process. Naturally we will request all access scopes, as this gives us all the access needed to fully manage the connection between Hemi and Shopify.

This link should be available as a button named “Generate Install Link” in the Account Shopify table.

The link should be as follows:

https://{shopname}.myshopify.com/admin/oauth/authorize?client_id={client_id}&scope=read_orders,write_orders,read_assigned_fulfillment_orders,write_assigned_fulfillment_orders,read_checkouts,write_checkouts,read_content,write_content,read_customer_merge,write_customer_merge,read_customers,write_customers,read_discounts,write_discounts,read_draft_orders,write_draft_orders,read_files,write_files,read_fulfillments,write_fulfillments,read_gift_cards,write_gift_cards,read_inventory,write_inventory,read_legal_policies,read_locales,write_locales,read_locations,read_metaobject_definitions,write_metaobject_definitions,read_metaobjects,write_metaobjects,read_marketing_events,write_marketing_events,read_merchant_managed_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_orders,write_orders,read_payment_terms,write_payment_terms,read_price_rules,write_price_rules,read_products,write_products,read_product_listings,read_publications,write_publications,read_purchase_options,write_purchase_options,read_reports,write_reports,read_resource_feedbacks,write_resource_feedbacks,read_script_tags,write_script_tags,read_shipping,write_shipping,read_shopify_payments_disputes,read_shopify_payments_payouts,read_returns,write_returns,read_themes,write_themes,read_translations,write_translations,read_third_party_fulfillment_orders,write_third_party_fulfillment_orders,read_order_edits,write_order_edits&redirect_uri=https://hemi.ai&state=code

Mapping:

Link field | Hemi Field
{shopname} | Account Shopify > Name of the shop
{client_id} | Integration Credentials > Client ID

After the client successfully installs the Hemi app, they will be redirected to the Hemi.ai website (or Threecolts). The URL after the redirect will contain the Code field, which is required for us to request the access token. Instead of asking clients to provide us with the Code, we need to find a way to automate this and obtain the code via callbacks, for example.

Once we have the Code we need to generate the access token. Documentation for this can be found here: https://shopify.dev/docs/apps/auth/oauth/getting-started

We need to make a POST call: POST https://{shop}.myshopify.com/admin/oauth/access_token?client_id={client_id}&client_secret={client_secret}&code={authorization_code}

Example response of the call:

{
  "access_token": "f85632530bf277ec9ac6f649fc327f17",
  "scope": "write_orders,read_customers"
}

Once we have the access_token we need to store it in integration_credentials > Access Token and send it as an X-Shopify-Access-Token header on all API queries.


How I think the authorization should look for Shopify as a marketplace.

API Docs: https://shopify.dev/docs/api/usage/authentication

Shopify has 4 different types of apps that allow us to integrate with the Shopify Admin REST API. All of them authenticate with an access token, generated either by us or by the client, which never expires.

Custom App - An app manually created and set up by us via our Shopify Partner portal, not listed on the App Store, and dedicated to one particular customer with its own app credentials. To install the app we have to obtain the code and generate tokens.

Private App - An app listed on the Shopify App Store but private, so only authorized users can use it; many user integrations can share a single private app. To install the app we have to obtain the code and generate tokens.

Public App - An app listed on the Shopify App Store and visible to everyone, so anyone with a Shopify store can install and authorize it; many user integrations can share a single public app. To install the app we have to obtain the code and generate tokens.

Internal App - An app created directly by the client within their Shopify store. The client shares the access token with us, so no additional authorization or token generation is needed; we just use the shared access token.

In order to cover all possible scenarios for App authorization we will need to have the following setup:

We want to store all our app details in the Integration and Integration Credentials tables, so that more than one Shopify application can be available based on client needs. For every app we will have an Integration record and the Integration Credentials, which are client_id and client_secret.

In Account Shopify we will need to be able to have:

Hemi Field | Type | Required | Description
Integration App | Dropdown | No | All available Shopify credentials from Integration and Integration Credentials
Access Scopes | Table - simple with Text Boxes only | No | We want this on a separate tab under the Shopify Account table with predefined values: ”read_assigned_fulfillment_orders,write_assigned_fulfillment_orders,read_checkouts,write_checkouts,read_content,write_content,read_customer_merge,write_customer_merge,read_customers,write_customers,read_discounts,write_discounts,read_draft_orders,write_draft_orders,read_files,write_files,read_fulfillments,write_fulfillments,read_gift_cards,write_gift_cards,read_inventory,write_inventory,read_legal_policies,read_locales,write_locales,read_locations,read_metaobject_definitions,write_metaobject_definitions,read_metaobjects,write_metaobjects,read_marketing_events,write_marketing_events,read_merchant_managed_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_orders,write_orders,read_payment_terms,write_payment_terms,read_price_rules,write_price_rules,read_products,write_products,read_product_listings,read_publications,write_publications,read_purchase_options,write_purchase_options,read_reports,write_reports,read_resource_feedbacks,write_resource_feedbacks,read_script_tags,write_script_tags,read_shipping,write_shipping,read_shopify_payments_disputes,read_shopify_payments_payouts,read_returns,write_returns,read_themes,write_themes,read_translations,write_translations,read_third_party_fulfillment_orders,write_third_party_fulfillment_orders,read_order_edits,write_order_edits,read_all_orders”
Access Token | Encrypted Field | No | Populated either manually or by callbacks. If an access token is populated, this means we are authorized.
Name of the shop | Text Field | Yes | The name of the Shopify store. Example: for the store test.myshopify.com the name we want to store is “test”.
Location | Dropdown | No | All Shopify Locations which we get from their store.
Orders Source Name Filter | Text Field | No | Used if we want to filter orders based on the source.
Send Shipping Confirmation | Checkbox | No | Yes/No option for whether to send customer emails when an order is shipped.
Client Email | Text Field | No | The email to which we want to send the authorization link.
Oauth Began/Generate Install Link | Checkbox/Button | No | Button or checkbox TBD? If Client Email is empty, disable the button/return an error.
Get Collections | Button | - | Get all store collections into a csv file. If Access Token is empty, the button should be disabled.
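An added example in Python (not part of the original page or of Hemi's code) showing how the Access Scopes field above can be normalized before it goes into the install link, and how the scope string that comes back with the access token can be compared with what was requested, so a partially granted install is noticed rather than discovered later as 403s. Function names are my own; the rule that a granted write_x also covers read_x is an assumption taken from Shopify's scope documentation.

```python
import re

# Shopify scope names have the form read_<resource> or write_<resource>.
SCOPE_RE = re.compile(r"^(read|write)_[a-z][a-z_]*$")


def parse_scopes(field_text):
    """Normalize the Access Scopes field as pasted into Hemi: strip surrounding quotes
    (straight or curly) and whitespace, split on commas, drop blanks and duplicates
    while keeping order, and reject anything that is not a read_*/write_* name."""
    cleaned = field_text.strip().strip('"\u201c\u201d').strip()
    scopes, seen = [], set()
    for raw in cleaned.split(","):
        scope = raw.strip()
        if not scope:
            continue
        if not SCOPE_RE.match(scope):
            raise ValueError(f"malformed scope: {scope!r}")
        if scope not in seen:
            seen.add(scope)
            scopes.append(scope)
    return scopes


def scope_query_value(field_text):
    """The value to place after scope= in the install link."""
    return ",".join(parse_scopes(field_text))


def missing_scopes(requested, granted_scope_field):
    """Compare the scopes we asked for with the `scope` string in the access-token
    response. Assumption: a granted write_<x> also covers read_<x>."""
    granted = set(parse_scopes(granted_scope_field))
    implied = {s.replace("write_", "read_", 1) for s in granted if s.startswith("write_")}
    effective = granted | implied
    return [s for s in requested if s not in effective]


if __name__ == "__main__":
    # Constructed input: a pasted field with curly quotes, spacing and a duplicate.
    requested = parse_scopes("\u201cread_orders, write_orders,read_customers,write_customers,read_orders\u201d")
    print(scope_query_value(",".join(requested)))
    # Constructed reply matching the sample token response on this page.
    print("not granted:", missing_scopes(requested, "write_orders,read_customers"))
```

Running missing_scopes against the sample response on this page reports write_customers as not granted, which is the kind of gap the Access Token field alone does not reveal.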

When we have an Internal App we will have to add the Access Token shared by the client manually in Hemi, and there won't be any additional authorization via emails and callbacks.

When we have a Custom App, Private App or Public App we need to generate the access token ourselves, so we send an email to the Client Email set in Hemi containing the authorization link, which is generated like this:

https://{shopname}.myshopify.com/admin/oauth/authorize?client_id={client_id}&scope={access_scopes}&redirect_uri=https://hemi.ai&state=code

Mapping:

Link Name | Hemi Field
{shopname} | Account Shopify > Name of the shop
{client_id} | Account Shopify > Integration App
{access_scopes} | Account Shopify > Access Scopes

Once the email is generated we send it to the right client, who must have admin access to their Shopify store; following the link prompts them to install our app. After the installation is completed the client is redirected to the actual redirect_uri=https://hemi.ai (which can differ based on the App setup in Shopify Partners), and after the redirect we obtain the code from the redirected URL with our callbacks. This code is then used to generate the access token:

Doc: https://shopify.dev/docs/apps/auth/oauth/getting-started

API: POST https://{shop}.myshopify.com/admin/oauth/access_token?client_id={client_id}&client_secret={client_secret}&code={authorization_code}

Mapping:

Url Field | Hemi Field
{shop} | Account Shopify > Name of the shop
{client_id} | Account Shopify > Integration App
{client_secret} | Account Shopify > Integration App
{authorization_code} | From the redirect URL callbacks.

Sample Response:

{
  "access_token": "f85632530bf277ec9ac6f649fc327f17",
  "scope": "write_orders,read_customers"
}

Once we have the access_token we need to store it encrypted in Account Shopify > Access Token and send it as an X-Shopify-Access-Token header on all API requests.
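The install-link, callback and token-exchange steps described in both sections above, as an added Python example that is not code from the original page or from Hemi's code base. It assumes the Integration Credentials record and the per-shop "OAuth began" state live in the hypothetical INTEGRATION_CREDENTIALS and PENDING_STATES dicts (constructed values), uses a random per-shop state nonce in place of the fixed state=code shown in the link so that a callback can be matched to a link we actually issued, checks the shop parameter and the hmac that Shopify appends to the redirect before trusting the code, and sends client id, secret and code in the POST body (which Shopify accepts) rather than in the query string so the secret stays out of URL and proxy logs. The page's sample token response is used as a constructed endpoint reply.

```python
import hashlib
import hmac
import json
import re
import secrets
import urllib.parse
import urllib.request

# Hypothetical in-memory stand-ins for the Integration Credentials record and the
# per-shop pending state in Account Shopify. All values are constructed, not real.
INTEGRATION_CREDENTIALS = {"client_id": "example-client-id", "client_secret": "example-client-secret"}
PENDING_STATES = {}  # shop name -> random state nonce issued with the install link
REDIRECT_URI = "https://hemi.ai"
SHOP_DOMAIN_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")


def build_install_link(shop_name, scopes, client_id=None):
    """Generate the install link. state is a fresh random nonce remembered per shop,
    so the callback can later be matched to a link we issued."""
    client_id = client_id or INTEGRATION_CREDENTIALS["client_id"]
    state = secrets.token_urlsafe(32)
    PENDING_STATES[shop_name] = state
    query = urllib.parse.urlencode(
        {"client_id": client_id, "scope": ",".join(scopes), "redirect_uri": REDIRECT_URI, "state": state},
        safe=",",
    )
    return f"https://{shop_name}.myshopify.com/admin/oauth/authorize?{query}"


def callback_signature(params, client_secret):
    """HMAC-SHA256 over the callback query parameters as Shopify documents it: drop hmac,
    sort the rest by key, join as key=value with &, and key with the client secret."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(client_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(params, client_secret=None):
    """Validate the redirect back to us and return (shop_name, code).
    Raises ValueError if the shop domain, state or hmac does not check out."""
    client_secret = client_secret or INTEGRATION_CREDENTIALS["client_secret"]
    shop_domain = params.get("shop", "")
    if not SHOP_DOMAIN_RE.match(shop_domain):
        raise ValueError("shop is not a *.myshopify.com domain")
    shop_name = shop_domain[: -len(".myshopify.com")]
    expected_state = PENDING_STATES.get(shop_name, "")
    if not expected_state or not hmac.compare_digest(expected_state, params.get("state", "")):
        raise ValueError("state does not match an install link we issued")
    if not hmac.compare_digest(callback_signature(params, client_secret), params.get("hmac", "")):
        raise ValueError("hmac does not verify")
    PENDING_STATES.pop(shop_name, None)  # one-time use: a replayed callback fails the state check
    return shop_name, params["code"]


def token_exchange_request(shop_name, code, creds=None):
    """Build the POST that trades the code for an access token; the secret goes in
    the form body rather than the query string."""
    creds = creds or INTEGRATION_CREDENTIALS
    url = f"https://{shop_name}.myshopify.com/admin/oauth/access_token"
    body = urllib.parse.urlencode(
        {"client_id": creds["client_id"], "client_secret": creds["client_secret"], "code": code}
    ).encode()
    return url, body


def exchange_code(shop_name, code, post=None):
    """Return (access_token, granted_scopes). post(url, body) -> bytes is injectable so
    the flow can run offline; the default performs the real HTTPS POST."""
    url, body = token_exchange_request(shop_name, code)
    if post is None:
        def post(url, body):
            req = urllib.request.Request(url, data=body, method="POST",
                                         headers={"Content-Type": "application/x-www-form-urlencoded"})
            with urllib.request.urlopen(req) as resp:
                return resp.read()
    data = json.loads(post(url, body))
    return data["access_token"], data["scope"].split(",")


def api_headers(access_token):
    """Headers for every subsequent Admin API request."""
    return {"X-Shopify-Access-Token": access_token, "Content-Type": "application/json"}


if __name__ == "__main__":
    # Offline walk-through with constructed values: issue a link, simulate the signed
    # callback Shopify would send, and exchange the code against a fake endpoint.
    link = build_install_link("test", ["read_orders", "write_orders"])
    cb = {"code": "constructed-code", "shop": "test.myshopify.com",
          "state": PENDING_STATES["test"], "timestamp": "1700000000"}
    cb["hmac"] = callback_signature(cb, INTEGRATION_CREDENTIALS["client_secret"])
    shop, code = verify_callback(cb)
    sample = b'{"access_token": "f85632530bf277ec9ac6f649fc327f17", "scope": "write_orders,read_customers"}'
    token, granted = exchange_code(shop, code, post=lambda url, body: sample)
    print(link)
    print(api_headers(token), granted)
```

The post argument exists only so the exchange can be exercised without network access; in Hemi's callback handler the default request would run, and the returned token would be written to the encrypted Access Token field while the pending state for that shop is cleared.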
