koa-shopify-auth
ACTIVE_SHOPIFY_SHOPS documentation and example
Overview/summary
There is little documentation in regard to the ACTIVE_SHOPIFY_SHOPS hash. Documentation mentions it is important, but does not give much detail.
Motivation
Current documentation in the tutorial (https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react/embed-your-app-in-shopify) reads:
Create the ACTIVE_SHOPIFY_SHOPS hash and track shops that complete OAuth. Your app needs this to decide whether a new shop needs to perform OAuth to install it:
Storing the active shops in memory will force merchants to go through OAuth again every time your server is restarted. We recommend you persist the shops to minimize the number of logins merchants need to perform.
The documentation does not make the following clear:
- Should this variable store active shops that only the current authorized user has installed this app on?
- Should this variable store a list of ALL shops across Shopify that have installed this app, regardless of the user?
- At what point should the current active shops be loaded? I would assume before auth is complete.
- How exactly is the ACTIVE_SHOPIFY_SHOPS related to the storing/recall of the user session?
- Is there any difference for online or offline session modes?
Hey @jt274, thanks for this. It was pointed out (https://github.com/Shopify/shopify-app-node/issues/575#issuecomment-801952798) that this approach is only actually suited for offline tokens, we'll update the examples and tutorials accordingly.
To answer your questions:
- Yes, the idea is to keep track of which shops have already gone through OAuth so we don't need to again. Since offline sessions never expire, apps can save OAuth trips by checking that before doing anything else.
- As I mentioned in my comment above, this only makes sense for offline tokens. For online tokens, the `/` endpoint should simply load the app skeleton and check whether there is a session via `verifyRequest` to trigger OAuth only when it becomes necessary.
- Since this is mostly helpful to prevent unnecessary OAuth trips, it should be done right before we would otherwise trigger an OAuth flow.
- It's not really related to sessions, it is only there to make app loading more efficient, so we don't trigger OAuth on every page refresh.
- As above!
Hope this helps! We'll also keep these questions in mind when we update the examples.
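An added illustration of the answer above, not code from koa-shopify-auth or from anyone in this thread: a persisted record of shops that completed OAuth, consulted right before OAuth would otherwise start, and only for offline tokens. `ShopStore`, `memoryBackend` and `routeRoot` are hypothetical names, and the in-memory backend stands in for a database or file.

```javascript
// Added example; ShopStore, memoryBackend and routeRoot are hypothetical names,
// not part of koa-shopify-auth.

// Constructed stand-in for a database or file: it lives outside any ShopStore
// instance, so its contents survive the simulated restart below.
function memoryBackend() {
  let blob = '{}';
  return { read: () => blob, write: (s) => { blob = s; } };
}

class ShopStore {
  constructor(backend) {
    this.backend = backend;
    // One entry per shop that has completed OAuth, across all merchants.
    this.shops = new Map(Object.entries(JSON.parse(backend.read())));
  }
  markInstalled(shop) {
    this.shops.set(shop, { installedAt: Date.now() });
    this.backend.write(JSON.stringify(Object.fromEntries(this.shops)));
  }
  has(shop) { return this.shops.has(shop); }
}

// Decision for the "/" endpoint.
function routeRoot({ shop, accessMode }, store) {
  if (!shop) return 'reject';
  // Online tokens: skip the store, load the app skeleton and let the session
  // check (verifyRequest in the thread) trigger OAuth when needed.
  if (accessMode === 'online') return 'load-app';
  // Offline tokens: consult the store right before OAuth would otherwise start.
  return store.has(shop) ? 'load-app' : 'start-oauth';
}

function demo() {
  const backend = memoryBackend();
  const store = new ShopStore(backend);
  const req = { shop: 'shop-a.myshopify.com', accessMode: 'offline' }; // constructed
  const firstVisit = routeRoot(req, store);          // not yet installed
  store.markInstalled(req.shop);                     // called once OAuth completes
  const restarted = new ShopStore(backend);          // simulated server restart
  const afterRestart = routeRoot(req, restarted);
  const otherShop = routeRoot({ ...req, shop: 'shop-b.myshopify.com' }, restarted);
  const memoryOnly = routeRoot(req, new ShopStore(memoryBackend())); // nothing persisted
  const online = routeRoot({ ...req, accessMode: 'online' }, restarted);
  return { firstVisit, afterRestart, otherShop, memoryOnly, online };
}

console.log(demo());
```

The `memoryOnly` case is what the tutorial's in-memory hash does after a restart: the record is gone, so the shop is sent through OAuth again.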
Hey @paulomarg, curious if you got an opportunity to update documentation & example around this.
Note that this repo is no longer maintained and this issue will not be reviewed. Prefer the official JavaScript API library. If you still want to use Koa, see simple-koa-shopify-auth for a potential community solution.