Shopify Apps


I’m developing a new app (which is also my first) for the Shopify store. In the main page of my app (e.g. https://admin.shopify.com/store/[a-test-store]/apps/[my-app]) I’ve created a page according to the documented examples.

 

This page (opened in an IFrame within the Shopify admin) uses the HMAC so I can verify that it’s being opened by Shopify, and to get the current store. Using this information I can get information relevant to that store (using a previously stored token).

 

My question is, what’s the recommended way to make additional API calls from within that page to my server? For example, navigate to another page, or make an API call to my server. I want to make sure that the calls made by my app aren’t spoofed.

 

Is there an existing best practice? Should I create my own signing method (similar to the HMAC)? Create a token system (generated once I authenticated the first page using its HMAC)?

 

Am I missing something altogether and this isn’t necessary?

 

Thanks.
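
One way to realise the token idea raised in the question, as an added example (not code from the original post or from Shopify): verify the `hmac` on the page-load request, then issue a short-lived, shop-bound token that later calls must present. The canonical form (sorted `key=value` pairs joined with `&`, hex HMAC-SHA256), the function names, the token format and all sample values are assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qsl

def _mac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_params(params: dict, secret: bytes) -> str:
    # Assumed canonical form: sorted key=value pairs joined with '&'.
    msg = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return _mac(secret, msg.encode())

def verify_load_request(query_string: str, secret: bytes):
    """Return the parameters if the 'hmac' parameter is valid, else None."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    received = params.pop("hmac", "")
    expected = sign_params(params, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode(), received.encode())
    return params if ok else None

def issue_token(shop: str, key: bytes, ttl: int = 300, now=None) -> str:
    """Short-lived token bound to one shop, for follow-up calls from the page."""
    exp = int(time.time() if now is None else now) + ttl
    claims = json.dumps({"shop": shop, "exp": exp}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return f"{body}.{_mac(key, body.encode())}"

def verify_token(token: str, key: bytes, now=None):
    """Return the shop the token was issued for, or None if forged or expired."""
    body, _, tag = token.partition(".")
    # Check the MAC before parsing, so untrusted bytes never reach the decoder.
    if not hmac.compare_digest(_mac(key, body.encode()).encode(), tag.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    return claims["shop"] if now < claims["exp"] else None

# Constructed sample values, not real credentials.
APP_SECRET = b"constructed-app-secret"
TOKEN_KEY = b"constructed-token-key"  # separate key: tokens cannot double as load MACs
SAMPLE = {"shop": "a-test-store.myshopify.com", "timestamp": "1700000000"}
SAMPLE_QUERY = ("shop=a-test-store.myshopify.com&timestamp=1700000000&hmac="
                + sign_params(SAMPLE, APP_SECRET))
```

The server takes the shop from the verified token rather than from any request parameter, so a caller cannot switch stores by editing the URL.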


