Get an OAuth 2.0 access token for the Shopify API with ease
MIT License
This module helps you retrieve an access token for the Shopify REST API. It provides some convenience methods that can be used when implementing the OAuth 2.0 flow. No assumptions are made about your server-side architecture, allowing the module to easily adapt to any setup.
npm install --save shopify-token
The module exports a class whose constructor takes an options object.
new ShopifyToken(options)
Creates a new ShopifyToken
instance.
options
- A plain JavaScript object, e.g. { apiKey: 'YOUR_API_KEY' }
.apiKey
- Required - A string that specifies the API key of your app.sharedSecret
- Required - A string that specifies the shared secret of yourredirectUri
- Required - A string that specifies the URL where you want toscopes
- Optional - An array of strings or a comma-separated string that'read_content,read_themes'
. Defaults to'read_content'
.timeout
- Optional - A number that specifies the milliseconds to wait forgetAccessToken
method before aborting it. Defaults to 60000, or 1 minute.accessMode
- Optional - A string representing the API access'per-user'
to receive an accessagent
- Optional - An HTTPS agent which will be passed to the HTTPSA ShopifyToken
instance.
Throws a Error
exception if the required options are missing.
const ShopifyToken = require('shopify-token');
const shopifyToken = new ShopifyToken({
sharedSecret: '8ceb18e8ca581aee7cad1ddd3991610b',
redirectUri: 'http://localhost:8080/callback',
apiKey: 'e74d25b9a6f2b15f2836c954ea8c1711'
});
shopifyToken.generateNonce()
Generates a random nonce.
A string representing the nonce.
const nonce = shopifyToken.generateNonce();
console.log(nonce);
// => 212a8b839860d1aefb258aaffcdbd63f
shopifyToken.generateAuthUrl(shop[, scopes[, nonce[, accessMode]]])
Builds and returns the authorization URL where you should redirect the user.
shop
- A string that specifies the name of the user's shop.scopes
- An optional array of strings or comma-separated string to specifynonce
- An optional string representing the nonce. If not provided it willaccessMode
- An optional string dictating the API access mode. If notaccessMode
constructor option willA string representing the URL where the user should be redirected.
const url = shopifyToken.generateAuthUrl('dolciumi');
console.log(url);
// => https://dolciumi.myshopify.com/admin/oauth/authorize?scope=read_content&state=7194ee27dd47ac9efb0ad04e93750e64&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&client_id=e74d25b9a6f2b15f2836c954ea8c1711
shopifyToken.verifyHmac(query)
Every request or redirect from Shopify to the client server includes a hmac parameter that can be used to ensure that it came from Shopify. This method validates the hmac parameter.
query
- The parsed query string object.true
if the hmac is valid, else false
.
const ok = shopifyToken.verifyHmac({
hmac: 'd1c59b480761bdabf7ee7eb2c09a3d84e71b1d37991bc2872bea8a4c43f8b2b3',
signature: '184559898f5bbd1301606e7919c6e67f',
state: 'b77827e928ee8eee614b5808d3276c8a',
code: '4d732838ad8c22cd1d2dd96f8a403fb7',
shop: 'dolciumi.myshopify.com',
timestamp: '1452342558'
});
console.log(ok);
// => true
shopifyToken.getAccessToken(hostname, code)
Exchanges the authorization code for a permanent access token.
hostname
- A string that specifies the hostname of the user's shop. e.g.foo.myshopify.com
. You can get this from the shop
parameter passed bycode
- The authorization Code. You can get this from the code
parameterA Promise
which gets resolved with an access token and additional data. When
the exchange fails, you can read the HTTPS response status code and body from
the statusCode
and responseBody
properties which are added to the error
object.
const code = '4d732838ad8c22cd1d2dd96f8a403fb7';
const hostname = 'dolciumi.myshopify.com';
shopifyToken
.getAccessToken(hostname, code)
.then((data) => {
console.log(data);
// => { access_token: 'f85632530bf277ec9ac6f649fc327f17', scope: 'read_content' }
})
.catch((err) => console.err(err));