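/**
 * OAuth callback: Shopify redirects the merchant's browser here after the
 * authorization page, with `code`, `hmac`, `state` and `shop` in the query string.
 *
 * The handler checks the anti-CSRF `state`, validates `shop` before using it as
 * a hostname, and exchanges `code` for an access token. It always sends exactly
 * one HTTP response.
 *
 * NOTE(review): `req.query.hmac` is not verified in this handler. Shopify signs
 * the callback query string with HMAC-SHA256 keyed by the app's client secret;
 * that signature should be checked (with a constant-time comparison) before
 * `shop` or `code` are trusted.
 */
app.get('/auth/shopify/callback', (req, res) => {
  const { code, state, shop } = req.query;

  // Verify that the state value matches the one you generated and stored.
  // The type/emptiness guard matters: without it a request with no `state`
  // passes whenever `storedState` is also undefined.
  // NOTE(review): `storedState` is defined outside this block; presumably it
  // should be per-session and discarded after one use — confirm.
  if (typeof state !== 'string' || state.length === 0 || state !== storedState) {
    return res.status(403).send('State mismatch. Potential CSRF attack.');
  }

  // `shop` is attacker-controllable and becomes the host that receives
  // CLIENT_SECRET below, so accept only a bare *.myshopify.com hostname.
  const shopHostPattern = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;
  if (typeof shop !== 'string' || !shopHostPattern.test(shop)) {
    return res.status(400).send('Invalid shop parameter.');
  }

  // A repeated query key is parsed as an array; require a single string code.
  if (typeof code !== 'string' || code.length === 0) {
    return res.status(400).send('Missing authorization code.');
  }

  // Exchange the authorization code for an access token.
  const accessTokenRequest = {
    uri: `https://${shop}/admin/oauth/access_token`,
    method: 'POST',
    form: {
      client_id: process.env.CLIENT_ID,
      client_secret: process.env.CLIENT_SECRET,
      code,
    },
    json: true,
  };

  request(accessTokenRequest, (error, response, body) => {
    const succeeded =
      !error &&
      response.statusCode === 200 &&
      body != null &&
      typeof body.access_token === 'string';

    if (!succeeded) {
      // Log the status only; the response body is not written to the log.
      console.error(
        'Error getting access token:',
        error || `unexpected response (status ${response && response.statusCode})`,
      );
      return res.status(502).send('Could not complete authorization.');
    }

    // Step 5: The Store & Call - Store the access token securely and use it to make Shopify API requests.
    // NOTE(review): `accessToken` is not declared in this block; presumably a
    // module-level variable. A single shared variable is overwritten by every
    // install — confirm and move to per-shop storage.
    accessToken = body.access_token;

    // The token is a bearer credential, so it is never written to the log.
    console.log(`Access token obtained for ${shop}.`);
    return res.status(200).send('Authorization complete.');
  });
});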