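// OAuth callback: Shopify redirects the merchant's browser back here from the
// Shopify authorization page. Every query parameter is attacker-controllable
// until the state, shop hostname and HMAC checks below have passed, so the
// authorization code is only exchanged (and the client secret only sent)
// after all three succeed.
app.get('/auth/shopify/callback', (req, res) => {
  // Required locally because the file's top-level import block is not part of
  // this block; both modules are Node built-ins.
  const crypto = require('crypto');
  const querystring = require('querystring');

  const { code, hmac, state, shop } = req.query;

  // Express can parse repeated or bracketed parameters into arrays/objects;
  // only plain, non-empty strings are acceptable here.
  const isNonEmptyString = (value) => typeof value === 'string' && value.length > 0;
  if (![code, hmac, state, shop].every(isNonEmptyString)) {
    return res.status(400).send('Missing or malformed OAuth callback parameters.');
  }

  // Verify that the state value matches the one you generated and stored.
  // NOTE(review): storedState is defined outside this block; it should be
  // bound to the user's session and invalidated after one use. Confirm.
  if (state !== storedState) {
    return res.status(403).send('State mismatch. Potential CSRF attack.');
  }

  // The shop value becomes the host of the token request below. Without this
  // check, the client secret and code would be POSTed to whatever host the
  // query string names.
  const shopHostnamePattern = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;
  if (!shopHostnamePattern.test(shop)) {
    return res.status(400).send('Invalid shop parameter.');
  }

  // Verify the HMAC: all parameters except `hmac`, sorted by key, joined as
  // key=value pairs and signed with the app secret using HMAC-SHA256.
  // NOTE(review): confirm this canonicalisation (percent-encoding of values)
  // against Shopify's current OAuth documentation.
  const signedKeys = Object.keys(req.query).filter((key) => key !== 'hmac').sort();
  if (signedKeys.some((key) => typeof req.query[key] !== 'string')) {
    return res.status(400).send('Missing or malformed OAuth callback parameters.');
  }
  const message = signedKeys
    .map((key) => `${querystring.escape(key)}=${querystring.escape(req.query[key])}`)
    .join('&');

  const clientSecret = process.env.CLIENT_SECRET;
  if (!clientSecret) {
    console.error('CLIENT_SECRET is not configured; cannot validate the OAuth callback.');
    return res.status(500).send('Server misconfiguration.');
  }

  const expectedDigest = Buffer.from(
    crypto.createHmac('sha256', clientSecret).update(message).digest('hex'),
    'utf8'
  );
  const providedDigest = Buffer.from(hmac, 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (
    expectedDigest.length !== providedDigest.length ||
    !crypto.timingSafeEqual(expectedDigest, providedDigest)
  ) {
    return res.status(400).send('HMAC validation failed.');
  }

  // Exchange the authorization code for an access token.
  const accessTokenRequest = {
    uri: `https://${shop}/admin/oauth/access_token`,
    method: 'POST',
    form: {
      client_id: process.env.CLIENT_ID,
      client_secret: clientSecret,
      code,
    },
    json: true,
  };

  request(accessTokenRequest, (error, response, body) => {
    const succeeded =
      !error &&
      response.statusCode === 200 &&
      body != null &&
      typeof body.access_token === 'string';

    if (!succeeded) {
      // `error` is null on a non-200 reply, so log the status code as well.
      console.error(
        'Error getting access token:',
        error || `unexpected response (status ${response && response.statusCode})`
      );
      return res.status(502).send('Could not complete the Shopify authorization.');
    }

    // Step 5: The Store & Call - store the access token securely and use it
    // to make Shopify API requests.
    // NOTE(review): accessToken is declared outside this block, so a single
    // variable would hold the token for every shop. Persist it per shop in
    // protected storage instead.
    accessToken = body.access_token;

    // Never write the token itself to logs; it is a bearer credential.
    console.log(`Access token obtained for ${shop}`);
    return res.status(200).send('Authorization complete.');
  });
});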