Struct AuthQuery

Source

pub struct AuthQuery {
    pub code: String,
    pub shop: String,
    pub timestamp: String,
    pub state: String,
    pub host: String,
    pub hmac: String,
}

Expand description

OAuth callback query parameters from Shopify.

This struct represents all the query parameters that Shopify sends to your redirect URI after a user authorizes your app. Use this with validate_auth_callback to verify the callback and exchange the code for an access token.

§Fields

All fields are strings as received from the query string:

code: Authorization code to exchange for tokens
shop: Shop domain (e.g., “example.myshopify.com”)
timestamp: Unix timestamp of the authorization
state: State parameter for CSRF verification
host: Base64-encoded host for embedded apps
hmac: HMAC signature for request validation

§Serialization

AuthQuery derives Serialize and Deserialize to facilitate parsing from query strings using web frameworks like Axum or Actix-web.

§Example

use shopify_sdk::auth::oauth::AuthQuery;

let query = AuthQuery::new(
    "auth-code".to_string(),
    "my-shop.myshopify.com".to_string(),
    "1699999999".to_string(),
    "csrf-state".to_string(),
    "aG9zdC12YWx1ZQ==".to_string(),
    "abc123def456".to_string(),
);

assert_eq!(query.code, "auth-code");
assert_eq!(query.shop, "my-shop.myshopify.com");

Fields§

§code: String

The authorization code from Shopify.

This code is exchanged for an access token via a POST request to https://{shop}/admin/oauth/access_token.

§shop: String

The shop domain that authorized the app.

This is the full domain (e.g., “example.myshopify.com”).

§timestamp: String

Unix timestamp of when the authorization was granted.

§state: String

The state parameter for CSRF protection.

This should match the state generated by begin_auth().

§host: String

Base64-encoded host for embedded apps.

Used by Shopify’s App Bridge for embedded app authentication.

§hmac: String

HMAC signature for verifying the request authenticity.

This is computed by Shopify using your API secret key.

Implementations§

Source §

impl AuthQuery

Source

pub const fn new( code: String, shop: String, timestamp: String, state: String, host: String, hmac: String, ) -> Self

Creates a new AuthQuery with all fields.

§Arguments

code - Authorization code from Shopify
shop - Shop domain
timestamp - Unix timestamp string
state - CSRF state parameter
host - Base64-encoded host
hmac - HMAC signature

§Example

use shopify_sdk::auth::oauth::AuthQuery;

let query = AuthQuery::new(
    "code123".to_string(),
    "shop.myshopify.com".to_string(),
    "1700000000".to_string(),
    "state456".to_string(),
    "host789".to_string(),
    "hmac012".to_string(),
);

Source

pub fn to_signable_string(&self) -> String

Converts the query parameters to a signable string for HMAC verification.

This produces a string suitable for HMAC computation by:

Excluding the hmac parameter
Sorting remaining parameters alphabetically by key
URI-encoding each value
Joining as key=value&key=value format

§Returns

A string ready for HMAC-SHA256 computation.

§Example

use shopify_sdk::auth::oauth::AuthQuery;

let query = AuthQuery::new(
    "code123".to_string(),
    "shop.myshopify.com".to_string(),
    "1700000000".to_string(),
    "state456".to_string(),
    "host789".to_string(),
    "hmac-ignored".to_string(),
);

let signable = query.to_signable_string();
// Parameters are sorted alphabetically: code, host, shop, state, timestamp
assert!(signable.starts_with("code="));
assert!(signable.contains("&shop="));
assert!(!signable.contains("hmac")); // hmac is excluded