Implementing Secure OAuth Authentication
The OAuth install flow is the most vulnerable part of an app's lifecycle. I implemented a strict, stateful authentication flow to protect merchants from Cross-Site Request Forgery (CSRF).
- Nonce/State Validation: I generate a cryptographically secure random string (nonce) for every install request and verify it during the callback.
- Offline Access Tokens: I designed the app to use "Offline" access tokens, stored in an encrypted database, so background jobs can keep acting on the shop long after the merchant's session has ended.
- App Bridge Session Tokens: I migrated from cookies to Session Tokens (JWT) so the embedded app keeps working in "Incognito" mode and in modern browsers that restrict third-party cookies.
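As an added example that is not part of the original write-up, here is a minimal stateful nonce store of the kind the first bullet describes, in Python: each state value is generated from the OS CSPRNG, bound to the shop that started the install, expires after a short TTL, and is consumed on first use so a replayed callback fails. The in-memory store, the 300-second TTL and the example shop names are assumptions.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumption: an install handshake that takes longer than this is abandoned.
STATE_TTL_SECONDS = 300


class InstallStateStore:
    """Server-side record of pending install requests, keyed by nonce.

    Each nonce is bound to the shop that started the install, expires after
    STATE_TTL_SECONDS, and is consumed on first use so a replayed callback
    cannot succeed. Backed by a dict here; a real app uses a shared store.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}  # nonce -> (shop, issued_at)
        self._now = now

    def issue(self, shop: str) -> str:
        """Create the state value to send along with the authorize redirect."""
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[nonce] = (shop, self._now())
        return nonce

    def verify(self, shop: str, state: Optional[str]) -> bool:
        """Accept a callback only if its state is known, fresh, unused and
        was issued for the same shop that is now completing the install."""
        if not state:
            return False
        entry = self._pending.pop(state, None)  # single use, even on failure
        if entry is None:
            return False
        issued_for, issued_at = entry
        if self._now() - issued_at > STATE_TTL_SECONDS:
            return False
        # Constant-time comparison so the shop check leaks nothing via timing.
        return hmac.compare_digest(issued_for.encode(), shop.encode())


def demo() -> Tuple[bool, bool, bool]:
    """Constructed walk-through: valid callback, replayed callback, cross-shop use."""
    store = InstallStateStore()
    state = store.issue("example-store.myshopify.com")
    first = store.verify("example-store.myshopify.com", state)
    replay = store.verify("example-store.myshopify.com", state)
    other = store.verify("other-store.myshopify.com",
                         store.issue("example-store.myshopify.com"))
    return first, replay, other
```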