Shopify/omniauth-shopify-oauth2

Verify HMAC in `setup` callback

EiNSTeiN- opened this issue · 0 comments

I'm opening this issue so I can fix it later on. In the setup callback we set the shop URL from the query parameters. Since we allow the authorize phase to be initiated in response to a GET request, it's possible for someone to maliciously force a user to go through the OAuth flow, and the app will receive a valid access token in response, all without user interaction. It would be much better to avoid login CSRF, so we should verify the HMAC and timestamp in the URL in the setup callback before initiating the authorize phase.
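The check the issue asks for, written out as an added example in Ruby. This is not code from omniauth-shopify-oauth2 or from the issue author; the module name `SetupHmacCheck`, the five-minute clock-skew window and the `myshopify.com` host pattern are assumptions, and the signed message format (every query parameter except `hmac`, sorted by key, joined as `key=value&key=value`, then HMAC-SHA256 hex-encoded with the app's shared secret) is assumed to match Shopify's published verification procedure. The sample secret and query strings are constructed for the demonstration.

```ruby
require 'openssl'
require 'uri'

# Hypothetical helper for a setup-phase check; not part of omniauth-shopify-oauth2.
module SetupHmacCheck
  # Assumed tolerance between the timestamp in the request and the server clock.
  MAX_SKEW_SECONDS = 5 * 60
  # Assumed shape of a legitimate shop parameter; rejects attacker-chosen hosts.
  SHOP_DOMAIN = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/

  # Message that is signed: all params except hmac (and the legacy signature),
  # sorted by key, joined as key=value&key=value (assumed per Shopify's docs).
  def self.expected_hmac(params, secret)
    message = params
      .reject { |k, _| %w[hmac signature].include?(k) }
      .sort_by { |k, _| k }
      .map { |k, v| "#{k}=#{v}" }
      .join('&')
    OpenSSL::HMAC.hexdigest('sha256', secret, message)
  end

  # Constant-time comparison so an attacker cannot learn the digest byte by
  # byte from response timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns [true, :ok] when the request may start the authorize phase, or
  # [false, reason] so the caller can log why the request was refused.
  def self.check(query_string, secret, now: Time.now.to_i)
    params = URI.decode_www_form(query_string).to_h
    shop, ts, provided = params.values_at('shop', 'timestamp', 'hmac')

    return [false, :bad_shop] unless shop && shop.match?(SHOP_DOMAIN)
    return [false, :missing_hmac] if provided.nil? || provided.empty?
    return [false, :bad_hmac] unless secure_equal?(provided, expected_hmac(params, secret))

    # The HMAC covers the timestamp, so only after it verifies is the
    # timestamp trustworthy; a stale one means a captured link is being replayed.
    return [false, :bad_timestamp] unless ts && ts.match?(/\A\d+\z/)
    return [false, :stale] if (now - ts.to_i).abs > MAX_SKEW_SECONDS

    [true, :ok]
  end

  def self.valid?(query_string, secret, now: Time.now.to_i)
    check(query_string, secret, now: now).first
  end

  # Produces a query string signed the same way; used here only to build
  # constructed sample input.
  def self.signed_query(params, secret)
    URI.encode_www_form(params.merge('hmac' => expected_hmac(params, secret)))
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-app-secret'
  now = 1_700_000_000
  good = SetupHmacCheck.signed_query({ 'shop' => 'example.myshopify.com', 'timestamp' => now.to_s }, secret)
  p SetupHmacCheck.check(good, secret, now: now)                  # [true, :ok]
  p SetupHmacCheck.check(good, secret, now: now + 3600)           # [false, :stale]
  p SetupHmacCheck.check(good.sub('example', 'evil'), secret, now: now)  # [false, :bad_hmac]
end
```

Calling `check` at the top of the setup callback, and refusing to set the shop URL or redirect to the authorize endpoint unless it returns `[true, :ok]`, means an attacker who merely sends a victim a crafted GET link cannot trigger the flow: the link would need a digest computed with the app's secret. The timestamp window limits how long a captured, legitimately signed link stays usable, but within that window it is still replayable, so the `state` nonce that OmniAuth generates remains necessary for the callback phase.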