Colocate where the public and private Storefront API tokens are configured

[benjaminsehl]

This is already mentioned in #1879, however it's more important as it is a blocker to easily supporting posts outside of Oxygen, so I'm noting this as a separate issue as it can be done before some of the breaking changes mentioned in that other issue.

@frandiox — would you mind taking this?

@zkoch and I were thinking of having this done inside the hydrogen.config.js file — but I believe @jplhomer had some issues with that. We need to make it obvious how you go about creating and deploying Hydrogen apps to environments outside of Oxygen, and it's not ideal to have to rely on vendors to provide their own approach (especially in the case of Docker deployments). So in solving this, we should also be updating the documentation on deployments to make sure that server tokens are highlighted as a step you should make sure you've completed (cc: @rennyG)

[frandiox]

@benjaminsehl @davecyen I'm not very familiar with the private (server-to-server) token. I assume it will be a simple environment variable passed in config.shopify.privateStorefrontToken (or similar) like the others?

If I don't remember wrong, the issue Josh had in mind with this was mixing the private token with public information in config.shopify. We could move it to config.privateShopifyStorefrontToken or similar instead, if this is a concern.
If we decide to mix it in config.shopify, we need to make sure we never leak it to the browser (I think this is not hard).

[blittle]

I think that was the issue, a private variable and a public variable. Generally private tokens should not be in version control. The config file is in version control.

[rennyG]

Created an issue to capture, will hit up @blittle and @frandiox for details!

[rennyG]

This is the issue for the docs work