External Third Party API Calls

Gregarican
Shopify Partner

I have an external API web service that interfaces with Shopify via several different methods. And these are connected via a registered Shopify private app.

For example...a product that's selected in a Shopify page's IFrame is pushed into my web service in order to then create the Shopify product and add it to the customer's cart. Everything functionally works fine. The Shopify page's JavaScript receives the IFrame's product push, then the Shopify page's JavaScript forwards that dataset to my web service, then my web service creates the product and passes back the Shopify Product ID, and finally the Shopify page's JavaScript reads that value and adds it to the customer's cart.

The issue that I would like to clean up involves the Shopify page's JavaScript contacting my web service. I am using Java web tokens, but even then those tokens have a certain lifespan. And anyone reviewing my Shopify page's underlying code could determine the JWT and have open access to my API web service during that timeframe. As my web service internally hides the various endpoint API credentials, I'm looking for a way to somehow leverage something server-side in Shopify to perform these external API calls. So that the client JavaScript doesn't handle them.

From all I've read, I realize that Shopify isn't meant for this. Any suggestions as to best handle what I'm looking to do?

 

Accepted Solution (1)
Gregarican
Shopify Partner

This is an accepted solution.

This was worked around through creating a private app proxy (https://help.shopify.com/api/embedded-apps/app-extensions/online-store/application-proxies). I validate the signature from the proxy call, and that in turn is used to issue a JWT from my third-party app.  

Replies 4 (4)

Gregarican
Shopify Partner

The lack of response leads me to believe this isn't doable. Which I've come to understand delving more into this. Which leads me to a second question.

Is there any way to store and reference a unique identifier on the Shopify back-end? I was trying to reference the 'now' Liquid variable, but have learned that this only reflects the current timestamp when the template was rendered. I've searched for any Liquid reference to a unique Session ID, but have come up empty.

In short, my Shopify JavaScript client needs to authenticate against a third-party API resource. And I want to hide the authentication mechanism as much as possible...

 

Propero
Shopify Partner

@Gregarican ,

Sorry for picking up a very old thread; however, I was wondering if you were able to make the third-party call successfully through JavaScript. I am not yet concerned with hiding the API key but want first to be able to make that call. I am trying to make a call to remove.bg but have been stuck with a 400 error code for quite some time... my request parameter seems to be correct.

Gregarican
Shopify Partner

@Propero , yes I was able to work through things by using the Shopify app proxy to hit my third party endpoint. I validate the HMAC signature that the app proxy call automatically includes, have my third party endpoint provide the response, and that response is then handled by the Shopify JavaScript on the front end.
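
A sketch of the server side of the flow described in the accepted solution and in the reply above, as an added example that is not code from any poster in this thread: the third-party endpoint recomputes the app proxy signature following Shopify's documented scheme (HMAC-SHA256 over the sorted query parameters, keyed with the app's shared secret) and mints a short-lived JWT only when it matches. The function names, the 60-second freshness window, the JWT claims and all secrets are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs

def proxy_signature(query_string, shared_secret):
    """Recompute the app proxy signature from the raw query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    params.pop("signature", None)  # the signature does not sign itself
    # Sorted "key=value" pairs (repeated values joined by ","), no separator.
    message = "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))
    return hmac.new(shared_secret.encode(), message.encode(), hashlib.sha256).hexdigest()

def verify_proxy_request(query_string, shared_secret, max_age=60, now=None):
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.get("signature", [""])[0]
    expected = proxy_signature(query_string, shared_secret)
    # Constant-time compare so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    # Assumed policy: reject signed URLs older than max_age seconds (replay window).
    try:
        age = (time.time() if now is None else now) - int(params["timestamp"][0])
    except (KeyError, ValueError):
        return False
    return abs(age) <= max_age

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_jwt(shop, jwt_secret, ttl=120, now=None):
    """Mint a short-lived HS256 token bound to the shop that was verified."""
    now = int(time.time() if now is None else now)
    parts = [{"alg": "HS256", "typ": "JWT"}, {"sub": shop, "iat": now, "exp": now + ttl}]
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(jwt_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"

def handle_proxy_call(query_string, shared_secret, jwt_secret, now=None):
    """Return a JWT only for a request that Shopify's proxy really signed."""
    if not verify_proxy_request(query_string, shared_secret, now=now):
        return None
    shop = parse_qs(query_string).get("shop", ["unknown"])[0]
    return issue_jwt(shop, jwt_secret, now=now)

if __name__ == "__main__":
    # Constructed sample values: secrets, shop name and timestamp are made up.
    qs = "shop=example.myshopify.com&path_prefix=%2Fapps%2Fdemo&timestamp=1700000000"
    signed = f"{qs}&signature={proxy_signature(qs, 'constructed-proxy-secret')}"
    print(handle_proxy_call(signed, "constructed-proxy-secret", "constructed-jwt-secret", now=1700000010))
```

The proxy shared secret and the JWT signing key stay on the server; the storefront JavaScript only ever sees the short-lived token.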