Hey Shopify Staff,
The topic (link below) is the prior one, which led me to create the current one.
De facto every app in the Shopify App Store is running on an untrusted server. Some dude (app vendor) creates an app which routes the store data through his backend server, because of CORS, which doesn't allow him to access the Admin REST or GraphQL API directly from the browser/client.
An example of many: https://apps.shopify.com/dhl-parcel
This app fetches the store's order/customer/shipping data and pushes it to the DHL API to create a shipping label. Classic case!
Before the data arrives at the DHL API, it gets routed and processed through the vendor's server. So this middleware can read, write, store the data at his leisure.
Now look at the app detail page. It seems that the vendor is represented by tom-it.nl. If you open the page, you will find a kind of blog. No imprint and/or contact page can be found. The site doesn't run on https. The meta title of his page is "software / security engineer & photography enthousiast".
So what does it tell me:
- The best thing is that great people like Tom and other developers can easily use the Shopify API/SDK to create awesome apps.
- On the other side, one of the worst things in the Shopify ecosystem is that the customer's sensitive data (in current times of rigorous GDPR) gets shared unnecessarily with untrusted vendors, and their untrusted and unsecured servers. Why do I say "unsecured servers"? Because Tom and even companies simply don't invest an appropriate amount of effort and money to keep the security on a high level.
That's why I created this post, because I don't want to deal with customer's data. So maybe I am wrong and Tom or others can tell me how to write a clientside-only Shopify app.
Take my money, I would even pay for it.