Getting the currently logged in customer account

Shopify Partner

Hello,

I am building an app that could really benefit from knowing the currently logged in customer account. It doesn't look like there is currently any way to use OAuth for customer accounts, but I think this could be accomplished using Multipass Logins and maintaining the customer accounts from the app itself or another app. Is there another way to accomplish this? Also, is it possible to enable Multipass Logins in a Dev shop so I could work on this?

Thanks

Shopify Expert

Hi,

I have built a couple of pretty sophisticated Apps to handle this. When a customer is added to the Shop, I use a Webhook to ensure that same customer is present in the App. With that it is very easy to present functionality throughout the shop based on the currently logged in customer. 

One example I made is a Closet for the customers of a clothing boutique. Each logged in customer has their very own closet. They can add products to their closet, invite their friend to see what is in their closet, and have discussions about those products. Additionally, each closet is private to the customers and their invited friends.

Amazing what you can do with the API...

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
Shopify Partner

Thank you for your response,

This works great for presenting functionality throughout the shop.  How do you go about telling your app which user is currently logged in and what closets to show?

I would like to use the customer account to authorize the customer to access a resource in the app based on their order history. I can make links from the Shopify site to the app that pass the current customer email or ID in the parameters, but that is not secure, since the email or ID in the parameters in the URL can just be changed to be a different customer.

Thank you

Shopify Expert

Good point. I treat it like this. If I send the customer's ID and their email to the App, it is pretty simple to ensure they match. If some customer X contrives to fool the App by sending email and ID combinations to try and "fool" the App... I leave that as an exercise to them. Guessing an ID to match an email would not take a genius to figure out, but it would take some repeated attempts. If you're paranoid of that low-risk thing happening, just block repeated failed attempts for the same email in a short amount of time. Any failed match is a sign of monkey business.

I dunno... as I have pointed out many times, if customers want to dick around trying to screw up Apps, it is not hard. Most Apps are susceptible to elementary script hacks. Not much you can do about it.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
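
The mitigation described in the reply above (check that the ID matches the email, and block an email after repeated failed matches in a short time), as an added example that is not code from this thread or from any poster's app. The class name, the thresholds and the in-memory customer table are assumptions; the table stands in for customers synced to the app by webhook.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 3       # assumed threshold
WINDOW_SECONDS = 300   # assumed meaning of "a short amount of time"

# Constructed sample data: email -> customer ID, as a webhook sync might store it.
SAMPLE_CUSTOMERS = {"alice@example.com": 1001, "bob@example.com": 1002}


class CustomerMatcher:
    """Checks an (ID, email) pair and blocks emails with repeated failed matches."""

    def __init__(self, customers, clock=time.monotonic):
        self._customers = {e.lower(): str(i) for e, i in customers.items()}
        self._failures = defaultdict(deque)  # email -> times of failed matches
        self._clock = clock

    def _recent_failures(self, email):
        """Drop failures older than the window and return the rest."""
        failures = self._failures[email]
        cutoff = self._clock() - WINDOW_SECONDS
        while failures and failures[0] <= cutoff:
            failures.popleft()
        return failures

    def check(self, customer_id, email):
        """Return 'ok', 'denied' or 'blocked' for one request."""
        email = email.strip().lower()
        failures = self._recent_failures(email)
        if len(failures) >= MAX_FAILURES:
            return "blocked"  # refused even if this ID is the right one
        expected = self._customers.get(email, "")
        supplied = str(customer_id)
        # Constant-time comparison of the stored and supplied IDs.
        if expected and hmac.compare_digest(expected.encode(), supplied.encode()):
            return "ok"
        failures.append(self._clock())
        return "denied"


if __name__ == "__main__":
    matcher = CustomerMatcher(SAMPLE_CUSTOMERS)
    for cid in (1, 2, 3, 1001):  # three wrong IDs, then the right one
        print(cid, matcher.check(cid, "alice@example.com"))
```

Because the block is keyed on the email, failed attempts by anyone also lock the real customer out until the window expires.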
Shopify Partner

I found half a solution for this.  I can wrap the response body from my application in

{% if customer and customer.id == <PASSED_IN_CUSTOMER_ID> %}
 <NORMAL RESPONSE BODY>
{% else %}
"Access Denied"
{% endif %}

where <PASSED_IN_CUSTOMER_ID> is the id passed in the params.

Since the Liquid is rendered on the Shopify server, it checks the currently logged in customer id against the customer_id passed to the application. This works fine for standard application proxy authorizations.

I would like to do some dynamic page manipulation using AJAX and JSONP requests to my application. Since the AJAX request skips the Shopify server entirely, it seems there is still no way to authorize against the currently logged in customer without moving authentication to the app itself and setting up Shopify accounts with Multipass Logins.

Is there any way to enable Multipass Logins for a dev shop?
