How to authenticate storefront customer AJAX requests on my server-side app?

aledelgo
Shopify Partner

I need a way to securely authenticate the customer when he, through my ScriptTag, makes AJAX requests to MY APP SERVER.
I mean that in the storefront cart or on the order_status_page I place a button that makes an API request to my server. On my server, when the API is called, I need to know WHO the customer is (the customer_id is enough) and make sure it is not a tampered request.

Obviously I cannot accept requests where the customer_id is in the clear in the request body/query, because anyone could spoof the request and make an anonymous request altering the customer_id. I need a way to ensure the request comes from a real and authenticated customer session on the Shopify store.

How can I do this?

aledelgo
Shopify Partner

Could you explain it better?

I know how cookies work, but I'm not getting how this could help in my case.

What cookie should I read/write to authenticate the current customer (who is on the Shopify cart / order_status pages) on my server?
How can I be certain that the AJAX request is really made by the current customer?


Sorry, I should have elaborated more on that.

One possibility is to use JWT authentication per customer and store the data in an HTTP-only cookie:

Then send the signed data in the request to your server.

Here are 2 decent resources on JWT authentication:

https://blog.logrocket.com/jwt-authentication-best-practices/

https://dev.to/siwalikm/what-the-heck-is-jwt-anyway--47hg

The implementation of this will be heavily dependent on how your app is set up/used.

There are also other ways to do this, so someone please correct me if there is something better.

aledelgo
Shopify Partner

I'm sorry. It's now clear to me that my question is not clear at all :-D.

The problem is not how to technically authenticate a user; I know many methods, including cookies, JWT, etc.

The problem is how, in the Shopify storefront, I could get some customer-handle data that would allow my server to verify and assert that the request has been made by the customer on the Shopify storefront.

I need some kind of customer token (that Shopify should provide in the storefront) that is unique, protected, expiring and verifiable, so that when this token is sent to my server in a request I could process it to assert "yes, this token couldn't be fake and was generated by the Shopify storefront for this specific customer_id" or "no, this is an invalid token".

 

Hope the question is now clearer.

Thanks anyway for your efforts.

aledelgo
Shopify Partner

The customer-access-token requires the customer's username/password to be created...

In my case, the customer is on the Shopify platform and is already authenticated on the Shopify store (or may be the customer of an order who hasn't created any account).

Any other solution?

travisreynolds
Shopify Partner

I have a similar situation - did you find a solution for this?

The only way I could think of was to make a dummy request to the Shopify API from my server using the provided customer token to check that it was still valid... A bit time-consuming though.

aledelgo
Shopify Partner

Not found any solution yet.

abhisheksingh75
New Member

Hi Team, struggling with the same situation... please reply if someone has a solution around it?
