I need a way to securely authenticate the customer when he, through my script tag, makes an AJAX request to MY APP SERVER.
I mean that in the storefront cart or on the order_status_page I place a button that makes an API request to my server. On my server, when the API is called, I need to know WHO the customer is (the customer_id is enough) and make sure it is not a tampered request.
Obviously I cannot accept requests where the customer_id is in the clear in the request body/query, because anyone could spoof the request and make anonymous requests altering the customer_id. I need a way to ensure the request comes from a real, authenticated customer session on the Shopify store.
How can I do this?
Could you explain it better?
I know how cookies work, but I'm not getting how this could help in my case.
What cookie should I read/write to authenticate the current customer (who is on the Shopify cart / order status pages) on my server?
How can I be certain that the AJAX request is really made by the current customer?
Sorry, I should have elaborated more on that.
One possibility is to use JWT authentication per customer and store the data in an HTTP-only cookie.
Then send the signed data in the request to your server.
Here are 2 decent resources on JWT authentication:
The implementation of this will be heavily dependent on how your app is set up/used.
There are also other ways to do this, so someone please correct me if there is something better.
I'm sorry. It's now clear to me that my question is not clear at all :-D
The problem is not how to technically authenticate a user; I know many methods, including cookies, JWT, etc.
The problem is how, in the Shopify storefront, I could get some customer-handle data that would allow my server to verify and assert that the request has been made by the customer on the Shopify storefront.
I need some kind of customer token (that Shopify should provide in the storefront) that is unique, protected, expiring and verifiable, so that when this token is sent to my server in a request I can process it to assert "yes, this token couldn't be fake and was generated by the Shopify storefront for this specific customer_id" or "no, this is an invalid token".
Hope the question is now clearer.
Thanks anyway for your efforts.
I have a similar situation - did you find a solution for this?
The only way I could think of was to make a dummy request to the Shopify API from my server using the provided customer token to check that it was still valid... A bit time-consuming though.