Request: Proxy Apps Customer Auth

Highlighted
Shopify Partner
9 0 11

Here just copy of topic: Proxy Apps Customer Auth problems

Hi, community members.

Today I would like to raise a question that remains unanswered. The question is:

How can we identify customers in our embeded Proxy App?

 Now Shopify have not common solution for this problem though community has ask this question many times. Here is just a couple post on this forum I found and dated, when it was posted:

  1. Proxy APP that uses logged in user info / 02-03-2015
  2. Current best way to get logged in customer id / 02-21-2019
  3. Anyway I can find out customer ID of logged in customer on app proxy / 06-04-2014 
  4. Feature Request: Authenticated Customer IDs in proxied pages / 07-12-2015
  5. Customer authentication for app proxy / 08-24-2018
  6. Customer information in external app / 10-19-2013
  7. How to send logged in customer's email address to my app? / 03-28-2015
  8. Shopify app proxy show user related data / 01-27-2018
  9. Getting the logged in user Id via an app proxy / 09-17-2013

After I did the research, I realized that at the moment there is no solution in Shopify for this. And I decided to look for a solution on the Internet. I found an Securing customer pages with a Shopify app proxy by Gavin Ballard. As the application prohibits the use of cookies and headers for security reasons, developers must find a solution on their own. Because of all the limitations, the only solution is Query Based Auth, but in this way we leave a huge security hole in our application. Gavin has great solution, but even with all securing methods we still have this hole. At the end of article he has proposed more safe and the better solution for this problem.

 

With every proxied request Shopify passes along to your application, it adds a shop query parameter to help your application identify the store the request is coming from.

In addition to this, Shopify could pass along the ID of any customer that’s currently logged in to the storefront, either along with the shop parameter in the query string or as a custom HTTP header (perhaps X-Shopify-Customer-Id).

Doing this would greatly simplify the authentication progress for all customer pages where it’s required that a customer is logged in to their account. Pages that require authentication without a customer login (such as order tracking pages) would still need to use a URL-based method, but it would be possible to
reduce the risk of information leakage by doing something like still requiring a customer account login after a certain amount of time has passed.

And I agree with him. I decided to contact the developers and this is what they said:

They are aware of this being requested, and will look into implementing this in the future. If we see enough demand over existing development projects, and if we see more requests come in for the same solution from other developers this will increase the priority of the feature being implemented.

I urge all application developers who develop Shopify applications to support me and store owners who want to protect their users' data in the Proxy App from being stolen. I am always open for discussion and will be glad to talk about this with other developers and members of the Shopify community.

5 Likes
Highlighted
Shopify Partner
9 0 2

Hi 

 

 

If you could combine this with the current time, one could have a valid authenticating solution, similar to Javascript Web Tokens. 

Sadly, the current way to get the time serverside in liquid is this :

 

{{'now' | date: '%s' }}

And it does not give the current time, but due to caching it will give the last time the template was rendered by Shopify. So it's not usable for authentication.

1 Like
Highlighted
Shopify Partner
9 0 2

Hi,

Sorry skip the last time remark. This won't work.

0 Likes
Highlighted
Shopify Partner
9 0 2

Hello savchukoleksii

 

Me again! I think I found another way of doing this, please check this thread and tell me your remarks:

 

https://community.shopify.com/c/Shopify-APIs-SDKs/Using-a-customerAccessToken-for-authenticating-ser...

0 Likes
Highlighted
Shopify Partner
9 0 11

Hi. This solution is not suit to my needs. All must be done on Shopify and Apps backend, because in another way it not secure for customers. The best solution to add header on Shopify request like `customer-id`, but developers response that they have more important things to do.

1 Like
Highlighted
Shopify Partner
9 0 2

Hi!

 

Did you also read the part about proxying the create customer?

I do it like this: when clicking create customer, I send a post request via javascript to create a customer to my app instead of submit to shopify.

My app creates the customer on the shopify Admin API and then creates a JSON Web token for the customer id and returns it to the customer.

This token can be saved and sent with every request to my app.

 

When the user logs in, first the frontend javascript also does a request to my app, with the username / password. My app does a request to the storefront api (doesn't share this info with the frontend) to see if its a valid customer. After this it also creates a token with the customerid and sends it to the frontend.

 

I think this is a more secure way. 

(the create a customer form in liquid is now a login form so the customer is logged in after creating).

 

0 Likes
Highlighted
Shopify Partner
9 0 11
It is also bad solution, because for example API controllers can not be done with javascript. More preferable way to use Shopify supported things that can not be exploit by hackers, because it automatically add by Shopify
0 Likes
Highlighted
Shopify Partner
9 0 2

Hi!

 

I don't understand what you mean by API controllers can not be done with javascript, could you elaborate please?

By the way, yes of course Shopify should have a cleaner solution, but they haven't, so we have got to find a solution.

 

Human

0 Likes
Highlighted
Shopify Partner
9 0 11

I use Gavin Ballard's solution right now. And add query params using Javascript if I need to identify user. For users without javascript enabled I just render noscript tag with info that app require JavaScript. I use Yii2 on the backend on my app, so I write controllers that supports liquid response and customer AuthClass with use X-Loggined-Customer header. Also it wraps every response of liquid in if statement to check all in Liquid. I do something like this right now, but in every request I need to pass in get params right signature and customer_id. Urls does not look well, but this is the most secure solution for now.

0 Likes
Highlighted
Shopify Partner
9 0 11

Today I noticed that header are not passed with request at all. Solution does not work anymore

0 Likes