1) I get current customer_id and product_id by the ShopifyAnalytics.meta.page object. Is this object always available regardless the template selected? If not, what is the best pratice for retrieving the current user and product?
2) Clearly the ajax call to manage information (create, delete, list) on the external service is not safe. Users can inspect the page and find all they need to reproduce the calls on postman or any other http client. Is there a suggested way for this kind of integration?
So I should
ask the shop owner to insert a script into their template to use liquid
variables. Or can I do that directly through the app?
That's up to you. You can do it programatically with the asset API. Don't forget to remove the code when the app is uninstalled.