ScriptTag best practice and safety

alexlarocca
Visitor

Hi,

I just started to develop (PHP) a public app that loads a remote JavaScript file (ScriptTag). This inserts a button on the product page, and when the user clicks it some information is sent to an external REST service. I need your feedback about the following issues:

1) I get the current customer_id and product_id from the ShopifyAnalytics.meta.page object. Is this object always available regardless of the template selected? If not, what is the best practice for retrieving the current user and product?

2) Clearly the AJAX call to manage information (create, delete, list) on the external service is not safe. Users can inspect the page and find all they need to reproduce the calls in Postman or any other HTTP client. Is there a suggested way for this kind of integration?

Thanks,

Alessandro

Replies 3 (3)

SBD_
Shopify Staff

Hey @alexlarocca 

1) That object might change. Best to pull these IDs with Liquid (customer.id, product.id).

2) What does the app do?

Scott | Developer Advocate @ Shopify 

alexlarocca
Visitor

Hi, I changed the scope of my app. Now it only tracks the customer navigation (view product, change variant, add to cart, ...) for marketing purposes.

In order to get the product_id and customer_id, instead of retrieving these from the Shopify object, you suggest pulling these with Liquid. So I should ask the shop owner to insert a script into their template to use Liquid variables. Or can I do that directly through the app?

Thanks
Alessandro

SBD_
Shopify Staff

"So I should ask the shop owner to insert a script into their template to use Liquid variables. Or can I do that directly through the app?"

That's up to you. You can do it programmatically with the Asset API. Don't forget to remove the code when the app is uninstalled.

Scott | Developer Advocate @ Shopify