Security issues with shopify graphql-proxy? Could merchants change their own billing/subscription?

Shopify Partner

Hello,

 

I was exploring the idea of using a GraphQL proxy (like koa-shopify-graphql-proxy) for Shopify app development, e.g. as it was showcased in the Node.js and React tutorial.

 

Some questions crossed my mind that I could not find the answers to in the code (I'm not too familiar with Node/Koa). So maybe someone can give me a pointer?

 

  1. Isn't it dangerous, from a security point of view, to expose the whole GraphQL Admin API to the client?
  2. E.g. would this allow a bad actor/merchant to change the billing plan or the price of her own app subscriptions?

 

My guess is that this has been considered but I am missing something. I just want to understand that part well. Any starting point would be very much appreciated.

 

Cheers

 

 

Shopify Staff

Hi there Dominik, 

 

Liam here from Shopify, thanks for getting in touch! I don't believe there would be a vulnerability which would expose areas such as subscription billing, but the best place to ask might be on the repo of the team who deals with this directly. It's an open source project, so you should get an answer here from the correct team: https://github.com/Shopify/quilt/tree/master/packages/koa-shopify-graphql-proxy

 

In the meantime, you could also read through the Admin API docs, and the info on the NPM page for the Koa Shopify GraphQL proxy.

 

Hope this helps Dominik, let us know if there's anything else I can help with,

 


Liam Griffin
Shopify | Developer Community Manager
Shopify Partner

Thanks @Liam

 

I immediately opened an issue (#1183) on GitHub as you suggested, but unfortunately haven't heard back since then. Could you poke someone/somewhere?

 

Cheers

Dominik

Shopify Staff

Hi @_Dominik_ 

 

I see that Tolgap replied in the issue; does his response answer your questions? If not, I can investigate further on my side.

 

Cheers,

 

Liam

Liam Griffin
Shopify | Developer Community Manager
Shopify Partner

Thanks @Liam

 

No, Tolgap's answer did not help unfortunately. I skimmed through the code base and I know what the package does. Maybe I did not make myself clear enough. I'll try again:

 

Is my assessment right that:

A reverse proxy (that augments incoming requests with API credentials and relays them to the Shopify GraphQL Admin API), like koa-shopify-graphql-proxy, should not be used for production without an additional black/white listing component to prevent potentially unintended API use.

 

Or rephrased differently:

Using vanilla koa-shopify-graphql-proxy, can a client issue refunds without any server interaction?

 

Cheers

Dominik

Shopify Partner

There is now one valid comment on the github issue and it is sharing my concerns. So I really would appreciate if someone from Shopify could answer this with some authority and knowledge. 

Shopify Partner

@_Dominik_ @Liam 

 

I will try to put this issue as respectfully as I can, but I feel like this comes down to a wrong API decision from Shopify.

 

In Unite 2019, you presented shopify-app-cli, a new command line tool to help you setup Shopify Apps for development. One of the options is to setup a Node-Koa-React-GraphQL style application.

 

With this style of application, you are encouraged to expose the Admin GraphQL API client (apollo-client) to the frontend so you can fetch data using Apollo in your interface. This works great for when you are editing, creating, updating or deleting anything related to your Storefront and Order management.

 

Within this same Admin GraphQL API, app developers are expected to set up subscription management for their paid apps. But seeing as the Node-Koa-React-GraphQL application setup from shopify-app-cli encourages you to expose the Admin GraphQL API client to your frontend, subscription management for paid apps is also under the control of shop owners.

 

When you expose the Admin GraphQL API client to your frontend, a shop owner will be able to use devtools/JS console to alter the amount of their subscription to $0.01, which will result in revenue loss for app developers.

 

The core issue summarized:

 

  1. The Shopify Node-Koa-React-GraphQL app setup encourages you to expose the Admin GraphQL API to frontend clients of your app
  2. App developers use this same GraphQL Admin API to manage billing of their app
  3. Exposing this API to shop owners will allow them to change billing properties of the installed app
  4. Can result in shop owners altering their subscription line items to $0.01, or even giving themselves app credits to not have to pay for the app anymore
  5. This seems like a big API flaw, and I (or we) would appreciate it if a Shopify API developer could look into these concerns from @_Dominik_ and me. I hope I'm wrong though!
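As an added example (not part of this thread, and not code from koa-shopify-graphql-proxy, shopify-app-cli or Shopify), here is the kind of allow/deny-listing component Dominik asks about above and that the billing concern in this post calls for: a Koa-style middleware that parses each GraphQL request body just far enough to extract the root fields of every operation and refuses anything not on an explicit list, before the proxy ever attaches the shop's access token. The allowlist contents, the middleware and function names, and the sample requests are assumptions for illustration; appSubscriptionCreate and refundCreate are real Admin API mutation names used here only as sample inputs. Root-level fragment spreads are rejected because a `fragment F on Mutation` spread into `{ ...F }` is the one way to reach a root field without naming it at depth 1.

```javascript
// Added example, not code from koa-shopify-graphql-proxy or Shopify: an
// operation allowlist that inspects each GraphQL request before the proxy.
// Names (ALLOWED, checkGraphqlRequest, graphqlAllowlist) are hypothetical.
'use strict';

const OPERATION_KEYWORDS = new Set(['query', 'mutation', 'subscription', 'fragment']);

// Minimal tokenizer: names and punctuators survive; strings, block strings and
// comments are skipped so a `mutation` or `{` inside a literal cannot confuse
// the root-field extraction below. Digits, commas and whitespace are dropped.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '#') { while (i < src.length && src[i] !== '\n') i++; continue; }
    if (src.startsWith('"""', i)) {
      const end = src.indexOf('"""', i + 3);
      if (end < 0) throw new Error('unterminated block string');
      i = end + 3; continue;
    }
    if (c === '"') {
      i++;
      while (i < src.length && src[i] !== '"') i += src[i] === '\\' ? 2 : 1;
      if (i >= src.length) throw new Error('unterminated string');
      i++; continue;
    }
    if (/[A-Za-z_]/.test(c)) {
      let j = i + 1;
      while (j < src.length && /[A-Za-z0-9_]/.test(src[j])) j++;
      tokens.push({ kind: 'name', value: src.slice(i, j) });
      i = j; continue;
    }
    if (src.startsWith('...', i)) { tokens.push({ kind: 'punct', value: '...' }); i += 3; continue; }
    if ('{}():@$!=[]|&'.includes(c)) { tokens.push({ kind: 'punct', value: c }); i++; continue; }
    i++;
  }
  return tokens;
}

// Return [{ type, fields }] for every operation in the document. Root fields
// are the names selected at brace depth 1 outside argument parentheses; alias
// prefixes and directive names are skipped. Fragment definitions contribute
// nothing, and a spread at root level is rejected outright (see lead-in).
function rootSelections(src) {
  const tokens = tokenize(src);
  const ops = [];
  let braceDepth = 0, parenDepth = 0, current = null;
  for (let k = 0; k < tokens.length; k++) {
    const t = tokens[k];
    if (t.value === '(') { parenDepth++; continue; }
    if (t.value === ')') { if (--parenDepth < 0) throw new Error('unbalanced parentheses'); continue; }
    if (parenDepth > 0) continue;                       // arguments, variables, object literals
    if (t.value === '{') {
      if (braceDepth === 0 && current === null) current = { type: 'query', fields: [] }; // `{ ... }` shorthand
      braceDepth++; continue;
    }
    if (t.value === '}') {
      if (--braceDepth < 0) throw new Error('unbalanced braces');
      if (braceDepth === 0) { if (current.type !== 'fragment') ops.push(current); current = null; }
      continue;
    }
    if (braceDepth === 0) {                             // keyword, operation name, `on Type`, directives
      if (t.kind === 'name' && current === null && OPERATION_KEYWORDS.has(t.value)) current = { type: t.value, fields: [] };
      continue;
    }
    if (braceDepth !== 1 || current.type === 'fragment') continue;   // nested selections, fragment bodies
    if (t.value === '...') throw new Error('fragment spread at root level is not allowed');
    if (t.kind !== 'name') continue;                                 // ':' '@' '!' and friends
    if (tokens[k + 1] && tokens[k + 1].value === ':') continue;      // alias; the real field follows
    if (tokens[k - 1] && tokens[k - 1].value === '@') continue;      // directive name
    current.fields.push(t.value);
  }
  if (braceDepth !== 0 || parenDepth !== 0) throw new Error('unbalanced document');
  return ops;
}

// Allowlist of root fields the embedded admin UI may call through the proxy
// (contents are an assumption; tailor them to the app's own screens). Billing
// mutations such as appSubscriptionCreate, and refundCreate, are deliberately
// absent: those run only in server-side code the merchant cannot drive.
const ALLOWED = {
  query: new Set(['shop', 'products', 'product', 'orders', 'node']),
  mutation: new Set(['productCreate', 'productUpdate']),
};

function checkGraphqlRequest(body) {
  let ops;
  try { ops = rootSelections(typeof body.query === 'string' ? body.query : ''); }
  catch (e) { return { allowed: false, reason: e.message }; }
  if (ops.length === 0) return { allowed: false, reason: 'no operation in request' };
  for (const op of ops) {
    const fields = ALLOWED[op.type];
    if (!fields) return { allowed: false, reason: `${op.type} operations are not proxied` };
    for (const f of op.fields) {
      if (!fields.has(f)) return { allowed: false, reason: `${op.type} root field "${f}" is not allowlisted` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Koa-style middleware to mount on the proxy route ahead of the proxy itself,
// e.g. app.use(graphqlAllowlist()) before app.use(graphQLProxy(...)), so the
// access token is only attached to requests that passed the check.
function graphqlAllowlist() {
  return async (ctx, next) => {
    const verdict = checkGraphqlRequest(ctx.request.body || {});
    if (!verdict.allowed) {
      ctx.status = 403;
      ctx.body = { errors: [{ message: verdict.reason }] };
      return;
    }
    await next();
  };
}

// Constructed sample requests: a legitimate query beside the two abuses raised
// in the thread (re-pricing a subscription, issuing a refund from the browser).
const SAMPLES = [
  '{ shop { name } }',
  'mutation { appSubscriptionCreate(name: "Pro", returnUrl: "https://example.invalid/cb", lineItems: []) { confirmationUrl } }',
  'mutation { refundCreate(input: { orderId: "gid://shopify/Order/1" }) { refund { id } } }',
];
for (const q of SAMPLES) console.log(checkGraphqlRequest({ query: q }));
```

The check is a positive allowlist, not a blocklist of known-dangerous mutations, so a new billing or money-moving mutation added to the Admin API in a later version is blocked by default rather than silently passed through; a tighter variant would pin whole persisted query documents instead of root fields.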
Shopify Partner

@Liam I am noticing this as well. It's been some time and I still don't see an answer to this question here or on the related GitHub repos. Can someone please address this?
