Some question crossed my mind that I could not find the answer for in the code (not too familiar with node/koa). So maybe someone can give me some pointer?
My guess is that this has been considered but I am missing something. I just want to understand that part well. Any starting point would be very much appreciated.
Hi there Dominik,
Liam here from Shopify, thanks for getting in touch! I don't believe there would be a vulnerability which would expose areas such as subscription billing, but the best place to ask might be on the repo of the team who deals with this directly. It's an open source project, so you should get an answer here from the correct team: https://github.com/Shopify/quilt/tree/master/packages/koa-shopify-graphql-proxy
Hope this helps, Dominik. Let us know if there's anything else I can help with.
I see that Tolgap replied in the issue. Does his response answer your questions? If not, I can investigate further on my side.
No, Tolgap's answer did not help unfortunately. I skimmed through the code base and I know what the package does. Maybe I did not make myself clear enough. I'll try again:
Is my assessment right that:
A reverse proxy (that augments incoming requests with API credentials and relays them to the Shopify Graphql Admin API), like koa-shopify-graphql-proxy, should not be used for production without an additional black/white listing component to prevent potentially unintended API use.
Or rephrased differently:
Using vanilla koa-shopify-graphql-proxy, can a client issue refunds without any server interaction?
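The kind of allowlisting component the question above is asking about, as an added example. This is not code from the original thread, from koa-shopify-graphql-proxy, or from Shopify: it is a dependency-free sketch of a gate that a credential-attaching proxy could run before forwarding a request. It parses the incoming GraphQL document, finds the operation type and the top-level fields it selects, and refuses mutations outside an explicit allowlist, so that a browser client (the devtools/JS console scenario described further down) cannot send `refundCreate` or a subscription-changing mutation through the proxy just because the proxy holds the shop's access token. `ALLOWED_MUTATIONS`, the sample request bodies and the middleware shape are assumptions; the hand-rolled tokenizer exists only to keep the example runnable offline, and a production gate should use the `graphql` package's `parse` instead.

```javascript
'use strict';

// Hypothetical allowlist: the mutations this app's frontend legitimately needs.
// Everything not listed here (refundCreate, appSubscriptionCreate, ...) is refused.
const ALLOWED_MUTATIONS = new Set(['productUpdate', 'productCreate']);

// Remove block strings, ordinary strings and comments so that braces or keywords
// inside them cannot confuse the tokenizer. (A real parser handles this properly.)
function stripNoise(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n\r]*/g, '');
}

// Tokens we care about: fragment spreads, names, and single punctuation characters.
function tokenize(query) {
  return stripNoise(query).match(/\.\.\.|[A-Za-z_][A-Za-z0-9_]*|[^\s,]/g) || [];
}

// Returns { type, fields } for a document containing exactly one operation.
// Returns null (and the caller refuses the request) when the document is malformed,
// contains several operations, or uses a fragment at the top level, because then we
// cannot see every field the operation would touch.
function parseOperation(query) {
  const tokens = tokenize(query);
  if (tokens.length === 0) return null;

  let i = 0;
  let type = 'query'; // anonymous `{ ... }` shorthand is a query
  if (['query', 'mutation', 'subscription'].includes(tokens[0])) {
    type = tokens[0];
    i = 1;
  }

  // Skip the operation name, variable definitions and directives up to the selection set.
  let paren = 0;
  while (i < tokens.length && !(tokens[i] === '{' && paren === 0)) {
    if (tokens[i] === '(') paren++;
    else if (tokens[i] === ')') paren--;
    i++;
  }
  if (i === tokens.length) return null;

  const fields = [];
  let braceDepth = 0;
  let parenDepth = 0;
  for (; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '{') { braceDepth++; continue; }
    if (t === '}') {
      braceDepth--;
      if (braceDepth === 0) { i++; break; }
      continue;
    }
    if (braceDepth !== 1) continue;     // only the operation's own selection set
    if (t === '(') { parenDepth++; continue; }
    if (t === ')') { parenDepth--; continue; }
    if (parenDepth > 0) continue;       // inside an argument list
    if (t === '...') return null;       // fragment spread or inline fragment: refuse
    if (t === '@') { i++; continue; }   // directive name; its arguments are parenthesised
    if (/^[A-Za-z_]/.test(t)) {
      if (tokens[i + 1] === ':') {      // alias: record the real field, not the alias
        const real = tokens[i + 2];
        if (!real || !/^[A-Za-z_]/.test(real)) return null;
        fields.push(real);
        i += 2;
      } else {
        fields.push(t);
      }
    }
  }
  if (braceDepth !== 0) return null;
  if (i < tokens.length) return null;   // a second operation or a fragment definition
  return { type, fields };
}

// Policy decision for one request body ({ query, variables }). Queries are forwarded;
// mutations are forwarded only when every top-level field is allowlisted.
function isRequestAllowed(body, allowedMutations = ALLOWED_MUTATIONS) {
  if (!body || typeof body.query !== 'string') return false;
  const op = parseOperation(body.query);
  if (!op || op.fields.length === 0) return false;
  if (op.type === 'query') return true;
  if (op.type !== 'mutation') return false;
  return op.fields.every((f) => allowedMutations.has(f));
}

// Koa-style middleware shape (assumption: a body parser has already populated
// ctx.request.body, and the proxy route is mounted after this gate).
function allowlistMiddleware(allowedMutations = ALLOWED_MUTATIONS) {
  return async function gate(ctx, next) {
    if (!isRequestAllowed(ctx.request.body, allowedMutations)) {
      ctx.status = 403;
      ctx.body = { errors: [{ message: 'operation not permitted by proxy allowlist' }] };
      return;
    }
    await next();
  };
}

// Constructed sample request bodies of the kind a browser client could send.
const SAMPLE_ALLOWED = {
  query: 'mutation Rename($id: ID!) { productUpdate(input: {id: $id, title: "x"}) { product { id } } }',
};
const SAMPLE_REFUND = {
  query: 'mutation { refundCreate(input: {orderId: "gid://shopify/Order/1"}) { refund { id } } }',
};
const SAMPLE_ALIASED = {
  query: 'mutation { harmless: appSubscriptionCreate(name: "x", lineItems: []) { confirmationUrl } }',
};

module.exports = { ALLOWED_MUTATIONS, parseOperation, isRequestAllowed, allowlistMiddleware };
```

The alias and fragment cases are the ones worth noticing: a client can rename `appSubscriptionCreate` to `harmless:` or hide a mutation behind a fragment, so the gate must look at the resolved field names and refuse documents it cannot fully see, rather than matching on strings in the request. Whether queries should also be allowlisted is a separate decision; this sketch lets them through.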
I will try to put this issue as respectfully as I can, but I feel like this comes down to a wrong API decision from Shopify.
In Unite 2019, you presented shopify-app-cli, a new command line tool to help you set up Shopify Apps for development. One of the options is to set up a Node-Koa-React-GraphQL style application.
With this style of application, you are encouraged to expose the Admin GraphQL API client (apollo-client) to the frontend so you can fetch data using Apollo in your interface. This works great for when you are editing, creating, updating or deleting anything related to your Storefront and Order management.
Within this same Admin GraphQL API, app developers are expected to set up subscription management for their paid apps. But seeing as the Node-Koa-React-GraphQL application setup from shopify-app-cli encourages you to expose the Admin GraphQL API client to your frontend, subscription management for paid apps is also under the control of shop owners.
When you expose the Admin GraphQL API client to your frontend, a shop owner will be able to use devtools/JS console to alter the amount of their subscription to $0.01, which will result in revenue loss for App Developers.
The core issue summarized: