Solved

Storing sensitive information in Products metafields

eflouret
Tourist

Hello,

Is it safe to store sensitive information in product metafields?

I don't mean any personal or financial customer information, but only information that can be accessed by those who purchased the product.

The information I want to store in the metafields isn't free and should be safe (download links, paid tutorials, etc.).

Thanks,

Enrique

Accepted Solution (1)

HunkyBill
Shopify Expert

This is an accepted solution.

Metafield resources were almost always subject to hacking because originally they had zero security. Anyone with a decent scoped API key could read, write metafield resources for almost anything. Can you say problematic wild west. Some App developers went overboard and made everything a metafield, while others tried to be careful and only store valuable info there. So along came twits that would accidentally erase metafields not of their creating, ruining merchant lives!!

 

So Shopify got wise in a way, and now when you create a metafield, and it is scoped to your APP, other Apps cannot monkey with your metafield resource. That being said, reading a key:value pair is a Liquid thing, so sloppy Liquid could expose metafield data in order emails, etc. So the answer to your question is subtle.

 

Yes you can store important info in them. It is probably not wise to store customer-centric info in a product metafield though. You more likely want to save that in the customer record itself. Or even the customer order. So if a customer purchases a product, that belongs to the customer's order. Pollute the order with the product specific info. Then expose it ONLY in the customer account Liquid, where they can scan their orders, and see their products.

 

Just saying... if you sell 10000 people a product, you probably do not want 10000 metafield resources attached to that product. Would be kinda gnarly...

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com

eflouret
Tourist

Thanks HunkyBill for your descriptive reply, very much appreciated.

hexonsoft
Shopify Partner

Hello Sir, I have created 2 metafields using the REST API with App #1.

But when I send a GET request from App #2, it shows the fields created by App #1.

Can you please tell me how to create metafields that can be read, updated, and deleted only by the App that created them?

HunkyBill
Shopify Expert

Look into private Metafields. I think that is what you might be interested in. They are only available to the App that created them.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
hexonsoft
Shopify Partner

Sir, is there any documentation of private metafields? Please share the link and how to create them using the REST API.

Currently I am using this code to create metafields:

 

```php
<?php
// Metafield payload in the REST Admin API 2021-01 format.
$metafield = array(
    "metafield" => array(
        "namespace" => "hxs_lcs",
        "key" => "hxs_lcs_api",
        "value" => "LeopardsApiKey",
        "value_type" => "string",
        "description" => "this is hxs_lcs_api"
    )
);

// Shop name and credentials are redacted, as in the original post.
$url = "https://xxxxx:xxxxx@xxxxx.myshopify.com/admin/api/2021-01/metafields.json";

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_VERBOSE, 0);
// Include the response headers in $response.
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($metafield));
// Verify the server's TLS certificate. The posted code set this to false, which
// leaves the credentials and the stored API key open to interception.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
$response = curl_exec($curl);
curl_close($curl);
```

 

 

But when I checked, it can be accessed by other Apps.

Need help please

Regards

HunkyBill
Shopify Expert

You probably need to use the GraphQL API.

https://shopify.dev/docs/admin-api/graphql/reference/metafields/privatemetafield

Shopify is moving away from the REST API anyway, so this is a good time for you to get into the GraphQL version, which is, for the most part, very nice to use.

 

 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
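
Added example, not part of the original posts and not Shopify's own code: one way to make the GraphQL `privateMetafieldUpsert` call that the linked PrivateMetafield reference documents, written in PHP to match the code posted above. The function names and the `SHOP_DOMAIN`, `SHOPIFY_ACCESS_TOKEN` and `LCS_API_KEY` environment variables are assumptions; the namespace and key are reused from the post.

```php
<?php
// Added example. Function names and the three environment variables are assumptions.

function buildPrivateMetafieldBody(string $namespace, string $key, string $value): string
{
    $query = <<<'GRAPHQL'
mutation ($input: PrivateMetafieldInput!) {
  privateMetafieldUpsert(input: $input) {
    privateMetafield { namespace key valueType }
    userErrors { field message }
  }
}
GRAPHQL;
    // No "owner" ID is passed here, so the metafield is attached to the shop itself.
    $input = [
        'namespace'  => $namespace,
        'key'        => $key,
        'valueInput' => ['value' => $value, 'valueType' => 'STRING'],
    ];
    return json_encode(['query' => $query, 'variables' => ['input' => $input]], JSON_THROW_ON_ERROR);
}

function upsertPrivateMetafield(string $shop, string $token, string $body): array
{
    $curl = curl_init("https://{$shop}/admin/api/2021-01/graphql.json");
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        // The token travels in a header, not in the URL, so it stays out of URL logs.
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json', "X-Shopify-Access-Token: {$token}"],
    ]);
    $raw = curl_exec($curl);
    $error = curl_error($curl);
    curl_close($curl);
    if ($raw === false) {
        throw new RuntimeException("Request failed: {$error}");
    }
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    $result = $data['data']['privateMetafieldUpsert'] ?? null;
    if (!empty($data['errors']) || $result === null || !empty($result['userErrors'])) {
        throw new RuntimeException('Shopify rejected the request: ' . $raw);
    }
    return $result['privateMetafield']; // the stored value is deliberately not echoed back
}

// The secret comes from the environment rather than being hard-coded in source.
$body = buildPrivateMetafieldBody('hxs_lcs', 'hxs_lcs_api', getenv('LCS_API_KEY'));
print_r(upsertPrivateMetafield(getenv('SHOP_DOMAIN'), getenv('SHOPIFY_ACCESS_TOKEN'), $body));
```

It targets the 2021-01 API version used in the thread; confirm against the current Admin API reference that the mutation is still offered before relying on it.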