Understanding Private App Security

ben_eversfield
New Member

I'm in the process of building a Private App - I'm hoping someone can enlighten me on a security issue.

I have my app set up with a proxy, so calling

https://myshop.myshopify.com/apps/myapp/api/v1/endpoint

Hits my server at https://myapp.com/api/v1/endpoint

Logging the request, I see (sensitive stuff scrambled)

<Request 'https://myapp.com/api/v1/endpoint?shop=myshop.myshopify.com&path_prefix=%2Fapps%2Fmyapp&timestamp=16...' [GET]>

I can then take my app secret, combine it with the params in the request and generate the same signature, and then return a response.

My question is this - is it unavoidable/inherent/surely obvious that putting https://myshop.myshopify.com/apps/myapp/api/v1/endpoint into the URL bar of my browser should result in the successful return of data? I'd thought, naively perhaps, that in the process of setting up the app and its proxy, Shopify abstracted things so that entering that URL into the browser didn't work.

If that's the case, what steps do I take to prevent unauthorised access? Sure would be great if Shopify had a set of IP addresses I could whitelist...(they don't) 

Thanks,

Ben

0 Likes
_JB
Shopify Staff

Hey @ben_eversfield,

The purpose of using a proxy is to ensure your app only returns data for requests that originate from Shopify. So in other words, your app should _only_ return data when using the URL https://myshop.myshopify.com/apps/myapp/api/v1/endpoint, and any other requests should return an error due to an invalid signature.

The idea of using a proxy is to ensure bad actors can't hit your app's endpoint directly, allowing you to block all other requests to the app. Apps still need to take all the regular precautions with regards to sanitizing user input, and ensuring the app is secure when exposed to the internet. 

JB | Developer Support @ Shopify 

0 Likes
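The signature check discussed in this thread, as an added example that is not part of the original posts and not Shopify's own code. It assumes the documented app proxy scheme (HMAC-SHA256 with the app secret over the sorted `key=value` pairs, `signature` removed); the secret, the 60-second freshness window and all function names are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

MAX_SKEW_SECONDS = 60  # assumption: freshness window chosen for this example

# Constructed sample values, not real credentials or a real request.
SAMPLE_SECRET = "constructed-secret-not-real"
SAMPLE_FIELDS = {"shop": "myshop.myshopify.com",
                 "path_prefix": "/apps/myapp",
                 "timestamp": "1700000000"}


def proxy_signature(params, secret):
    """Compute the signature over decoded query parameters (dict of lists)."""
    # Each parameter becomes "key=value"; repeated values are joined with commas.
    parts = sorted(f"{key}={','.join(values)}" for key, values in params.items())
    # The sorted pairs are concatenated with no separator and keyed with the secret.
    return hmac.new(secret.encode(), "".join(parts).encode(),
                    hashlib.sha256).hexdigest()


def verify_proxy_request(query_string, secret, now=None):
    """Return True only for a correctly signed, recent proxy query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [])
    if len(supplied) != 1:
        return False  # missing or duplicated signature
    expected = proxy_signature(params, secret)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode(), supplied[0].encode()):
        return False
    try:
        signed_at = int(params["timestamp"][0])
    except (KeyError, ValueError):
        return False
    now = time.time() if now is None else now
    # Reject old signed URLs so a captured query string cannot be replayed later.
    return abs(now - signed_at) <= MAX_SKEW_SECONDS


def build_signed_query(fields, secret):
    """Build a constructed, correctly signed query string for testing."""
    params = {key: [value] for key, value in fields.items()}
    return urlencode(fields) + "&signature=" + proxy_signature(params, secret)
```

A valid signature shows that the request was forwarded through the shop's proxy URL; it does not identify who the visitor is, so per-user authorization still has to happen in the app.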
ben_eversfield
New Member

Hi JB

Right, I get that, but I can just put https://myshop.myshopify.com/apps/myapp/api/v1/endpoint into Postman/Requests etc and return the JSON data from the API. I'd expected that not to be the case.

How does substituting https://myapp.com/api with https://myshop.myshopify.com/apps/myapp/api help stop a bad actor?

It's true that the signature means that https://myapp.com/api no longer returns a response, and that's good, but simply calling https://myshop.myshopify.com/apps/myapp/api gets over that issue.

Cheers,

Ben

0 Likes