I'm in the process of building a Private App - I'm hoping someone can enlighten me on a security issue.
I have my app set up with a proxy, so calling
Hits my server at https://myapp.com/api/v1/endpoint
Logging the request, I see (sensitive stuff scrambled)
I can then take my app secret, combine it with the params in the request and generate the same signature, and then return a response.
My question is this - is it unavoidable/inherent/surely obvious that putting https://myshop.myshopify.com/apps/myapp/api/v1/endpoint into the URL bar of my browser should result in the successful return of data? I'd thought, naively perhaps, that in the process of setting up the app and its proxy, Shopify abstracted things so that entering that URL into the browser didn't work.
If that's the case, what steps do I take to prevent unauthorised access? Sure would be great if Shopify had a set of IP addresses I could whitelist...(they don't)
The purpose of using a proxy is to ensure your app only returns data for requests that originate from Shopify. So in other words, your app should _only_ return data when using the URL https://myshop.myshopify.com/apps/myapp/api/v1/endpoint, and any other requests should return an error due to an invalid signature.
The idea of using a proxy is to ensure bad actors can't hit your app's endpoint directly, allowing you to block all other requests to the app. Apps still need to take all the regular precautions with regard to sanitizing user input, and ensuring the app is secure when exposed to the internet.
Right, I get that, but I can just put https://myshop.myshopify.com/apps/myapp/api/v1/endpoint into Postman/Requests etc and return the JSON data from the API. I'd expected that not to be the case.
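
An added example, not part of the original thread and not Shopify's own code: a server-side check for the signature the posts describe, which rejects requests that reach the app's server without passing through the proxy. It assumes the app-proxy scheme from Shopify's documentation (hex HMAC-SHA256 over the sorted `key=value` query parameters, excluding `signature`, joined with no separator); the secret, sample parameters, function names and the 60-second freshness window are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

MAX_AGE_SECONDS = 60  # assumed freshness window, not a Shopify-defined value


def proxy_signature(params, secret):
    """Hex HMAC-SHA256 over sorted 'key=value' pairs joined with no separator."""
    message = "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_proxy_request(query_string, secret, now=None):
    """Return True only for a correctly signed, recent app-proxy request."""
    # keep_blank_values: an empty parameter still has to be part of the signed message
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [])
    if len(supplied) != 1:
        return False  # missing or duplicated signature, e.g. a direct hit on the server
    expected = proxy_signature(params, secret)
    # constant-time comparison so the check does not leak how many characters matched
    if not hmac.compare_digest(expected.encode(), supplied[0].encode()):
        return False
    try:
        signed_at = int(params.get("timestamp", [""])[0])
    except ValueError:
        return False
    now = time.time() if now is None else now
    return abs(now - signed_at) <= MAX_AGE_SECONDS  # limits replay of a captured URL


def sample_signed_query(secret, ts):
    """Constructed sample of a proxied query string, for demonstration only."""
    params = {"shop": ["myshop.myshopify.com"], "path_prefix": ["/apps/myapp"],
              "timestamp": [str(ts)], "logged_in_customer_id": [""]}
    flat = {k: v[0] for k, v in params.items()}
    return urlencode(flat) + "&signature=" + proxy_signature(params, secret)


if __name__ == "__main__":
    secret = "constructed-app-secret"  # placeholder, not a real credential
    query = sample_signed_query(secret, int(time.time()))
    print("proxied request accepted:", verify_proxy_request(query, secret))
    print("unsigned direct request accepted:",
          verify_proxy_request("shop=myshop.myshopify.com", secret))
```

A check like this only shows that the request came through the proxy; as the last post observes, a request sent to the proxy URL from any client is still forwarded with a signature.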