Which Shopify Development Solution to use: Private App, Custom App, App Proxy...

Tourist

I'm trying to figure out if I should use a Private App, a Custom app, an app proxy...

My case is fairly simple. I want to send requests from the front-end client of my Shopify store to my own external API. On that API server, I want to verify with Shopify that the request came from an authenticated Shopify user session, and identify that user.

From the client side of myshopifystore.com, call POST to api.myexternalserver.com/shopify/orderid to store some order data.

On api.myexternalserver.com, verify that the request comes from a user logged in to myshopifystore.com, and that orderid belongs to the authenticated user.

Thanks!

0 Likes
Shopify Partner

For such a use case I had a similar requirement. I created a private app, installed it in my Shopify shop, and the app itself includes an app proxy to forward along the API requests to my external API service. My Shopify shop's page code has a few jQuery requests that hit the app proxy, are validated and passed along to my external API service, and then return the response back to the Shopify shop's page.

1 Like
Tourist

Thanks -- how were you validating the authenticated user the request was made from on your external server? And fetching info about them and their orders? Those are the details that would be really helpful for me.

0 Likes
Shopify Partner

The app proxy call from Shopify to your external API service comes with an HMAC signature, which you validate based on what's defined here --> https://shopify.dev/tutorials/display-data-on-an-online-store-with-an-application-proxy-app-extensio.... Then your external API service can retrieve Shopify order information using various API options --- REST API, GraphQL API, etc. See these links for some details --> https://shopify.dev/docs/admin-api/rest/reference and https://shopify.dev/docs/admin-api/graphql/reference

0 Likes
Tourist

That's helpful for validating that the request came from my Shopify app, but if I understand correctly it doesn't provide any user session info, correct?

So if user_abc is logged in to my Shopify app, and the app made a POST to my API to update order_123 -- how do I get information about that user (their orders etc.) and verify that the user owns order_123?

Thanks again!

0 Likes
Shopify Partner

If a customer is logged in then that would be handled in Liquid. The `{{ customer.id }}` field value would identify them. And you could assign that value to a local variable, and pass it along through your app proxy in the JSON body in your request, pass it along as a query parameter, etc. See here for a list of all Liquid objects available --> https://shopify.dev/docs/themes/liquid/reference/objects

0 Likes
Tourist

I was thinking more of using session information from the user's authenticated session. 

Just using customer id as a parameter, one user could theoretically retrieve or edit another user's information through my API if they had the customer id, I think.

0 Likes
Shopify Partner

That's why you would utilize the app proxy. The HMAC signature the app proxy includes in its request can be verified once the call hits your external API endpoint. That way the bad guys couldn't just hijack things. Works fine in our production app.

0 Likes