Which Shopify Development Solution to use: Private App, Custom App, App Proxy...

wildabeast
Excursionist
16 0 9

I'm trying to figure out if I should use a Private App, a Custom app, an app proxy...

My case is fairly simple. I want to send requests from the front-end client of my Shopify Store to my own external API. On that API Server, I want to verify with Shopify that the request came from an authenticated shopify user session, and identify that user.

From the client side of myshopifystore.com, call POST to api.myexternalserver.com/shopify/orderid to store some order data.

On api.myexternalserver.com, verify that the request comes from a user logged in to myshopifystore.com, and that orderid belongs to the authenticated user.

Thanks!

Replies 7 (7)

Gregarican
Shopify Partner
1033 86 285

For such a use case I had a similar requirement. I created a private app, installed it in my Shopify shop, and the app itself includes an app proxy to forward along the API requests to my external API service. My Shopify shop's page code has a few jQuery requests that hit the app proxy, are validated and passed along to my external API service, and then return the response back to the Shopify shop's page.

wildabeast
Excursionist
16 0 9

Thanks -- how were you validating the authenticated user the request was made from on your external server? And fetching info about them and their orders? Those are the details that would be really helpful for me.

Gregarican
Shopify Partner
1033 86 285

The app proxy call from Shopify to your external API service comes with an HMAC signature, which you validate based on what's defined here --> https://shopify.dev/tutorials/display-data-on-an-online-store-with-an-application-proxy-app-extensio.... Then your external API service can retrieve Shopify order information using various API options --- REST API, GraphQL API, etc. See these links for some details --> https://shopify.dev/docs/admin-api/rest/reference and https://shopify.dev/docs/admin-api/graphql/reference

wildabeast
Excursionist
16 0 9

That's helpful for validating that the request came from my Shopify app, but if I understand correctly it doesn't provide any user session info, correct?

So if user_abc is logged in to my Shopify app, and the app made a POST to my API to update order_123 -- how do I get information about that user (their orders etc.) and verify that the user owns order_123?

Thanks again!

Gregarican
Shopify Partner
1033 86 285

If a customer is logged in then that would be handled in Liquid. The `{{ customer.id }}` field value would identify them. And you could assign that value to a local variable, and pass it along through your app proxy in the JSON body in your request, pass it along as a query parameter, etc. See here for a list of all Liquid objects available --> https://shopify.dev/docs/themes/liquid/reference/objects

wildabeast
Excursionist
16 0 9

I was thinking more of using session information from the user's authenticated session.

Just using customer id as a parameter, one user could theoretically retrieve or edit another user's information through my API if they had the customer id, I think.

Gregarican
Shopify Partner
1033 86 285

That's why you would utilize the app proxy. The HMAC signature the app proxy includes in its request can be verified once the call hits your external API endpoint. That way the bad guys couldn't just hijack things. Works fine in our production app.
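Putting the two replies together (the HMAC validation described a few posts up, and the concern that a customer id supplied by the browser could be used to reach another customer's order), here is an added example of the server-side checks, not code from this thread or from Shopify. It assumes the app proxy's query parameters (`shop`, `path_prefix`, `timestamp`, `logged_in_customer_id`, `signature`) and the signature scheme as the example's author understands them from Shopify's app-proxy documentation (HMAC-SHA256 keyed with the app's shared secret, hex-encoded, computed over the remaining parameters sorted by key and concatenated with no separator); confirm the exact scheme against the linked doc page. `APP_SHARED_SECRET`, the `ORDERS` table and every function name are constructed for the example. The design point: the ownership check keys on the `logged_in_customer_id` that the proxy itself fills in and covers with the signature, never on an id the client puts in the request body, so a tampered id fails the signature check instead of being trusted.

```python
"""Server-side checks for a request arriving through a Shopify app proxy (added example)."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the app's shared secret; a real one lives in config, not source.
APP_SHARED_SECRET = "constructed-example-secret"

# Constructed order table: order id -> owning customer id. A real service would
# consult its own database or a Shopify Admin API lookup here instead.
ORDERS = {
    "order_123": "4242",
    "order_456": "9999",
}


def _signing_message(params: dict) -> str:
    """Every parameter except 'signature', sorted by key, as key=value,
    multi-valued parameters joined by ',', all concatenated with no separator."""
    parts = []
    for key in sorted(params):
        if key == "signature":
            continue
        value = params[key]
        if isinstance(value, (list, tuple)):
            value = ",".join(value)
        parts.append(f"{key}={value}")
    return "".join(parts)


def compute_signature(params: dict, secret: str) -> str:
    """Hex HMAC-SHA256 of the signing message under the app's shared secret."""
    message = _signing_message(params)
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def signed_query(params: dict, secret: str) -> str:
    """Build the query string the proxy would attach. Used here only to construct
    sample requests; the real proxy does this on Shopify's side."""
    return urlencode({**params, "signature": compute_signature(params, secret)}, doseq=True)


def verify_proxy_request(query_string: str, secret: str) -> Optional[dict]:
    """Return the parsed parameters if the signature checks out, else None.
    keep_blank_values matters: an anonymous visitor arrives with an empty
    logged_in_customer_id, which must still be part of the signed message."""
    params = parse_qs(query_string, keep_blank_values=True)
    given = params.get("signature", [""])[0]
    expected = compute_signature(params, secret)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, given):
        return None
    return params


def authorize_order_update(query_string: str, order_id: str, secret: str) -> str:
    """Decide whether the caller may touch order_id. The customer identity comes
    from the proxy-supplied, signed logged_in_customer_id, not from the request body."""
    params = verify_proxy_request(query_string, secret)
    if params is None:
        return "rejected: bad signature"
    customer_id = params.get("logged_in_customer_id", [""])[0]
    if not customer_id:
        return "rejected: no logged-in customer"
    if ORDERS.get(order_id) != customer_id:
        return "rejected: order not owned by customer"
    return "ok"


if __name__ == "__main__":
    # Constructed request as the proxy would forward it for customer 4242.
    good = signed_query(
        {"shop": "example.myshopify.com", "path_prefix": "/apps/orders",
         "timestamp": "1700000000", "logged_in_customer_id": "4242"},
        APP_SHARED_SECRET,
    )
    print(authorize_order_update(good, "order_123", APP_SHARED_SECRET))  # ok
    print(authorize_order_update(good, "order_456", APP_SHARED_SECRET))  # not owned
    # Changing the customer id after signing breaks the signature, so it is never trusted.
    forged = good.replace("logged_in_customer_id=4242", "logged_in_customer_id=9999")
    print(authorize_order_update(forged, "order_456", APP_SHARED_SECRET))  # bad signature
```

Two things the example leaves to the reader: the `timestamp` parameter can additionally be checked for freshness to bound replay of a captured signed request, and the order lookup should use the shop from the signed `shop` parameter when the service serves more than one store.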