So I'm creating an app where I want the shop owners to store some information in the app (e.g. HTML code that gets loaded via a script tag into the shop). That means when a shop owner installs the app they get an edit code field within the app. The code they're editing is then stored in a database. How would I prevent another app user (or malicious third party) from editing any shop's HTML code? My understanding is that unless I have some form of user creation process, everybody who figures out the backend endpoint could just send a request to it (using a shop origin that is not theirs) and edit the HTML code of every shop.
And further, if I have a user creation form within the app, couldn't that be exploited as well? E.g. a malicious party figures out where the sign-up endpoint is and creates a user linked to a shop that is not theirs, so now they have access to the edit code endpoint?
I hope somebody can help me clarify this since I'm not sure if I understand it correctly.
It sounds as if your endpoints don't validate that the user making the request is actually who they say they are. You should probably do that by requiring that your endpoints check for a secret for each verified user.
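
One way to implement the per-user secret check suggested in the answer above, as an added example that is not part of the original thread. The names `registerShop`, `handleEdit` and the in-memory `shops` map are hypothetical stand-ins for the app's install flow, edit endpoint and database, and how the secret reaches the verified shop owner is assumed to happen elsewhere.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the database table: shopId -> { secretHash, html }.
const shops = new Map();

function sha256(value) {
  return crypto.createHash('sha256').update(value).digest();
}

// Assumption: called once per shop from the install flow, after the owner
// has been verified. Only a hash of the secret is stored server-side.
function registerShop(shopId) {
  const secret = crypto.randomBytes(32).toString('hex');
  shops.set(shopId, { secretHash: sha256(secret), html: '' });
  return secret; // handed to that shop's owner only
}

// Edit endpoint: the shop named in the request is not trusted on its own.
// The write happens only if the caller also presents that shop's secret.
function handleEdit(req) {
  const shop = shops.get(req.shopId);
  const presented = sha256(String(req.secret ?? ''));
  // For an unknown shop, compare against a dummy value so both paths do
  // the same work, then reject regardless of the comparison result.
  const expected = shop ? shop.secretHash : Buffer.alloc(32);
  const matches = crypto.timingSafeEqual(presented, expected);
  if (!shop || !matches) {
    return { status: 401, body: 'unauthorized' };
  }
  shop.html = String(req.html);
  return { status: 200, body: 'saved' };
}

// Read helper used to confirm what is stored for a shop.
function storedHtml(shopId) {
  const shop = shops.get(shopId);
  return shop ? shop.html : undefined;
}
```

A request that names another shop's origin but carries the caller's own secret is rejected, because the secret is looked up by the shop being edited rather than by who is asking.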