Prevent information leakage from different shops

pat0x00
Shopify Partner

So I'm creating an app where I want the shop owners to store some information in the app (e.g. HTML code that gets loaded via a script tag into the shop). That means when a shop owner installs the app they get an edit code field within the app. The code they're editing is then stored in a database. How would I prevent another app user (or malicious third party) from editing any shop's HTML code? My understanding is that unless I have any form of user creation process, everybody who figures out the backend endpoint could just send a request to it (using a shop origin that is not theirs) and edit the HTML code of every shop.

And further, if I have a user creation form within the app, couldn't that be exploited as well? E.g. a malicious party figures out where the sign-up endpoint is and creates a user linked to a shop that is not theirs, so now they have access to the edit code endpoint?

I hope somebody can help me clarify this, since I'm not sure if I understand it correctly.

Thanks


EugeneKim
Shopify Partner

😬

It sounds as if your endpoints don't validate that the user making the request is actually who they say they are. You should probably do that by requiring that your endpoints check for a secret for each verified user.

pat0x00
Shopify Partner

Well, I actually do, but the problem is the sign-up process, since I don't know how to link a created user to their Shopify store in a secure way.
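The following is an added example, not part of the thread or anyone's posted code. It sketches one way to bind an app session to a shop: it assumes the install callback arrives with Shopify's signed `hmac` query parameter (HMAC-SHA256 over the other sorted parameters, keyed with the app's secret), and all names, the secret and the in-memory stores are hypothetical stand-ins.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl

API_SECRET = b"constructed-app-secret"  # placeholder; the real secret never leaves the server
SESSIONS = {}    # session token -> shop domain (stand-in for a session store)
SHOP_HTML = {}   # shop domain -> stored HTML (stand-in for the database)
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")

def sign_query(params, secret=API_SECRET):
    """Hex HMAC-SHA256 over the sorted key=value pairs, leaving out 'hmac' itself."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()

def handle_install_callback(query_string):
    """Return a session token bound to the shop, or None if the request is not signed."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    supplied = params.get("hmac", "")
    # Constant-time comparison on bytes, so a non-ASCII value cannot raise.
    if not hmac.compare_digest(sign_query(params).encode(), supplied.encode()):
        return None
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        return None
    # A real app would also check the timestamp and exchange 'code' for an access token.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = shop
    return token

def save_html(session_token, html, requested_shop=None):
    """Store HTML for the session's shop only; a client-supplied shop is never trusted."""
    shop = SESSIONS.get(session_token)
    if shop is None:
        return False  # unknown or guessed token
    if requested_shop is not None and requested_shop != shop:
        return False  # caller tried to name a shop other than its own
    SHOP_HTML[shop] = html
    return True

if __name__ == "__main__":
    # Constructed callback, signed the way the assumption above describes.
    p = {"code": "constructed", "shop": "alice-store.myshopify.com", "timestamp": "1700000000"}
    qs = "&".join(f"{k}={v}" for k, v in p.items()) + "&hmac=" + sign_query(p)
    t = handle_install_callback(qs)
    print(save_html(t, "<p>hello</p>"), save_html(t, "x", "bob-store.myshopify.com"))
```

The shop identity here comes only from the verified callback, so a sign-up form that lets the caller type in a shop domain is not needed.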