So I'm creating an app where I want the shop owners to store some information in the app (e.g. HTML code that gets loaded via a script tag into the shop). That means when a shop owner installs the app they get an edit code field within the app. The code they're editing is then stored in a database. How would I prevent another app user (or malicious third party) from editing any shop's HTML code? My understanding is that unless I have any form of user creation process, everybody who figures out the backend endpoint could just send a request to it (using a shop origin that is not theirs) and edit the HTML code of every shop.
And further, if I have a user creation form within the app, couldn't that be exploited as well? E.g. a malicious party figures out where the sign-up endpoint is and creates a user linked to a shop that is not theirs, so now they have access to the edit code endpoint?
I hope somebody can help me clarify this since I'm not sure if I understand it correctly.
Thanks
😬
It sounds as if your endpoints don't validate that the user making the request is actually who they say they are. You should probably do that by requiring that your endpoints check for a secret for each verified user.
Well I actually do, but the problem is the sign-up process, since I don't know how to link a created user to their Shopify store in a secure way.
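
As an added example (not code from anyone in this thread): one way to stop an edit endpoint from trusting a client-supplied shop origin is to bind the shop to a server-signed token and take the shop from that token alone. The function names, the demo secret, and the assumption that the shop was already verified during the app's install handshake are all hypothetical.

```javascript
// Added example: issueShopToken, verifyShopToken and saveSnippet are hypothetical names.
const crypto = require('node:crypto');

// Server-side secret; constructed value for the demo, load it from config in practice.
const APP_SECRET = 'constructed-demo-secret';

const sign = (payload, secret) =>
  crypto.createHmac('sha256', secret).update(payload).digest('base64url');

// Call this only after the install handshake has proven which shop is installing
// (assumed to happen elsewhere), never from an open sign-up form.
function issueShopToken(shop, secret = APP_SECRET, ttlSeconds = 3600) {
  const payload = Buffer.from(JSON.stringify({
    shop, exp: Math.floor(Date.now() / 1000) + ttlSeconds,
  })).toString('base64url');
  return `${payload}.${sign(payload, secret)}`;
}

// Returns the shop bound to the token, or null if forged, malformed or expired.
function verifyShopToken(token, secret = APP_SECRET) {
  const parts = String(token).split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const { shop, exp } = JSON.parse(Buffer.from(payload, 'base64url').toString());
    return typeof shop === 'string' && exp > Date.now() / 1000 ? shop : null;
  } catch { return null; }
}

// Edit endpoint logic: the shop comes from the verified token, and any
// shop/origin field the client puts in the request body is ignored.
function saveSnippet(db, token, body) {
  const shop = verifyShopToken(token);
  if (!shop) return { status: 401 };
  db.set(shop, String(body.html ?? ''));
  return { status: 200, shop };
}
```

Here `db` is any Map-like store keyed by shop; a request carrying a valid token for one shop can only ever write that shop's row, whatever shop name appears in its body.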