Proxy Apps Customer Auth problems

savchukoleksii
Shopify Partner
9 0 11

Hi, community members.

Today I would like to raise a question that remains unanswered. The question is:

How can we identify customers in our embedded Proxy App?

Shopify currently has no common solution for this problem, though the community has asked this question many times. Here are just a couple of posts on this forum that I found, with the dates they were posted:

  1. Proxy APP that uses logged in user info / 02-03-2015
  2. Current best way to get logged in customer id / 02-21-2019
  3. Anyway I can find out customer ID of logged in customer on app proxy / 06-04-2014 
  4. Feature Request: Authenticated Customer IDs in proxied pages / 07-12-2015
  5. Customer authentication for app proxy / 08-24-2018
  6. Customer information in external app / 10-19-2013
  7. How to send logged in customer's email address to my app? / 03-28-2015
  8. Shopify app proxy show user related data / 01-27-2018
  9. Getting the logged in user Id via an app proxy / 09-17-2013

After I did the research, I realized that at the moment there is no solution in Shopify for this. So I decided to look for a solution on the Internet. I found the article Securing customer pages with a Shopify app proxy by Gavin Ballard. As the application prohibits the use of cookies and headers for security reasons, developers must find a solution on their own. Because of all the limitations, the only solution is Query Based Auth, but in this way we leave a huge security hole in our application. Gavin has a great solution, but even with all the securing methods we still have this hole. At the end of the article he proposed a safer and better solution for this problem.


With every proxied request Shopify passes along to your application, it adds a shop query parameter to help your application identify the store the request is coming from.

In addition to this, Shopify could pass along the ID of any customer that’s currently logged in to the storefront, either along with the shop parameter in the query string or as a custom HTTP header (perhaps X-Shopify-Customer-Id).

Doing this would greatly simplify the authentication progress for all customer pages where it’s required that a customer is logged in to their account. Pages that require authentication without a customer login (such as order tracking pages) would still need to use a URL-based method, but it would be possible to reduce the risk of information leakage by doing something like still requiring a customer account login after a certain amount of time has passed.

And I agree with him. I decided to contact the developers and this is what they said:

They are aware of this being requested, and will look into implementing this in the future. If we see enough demand over existing development projects, and if we see more requests come in for the same solution from other developers this will increase the priority of the feature being implemented.

I urge all application developers who develop Shopify applications to support me and store owners who want to protect their users' data in the Proxy App from being stolen. I am always open for discussion and will be glad to talk about this with other developers and members of the Shopify community.
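Added example (not code from the original post, from Gavin Ballard's article, or from Shopify): the reason a customer id passed along by Shopify would be trustworthy, while one appended by the storefront or a visitor is not, is that Shopify signs the query string of every proxied request with the app's shared secret (the documented scheme: HMAC-SHA256 over the sorted `key=value` pairs, concatenated with no separator). The block below verifies that signature and only then reads a customer id. The parameter name `customer_id`, the shared secret and the sample query are assumptions constructed for the example; `sign_query` stands in for what Shopify does before forwarding a request, so the example runs offline.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample secret; a real app's shared secret comes from the Partner dashboard.
SHARED_SECRET = b"example-shared-secret-not-real"

# Constructed sample query string as the app would receive it from an app proxy.
# 'customer_id' is a hypothetical parameter used only for this example.
SAMPLE_QUERY = "shop=example.myshopify.com&path_prefix=%2Fapps%2Fdemo&timestamp=1317327555&customer_id=123"


def _message_for(params: dict) -> str:
    """Canonical form Shopify documents for app-proxy signatures:
    each 'key=value' (multi-values joined by ','), sorted, joined with no separator."""
    return "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))


def sign_query(query_string: str, secret: bytes = SHARED_SECRET) -> str:
    """Append a freshly computed signature (stand-in for Shopify's side of the exchange)."""
    params = parse_qs(query_string, keep_blank_values=True)
    params.pop("signature", None)
    digest = hmac.new(secret, _message_for(params).encode(), hashlib.sha256).hexdigest()
    return f"{query_string}&signature={digest}"


def verify_proxy_request(query_string: str, secret: bytes = SHARED_SECRET) -> Optional[dict]:
    """Return the signed parameters, or None if the signature is missing or wrong.
    Any parameter that was changed after signing (including a customer id) fails here."""
    params = parse_qs(query_string, keep_blank_values=True)
    provided = params.pop("signature", [None])[0]
    if not provided:
        return None
    expected = hmac.new(secret, _message_for(params).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many hex digits matched.
    if not hmac.compare_digest(expected, provided):
        return None
    return {k: v[0] if len(v) == 1 else v for k, v in params.items()}


def trusted_customer_id(query_string: str, secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Read the hypothetical customer_id only from a request whose signature verified."""
    params = verify_proxy_request(query_string, secret)
    if params is None:
        return None
    return params.get("customer_id")


if __name__ == "__main__":
    signed = sign_query(SAMPLE_QUERY)
    print("signed request  ->", trusted_customer_id(signed))
    tampered = signed.replace("customer_id=123", "customer_id=456")
    print("tampered request ->", trusted_customer_id(tampered))
```

The point of the second call: an id the storefront page or the visitor adds to the URL is outside the signed set, so it is rejected, whereas a value Shopify itself includes before signing (the proposal in the quoted article) would verify. A query-only scheme without such a signed binding is exactly the hole the post describes.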

jhcao23
Excursionist
31 1 10

But how can we set the 'X-Shopify-Customer-Id' header within a Liquid page? Shopify's official page about 'App Proxy' doesn't mention how to set an HTTP header for a proxy request, sadly...

0 Likes