I was wondering if it was possible to use Liquid to encrypt data that my app server can decrypt and validate. What I'm trying to achieve is a way to securely transfer the currently logged-in customer's info to my app server while preventing unauthorized submissions.
Consider an SSO app that uses logged-in Shopify customer information to generate an SSO token on my application server and show a button to redirect to my website. If I can use Liquid to encrypt the user info somehow, then my app can decrypt and validate the input to ensure Shopify created the user info.
Is there a better way to do this?
How secure does it need to be?
Perhaps you could store a metafield on the customer object that contains a unique token to form as the starting place. A metafield may not be the best place to store super secret things though. I’ve seen other methods of people using the sha256 string filters (and similar) to make a hash out of the customer ID+email+something. That could be a good baseline starting place for you too.
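The hash-based approach from the reply above, seen from the app-server side, as an added example that is not code from any poster or from Shopify. It assumes the theme uses Liquid's `hmac_sha256` filter with a secret shared with the app server; the `id|email|timestamp` layout, the function names, the secret value and the 5-minute window are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

# Liquid side (sketch; assumes the theme holds the same secret):
#   {% assign ts = 'now' | date: '%s' %}
#   {% assign msg = customer.id | append: '|' | append: customer.email | append: '|' | append: ts %}
#   {{ msg | hmac_sha256: 'constructed-demo-secret' }}
SHARED_SECRET = b"constructed-demo-secret"  # constructed value, never a real key
MAX_AGE_SECONDS = 300                       # assumed replay window
_DIGITS = re.compile(r"[0-9]{1,20}")


def _message(customer_id, email, ts):
    return f"{customer_id}|{email}|{ts}".encode()


def sign(customer_id, email, ts, secret=SHARED_SECRET):
    """Hex HMAC-SHA256 over id|email|ts, matching the Liquid output."""
    return hmac.new(secret, _message(customer_id, email, ts), hashlib.sha256).hexdigest()


def unkeyed_hash(customer_id, email, ts):
    """Plain SHA-256 of the same fields: anyone can compute it, so it proves nothing."""
    return hashlib.sha256(_message(customer_id, email, ts)).hexdigest()


def verify(customer_id, email, ts, token, now=None, secret=SHARED_SECRET):
    """Return (ok, reason) for a submission received by the app server."""
    if not (_DIGITS.fullmatch(str(customer_id)) and _DIGITS.fullmatch(str(ts))
            and isinstance(token, str)):
        return False, "malformed"
    expected = sign(customer_id, email, ts, secret)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), token.strip().lower().encode()):
        return False, "bad signature"
    now = int(time.time()) if now is None else now
    if abs(now - int(ts)) > MAX_AGE_SECONDS:
        return False, "expired"
    return True, "ok"
```

The "something" in the hash has to be a secret key: the unkeyed SHA-256 variant is rejected here because a client can compute it for any customer ID and email. The secret is readable by anyone with access to the theme code, so only the resulting token should ever be rendered into the page.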
Liquid is not used to encrypt or decrypt data, nor is it used to transfer data to other domains. You are exclusively in the domain of JS scripting and working with your App server. Since all communications between the client and your server are HTTPS, you have TLS. So nothing going over the wire is open anyway. If you wanted to be able to claim you're even more clever, you could use your app to generate a salt and use that client-side to further encrypt using JS to run the algorithms. With that, you could decrypt the payload in your App.
JS is your buddy here. Use it wisely, and where you actually need it. Save yourself the trouble by not overthinking things!
We have our Single Sign-On (SSO) app on Shopify, through which you can sign in to your Shopify store (Non-Plus and Plus) via the IDP of your choice, with support for multiple protocols like SAML, OAuth, etc. Please click here to check out our app
With modifications in our app we can help you to send data, after encrypting it, to an external server in a secure way, and then you can decrypt the data at your end by private key.