I was wondering if it was possible to use Liquid to encrypt data that my app server can decrypt and validate. What I'm trying to achieve is a way to securely transfer the currently logged-in customer's info to my app server while preventing unauthorized submissions.
Consider an SSO app that uses logged-in Shopify customer information to generate an SSO token on my application server and show a button to redirect to my website. If I can use Liquid to encrypt the user info somehow, then my app can decrypt and validate the input to ensure Shopify created the user info.
Is there a better way to do this?
How secure does it need to be?
Perhaps you could store a metafield on the customer object that contains a unique token to form the starting place. A metafield may not be the best place to store super secret things, though. I've seen other methods of people using the sha256 string filters (and similar) to make a hash out of the customer ID + email + something. That could be a good baseline starting place for you too.
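As an added example (not code from any post in this thread), here is the app-server side of the hash approach suggested above, in Python. It assumes the storefront renders a token with Shopify Liquid's `hmac_sha256` filter over `customer.id` followed by `customer.email`, keyed with a secret that only the theme template and the app server know; the exact filter usage and the form field names are assumptions. Because Liquid is rendered on Shopify's servers, the secret never reaches the browser, which is what lets the app server treat a matching token as evidence that Shopify produced the pair. A plain `sha256` over public values alone would not give that property, since anyone could compute it, which is the spoofed-payload concern raised later in the thread.

```python
import hashlib
import hmac

# Constructed placeholder. In a real deployment this is the shared secret that
# is configured on the app server and also placed in the Liquid template
# (rendered server-side by Shopify, so customers never see it).
APP_SECRET = b"replace-with-a-real-secret"


def expected_token(customer_id, email, secret=APP_SECRET):
    """Server-side twin of the assumed Liquid expression
    {{ customer.id | append: customer.email | hmac_sha256: secret }}.
    Returns the lowercase hex digest, as the Liquid filter does."""
    message = f"{customer_id}{email}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def make_submission(customer_id, email, secret=APP_SECRET):
    """Builds the form fields the storefront would post, the way the Liquid
    snippet would render them. Used here only to construct sample input."""
    return {
        "customer_id": str(customer_id),  # Liquid renders the id as digits
        "email": email,
        "token": expected_token(customer_id, email, secret),
    }


def validate_submission(fields, secret=APP_SECRET):
    """Accepts the submission only if the token matches the (id, email) pair
    under our secret. Any missing or non-string field is rejected."""
    try:
        customer_id = fields["customer_id"]
        email = fields["email"]
        provided = fields["token"]
    except (KeyError, TypeError):
        return False
    if not all(isinstance(v, str) for v in (customer_id, email, provided)):
        return False
    expected = expected_token(customer_id, email, secret)
    # Constant-time comparison: a forged token must not be refinable
    # byte by byte through timing differences.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample: what the storefront would post for one customer.
    good = make_submission(12345, "jane@example.com")
    print("genuine submission accepted:", validate_submission(good))

    # Same token, but the email field was altered in transit.
    tampered = dict(good, email="mallory@example.com")
    print("tampered submission accepted:", validate_submission(tampered))
```

The token binds the id and the email together, so changing either field without the secret invalidates it. Note that this proves only that the pair came from a Liquid template holding the secret; it does not by itself prevent a captured submission from being replayed, so the app server should still decide how long it is willing to honour one.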
Liquid is not used to encrypt or decrypt data, nor is it used to transfer data to other domains. You are exclusively in the domain of JS scripting and working with your App server. Since all communications between the client and your server are HTTPS, you have TLS. So nothing going over the wire is open anyway. If you wanted to be able to claim you're even more clever, you could use your app to generate a salt and use that client-side to further encrypt using JS to run the algorithms. With that, you could decrypt the payload in your App.
JS is your buddy here. Use it wisely, and where you actually need it. Save yourself the trouble by not overthinking things!
We have our Single Sign-On (SSO) app on Shopify through which you can sign in to your Shopify store (non-Plus and Plus) via the IdP of your choice, with support for multiple protocols like SAML, OAuth, etc. Please click here to check out our app.
With modifications in our app we can help you to send data, after encrypting it, over to an external server in a secure way, and then you can decrypt the data at your end with your private key.
Wish the CTO of Shopify would read this and hear the concerns:
I'm looking to see ways to encrypt the payload in Liquid, pass it to my app and decrypt it. It's disappointing that it's not handled by Shopify directly. Also really no SSL.... glad we have Plus after reading this article.
It remains to be seen if this is a real problem or not. So far, no one has suffered too much. The problem as you see it is that a bad actor can simply impersonate a reasonable call to the Proxy by just sending a request with whatever payload they want. There is no solid cure for that save for having Shopify ensure the logged-in customer ID is provided in a spoof-free manner.
One thing to remember too is that App Proxy is by no means restricted to being used to get customer information. So in a lot of cases, you're dealing with rando anonymous customers anyway, so for Shopify it does add a bit of overhead to every call. They are "aware" that a call is to a Proxy. Why should they also be aware if "this" call is for a logged-in customer or not? Does it in fact slow things down, even more, to have to make that decision? So for all those Proxy calls where you do not have any reason to give a rat's butt about security, all you want is SPEED.
I think people already complain Proxy is slow. Imagine now you slow down even more by trying to add more "overhead" to it. Not the simplest of problems now is it?
Sure, it's easy. Add some config option in the custom app proxy to pass it. Leave it up to the developer if they want to trade performance for security.
You could probably write up a nice blog post. If your "company", hired some other company, to "implement your store", whatever that means, and it took you 5 minutes to bypass "security", it really is only impressive if that is actually impressive. Share what that store was, what platform it was, and how you blew through security.
Not at all sure what you are getting at, your shorts all in a knot over meagre little App Proxy that almost no one uses for much, but sure, OK... like discussed. It really only matters in a small subset of cases, where you'd be surfacing private info to nefarious sources, and yes, we agree, perhaps Shopify could nail this down tighter, but there are plenty of bigger fish to fry. I doubt they will do much with Proxy other than one day replace it with something better, or, fix it a little to remove the existing bugs, and perhaps tighten security.