Is it possible to use Liquid to encrypt data that my app server can decrypt and validate?

inflex13
New Member
1 0 1

I was wondering if it was possible to use Liquid to encrypt data that my app server can decrypt and validate. What I'm trying to achieve is a way to securely transfer the current logged-in customer's info to my app server while preventing unauthorized submissions.

 

Consider an SSO app that uses logged-in Shopify customer information to generate an SSO token on my application server and show a button to redirect to my website. If I can use Liquid to encrypt the user info somehow, then my app can decrypt and validate the input to ensure Shopify created the user info.

Is there a better way to do this?

 

Thanks

Jason
Shopify Expert
10294 146 1949

How secure does it need to be?

Perhaps you could store a metafield on the customer object that contains a unique token to form as the starting place. A metafield may not be the best place to store super secret things though. I’ve seen other methods of people using the sha256 string filters (and similar) to make a hash out of the customer ID+email+something. That could be a good baseline starting place for you too.

I jump on these forums to help and share some insights. Not looking to be hired, and not looking for work.

Don't hand out staff invites or give admin password to forum members unless absolutely needed. In most cases the help you need can be handled without that.


★ http://freakdesign.com.au ★
0 Likes
HunkyBill
Shopify Expert
4490 45 485

Liquid is not used to encrypt or decrypt data, nor is it used to transfer data to other domains. You are exclusively in the domain of JS scripting and working with your App server. Since all communications between the client and your server are HTTPS, you have TLS. So nothing going over the wire is open anyway. If you wanted to be able to claim you're even more clever, you could use your app to generate a salt and use that client-side to further encrypt using JS to run the algorithms. With that, you could decrypt the payload in your App.

 

JS is your buddy here. Use it wisely, and where you actually need it. Save yourself the trouble by not overthinking things!

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
0 Likes
manish22
Tourist
13 0 1

Hello,

You can integrate JavaScript on the storefront through which you can send information to your server after encrypting it. Encryption can be done either through any private key or you can also hash the information before sending it over to your external server.

We have our Single Sign On (SSO) App on Shopify through which you can sign in to your Shopify store (non-Plus and Plus) via an IDP of your choice with support for multiple protocols like SAML, OAuth, etc. Please click here to check out our app

With modifications in our app we can help you to send data after encrypting it over to an external server in a secure way, and then you can decrypt the data at your end with a private key.

Thanks,

Manish 

0 Likes
GeorgeHoffman
New Member
8 0 0

I have the same concern, as should anyone with any background in security. There are some serious gaps in Shopify security. JavaScript and client-side methods are easily hacked. When you have an app proxy we construct the URL in Liquid and call it with AJAX in the browser. If we have to pass the customer ID then it's very easy for any logged-in user to change the parameter and impersonate another customer, assuming they guess enough customer IDs. Validating the request came from Shopify is not enough. It's better to somehow encrypt the parameters in Liquid and pass them via AJAX, then decrypt on the remote app server. Anything else will not pass a security penetration test. A hacker would not be able to create the encrypted payload. Of course you have to embed your encryption key or hashing key directly in Liquid templates that are viewable by every developer and their mother.

Wish the CTO of Shopify would read this and hear the concerns:

https://gavinballard.com/securing-customer-pages-shopify-app-proxy/

I'm looking to see ways to encrypt the payload in Liquid and pass it to my app and decrypt it. It's disappointing that it's not handled by Shopify directly. Also really no SSL .... glad we have Plus after reading this article.

0 Likes
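Added example, not part of any post in this thread: a server-side check for the keyed-hash approach raised above (a hash over customer ID + email + something, produced in Liquid and validated on the app server). It assumes the theme computes a hex HMAC-SHA256 over `id|email|timestamp` with Shopify's `hmac_sha256` filter; the secret, field layout, lifetime and function names are hypothetical, and the secret is readable by anyone with theme access, as the post above points out.

```python
import hashlib
import hmac
import time

# Constructed secret for this example. In the scheme discussed in the thread
# the same value also sits in the Liquid theme, readable by theme editors.
SHARED_SECRET = b"constructed-example-secret"
MAX_AGE_SECONDS = 300     # assumed token lifetime
CLOCK_SKEW_SECONDS = 30   # assumed tolerance for clock drift

# Assumed theme side (Shopify Liquid filters: append, date, hmac_sha256;
# `secret` is a placeholder variable):
#   {% assign ts = 'now' | date: '%s' %}
#   {% assign msg = customer.id | append: '|' | append: customer.email | append: '|' | append: ts %}
#   {{ msg | hmac_sha256: secret }}


def sign_token(customer_id: str, email: str, issued_at: str) -> str:
    """Hex HMAC-SHA256 over 'id|email|timestamp', matching the Liquid output."""
    message = f"{customer_id}|{email}|{issued_at}".encode("utf-8")
    return hmac.new(SHARED_SECRET, message, hashlib.sha256).hexdigest()


def _is_number(value: str) -> bool:
    return value.isascii() and value.isdigit()


def verify_token(customer_id, email, issued_at, token, now=None):
    """Return 'ok', 'malformed', 'bad-signature' or 'expired'."""
    # Numeric id and timestamp keep the '|' framing unambiguous even if the
    # email itself contains a '|'.
    if not (_is_number(customer_id) and _is_number(issued_at) and email):
        return "malformed"
    expected = sign_token(customer_id, email, issued_at)
    # Constant-time comparison on bytes, so any submitted string is accepted
    # as input without leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return "bad-signature"
    # The timestamp is covered by the MAC, so a captured token stops
    # verifying once it is older than the allowed window.
    now = int(time.time()) if now is None else now
    age = now - int(issued_at)
    if age > MAX_AGE_SECONDS or age < -CLOCK_SKEW_SECONDS:
        return "expired"
    return "ok"
```

A changed customer ID fails the signature check because the ID is part of the signed message; the check says nothing about who can read the secret in the theme.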
HunkyBill
Shopify Expert
4490 45 485

It remains to be seen if this is a real problem or not. So far, no one has suffered too much. The problem as you see it is that a bad actor can simply impersonate a reasonable call to the Proxy by just sending a request with whatever payload they want. There is no solid cure for that save for having Shopify ensure the logged-in customer ID is provided in a spoof-free manner.

0 Likes
GeorgeHoffman
New Member
8 0 0

Yes, that at least would be something. Seems reasonable that Shopify would have some ability to pass along the customer ID in some secure manner rather than every app having to figure out how to validate it.

0 Likes
HunkyBill
Shopify Expert
4490 45 485

One thing to remember too is that App Proxy is by no means restricted to being used to get customer information. So in a lot of cases, you're dealing with rando anonymous customers anyway, so for Shopify it does add a bit of overhead to every call. They are "aware" that a call is to a Proxy. Why should they also be aware if "this" call is for a logged-in customer or not? Does it in fact slow things down, even more, to have to make that decision? So for all those Proxy calls where you do not have any reason to give a rat's butt about security, all you want is SPEED.

I think people already complain Proxy is slow. Imagine now you slow down even more by trying to add more "overhead" to it. Not the simplest of problems now is it?

0 Likes
GeorgeHoffman
New Member
8 0 0

Sure, it's easy. Add some config option in the custom app proxy to pass it. Leave it up to the developer if they want to trade performance for security.

Most developers will just implement their apps incorrectly and insecurely. We hired a company to implement our store. I was able to bypass their "security" within 5 minutes with Fiddler. I have several years of experience as a security champion at a large investment bank. I conduct security training for developers. I look at these things. I've found developers who consider security are an exception rather than the norm. It's ridiculously easy to bypass anything client-side, and as much as I have dug there are very few server-side hooks in Shopify that allow access to custom apps. If we are meant to do everything in JavaScript we have to bend over backwards to make the application secure.

0 Likes
HunkyBill
Shopify Expert
4490 45 485

You could probably write up a nice blog post. If your "company", hired some other company, to "implement your store", whatever that means, and it took you 5 minutes to bypass "security", it really is only impressive if that is actually impressive. Share what that store was, what platform it was, and how you blew through security.

Not at all sure what you are getting at, your shorts all in a knot over meagre little App Proxy that almost no one uses for much, but sure, OK... like discussed. It really only matters in a small subset of cases, where you'd be surfacing private info to nefarious sources, and yes, we agree, perhaps Shopify could nail this down tighter, but there are plenty of bigger fish to fry. I doubt they will do much with Proxy other than one day replace it with something better, or, fix it a little to remove the existing bugs, and perhaps tighten security.

 

0 Likes