Re: Request: Proxy Apps Customer Auth

Solved

Request: Proxy Apps Customer Auth

savchukoleksii
Shopify Partner
9 0 16

Here just copy of topic: Proxy Apps Customer Auth problems

Hi, community members.

Today I would like to raise a question that remains unanswered. The question is:

How can we identify customers in our embeded Proxy App?

 Now Shopify have not common solution for this problem though community has ask this question many times. Here is just a couple post on this forum I found and dated, when it was posted:

  1. Proxy APP that uses logged in user info / 02-03-2015
  2. Current best way to get logged in customer id / 02-21-2019
  3. Anyway I can find out customer ID of logged in customer on app proxy / 06-04-2014 
  4. Feature Request: Authenticated Customer IDs in proxied pages / 07-12-2015
  5. Customer authentication for app proxy / 08-24-2018
  6. Customer information in external app / 10-19-2013
  7. How to send logged in customer's email address to my app? / 03-28-2015
  8. Shopify app proxy show user related data / 01-27-2018
  9. Getting the logged in user Id via an app proxy / 09-17-2013

After I did the research, I realized that at the moment there is no solution in Shopify for this. And I decided to look for a solution on the Internet. I found an Securing customer pages with a Shopify app proxy by Gavin Ballard. As the application prohibits the use of cookies and headers for security reasons, developers must find a solution on their own. Because of all the limitations, the only solution is Query Based Auth, but in this way we leave a huge security hole in our application. Gavin has great solution, but even with all securing methods we still have this hole. At the end of article he has proposed more safe and the better solution for this problem.

 

With every proxied request Shopify passes along to your application, it adds a shop query parameter to help your application identify the store the request is coming from.

In addition to this, Shopify could pass along the ID of any customer that’s currently logged in to the storefront, either along with the shop parameter in the query string or as a custom HTTP header (perhaps X-Shopify-Customer-Id).

Doing this would greatly simplify the authentication progress for all customer pages where it’s required that a customer is logged in to their account. Pages that require authentication without a customer login (such as order tracking pages) would still need to use a URL-based method, but it would be possible to
reduce the risk of information leakage by doing something like still requiring a customer account login after a certain amount of time has passed.

And I agree with him. I decided to contact the developers and this is what they said:

They are aware of this being requested, and will look into implementing this in the future. If we see enough demand over existing development projects, and if we see more requests come in for the same solution from other developers this will increase the priority of the feature being implemented.

I urge all application developers who develop Shopify applications to support me and store owners who want to protect their users' data in the Proxy App from being stolen. I am always open for discussion and will be glad to talk about this with other developers and members of the Shopify community.

Accepted Solution (1)

Luke_K
Shopify Staff
402 66 102

This is an accepted solution.

Hi all,

 

Shopify here with an update - we're looking for interested partners to sign up for a beta that will include the Customer ID for logged in customers as a parameter in the forwarded query for App Proxy Requests.

 

Folks that are interested in this beta can contact Partner Support to express interest via their Partner Dashboard here

 

Many thanks!

 

| Shopify |
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!

View solution in original post

Replies 35 (35)

Human
Shopify Partner
9 0 2

Hi 

 

 

If you could combine this with the current time, one could have a valid authenticating solution, similar to Javascript Web Tokens. 

Sadly, the current way to get the time serverside in liquid is this :

 

{{'now' | date: '%s' }}

And it does not give the current time, but due to caching it will give the last time the template was rendered by Shopify. So it's not usable for authentication.

Human
Shopify Partner
9 0 2

Hi,

Sorry skip the last time remark. This won't work.

Human
Shopify Partner
9 0 2

Hello savchukoleksii

 

Me again! I think I found another way of doing this, please check this thread and tell me your remarks:

 

https://community.shopify.com/c/Shopify-APIs-SDKs/Using-a-customerAccessToken-for-authenticating-ser...

savchukoleksii
Shopify Partner
9 0 16

Hi. This solution is not suit to my needs. All must be done on Shopify and Apps backend, because in another way it not secure for customers. The best solution to add header on Shopify request like `customer-id`, but developers response that they have more important things to do.

Human
Shopify Partner
9 0 2

Hi!

 

Did you also read the part about proxying the create customer?

I do it like this: when clicking create customer, I send a post request via javascript to create a customer to my app instead of submit to shopify.

My app creates the customer on the shopify Admin API and then creates a JSON Web token for the customer id and returns it to the customer.

This token can be saved and sent with every request to my app.

 

When the user logs in, first the frontend javascript also does a request to my app, with the username / password. My app does a request to the storefront api (doesn't share this info with the frontend) to see if its a valid customer. After this it also creates a token with the customerid and sends it to the frontend.

 

I think this is a more secure way. 

(the create a customer form in liquid is now a login form so the customer is logged in after creating).

 

savchukoleksii
Shopify Partner
9 0 16
It is also bad solution, because for example API controllers can not be done with javascript. More preferable way to use Shopify supported things that can not be exploit by hackers, because it automatically add by Shopify
Human
Shopify Partner
9 0 2

Hi!

 

I don't understand what you mean by API controllers can not be done with javascript, could you elaborate please?

By the way, yes of course Shopify should have a cleaner solution, but they haven't, so we have got to find a solution.

 

Human

savchukoleksii
Shopify Partner
9 0 16

I use Gavin Ballard's solution right now. And add query params using Javascript if I need to identify user. For users without javascript enabled I just render noscript tag with info that app require JavaScript. I use Yii2 on the backend on my app, so I write controllers that supports liquid response and customer AuthClass with use X-Loggined-Customer header. Also it wraps every response of liquid in if statement to check all in Liquid. I do something like this right now, but in every request I need to pass in get params right signature and customer_id. Urls does not look well, but this is the most secure solution for now.

savchukoleksii
Shopify Partner
9 0 16

Today I noticed that header are not passed with request at all. Solution does not work anymore

rgagnon
Shopify Partner
2 0 0

I have the same needs.  I have talked to Shopify Plus Live chat about this.  They are referring me here.  

 

They don't look open to add an http header to the proxy.

 

 

rgdevstack
Visitor
2 0 0

I also need this feature as I don't have control to the Shopify store where my proxy app is installed. I specifically need the email or customer id of a logged-in user. Hope Shopify do something about this.

jig_r
Shopify Partner
33 0 7

I also need this, a year later is there a solution for this?

I was going to resort to adding the customer ID as a custom header but looks like the header is stripped from the request according to others?  

JamesAB
Excursionist
18 0 9

Any news on this? Our Shopify clients are requesting SSO integration with Shopify, but only insecure hacks are somewhat able to accomplish it.

Shopify: why not pass a JWT in the header when passing the proxy pages?

Romash
Tourist
4 0 4

Thanks for bringing this up. Same here, we need a solution for customer identification in our app.

Eduardo12
Shopify Partner
12 0 3

Seconding that Shopify needs to implement a secure solution to this problem. All it would take is for them to forward the customer id as a query parameter or in the headers on the initial proxy request.

PeanutButter
Shopify Partner
387 68 184

Same here.  Shopify, this needs to be addressed.  Why not pass along the ID of any currently logged on customer?

Peanut Butter Collective | Shopify Experts
- Was my reply helpful? Please Like and Accept Solution.
- Want to customize and improve your store? Hire us.
- Feel free to contact me us hello@peanutbutter.es

Luke_K
Shopify Staff
402 66 102

This is an accepted solution.

Hi all,

 

Shopify here with an update - we're looking for interested partners to sign up for a beta that will include the Customer ID for logged in customers as a parameter in the forwarded query for App Proxy Requests.

 

Folks that are interested in this beta can contact Partner Support to express interest via their Partner Dashboard here

 

Many thanks!

 

| Shopify |
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
onspruce
Shopify Partner
13 0 3

Hi,

 

Re: https://shopify.dev/changelog/app-proxy-requests-include-new-parameter-for-the-logged-in-customer-id

 

I am not seeing the new logged_in_customer_id parameter in the forwarded app proxy requests as of 7/7/22.  Also the app proxy specifications and documentation have not been updated to mention it:

 

https://shopify.dev/apps/online-store/app-proxies

 

Can you please let us know if this was implemented or released?

bretto36
Shopify Partner
5 0 2

Yes i'd also like to know where this is, it's been 5 days and still nothing @Luke_K 

simonebogni
Shopify Partner
2 0 1

I would also like an answer from the Shopify team.

 

I tested it yesterday on a development store.

 

Within the proxy app I logged all the parameters passed in the query and all the HTTP headers (just in case).

 

The new parameter that should have been automatically available since 05/07/2022 is nowhere to be found.

 

The only parameters that I see in the request are the shop, the timestamp, the signature and the path.

 

I'd be happy if a member of the Shopify support team could look into it and explain how to get it, as we have some applications being developed that rely on the customer id being sent to the proxy in the first place.

 

Thank you.

Luke_K
Shopify Staff
402 66 102

Hey all,

 

We had to revert the initial rollout of this the App Proxy Customer Id functionality due to an unexpected bug.

 

We've now reverted the rollout and are pushing a resolution imminently. 

 

We'll reach out on this thread once the fix has fully rolled out to production. Apologies for the confusion!

| Shopify |
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
jig_r
Shopify Partner
33 0 7
Amazing news! Thanks for the updates.

I wonder if that means I don’t need my work around anymore.
Luke_K
Shopify Staff
402 66 102

Hey all, 

 

Please note that we resolved the issue with the new App Proxy logged_in_customer_id parameter and a fix has been pushed out to production.  We've also updated the Dev Docs concerning logged_in_customer_id

 

Let us know if any further trouble 👍 Thanks!

| Shopify |
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
rogala
Visitor
2 0 2

There is something wrong with this. The logged_in_customer_id is coming through empty. I thought it had to do with the release yesterday, so I checked requests today. When I calculate the hash, it does not match up. How should this be handled? Also, the documentation does not specify how to handle null values. Thanks!

rogala
Visitor
2 0 2

If anyone runs into a request where the logged_in_customer_id is empty, then it still is included in the sorted_params from the example:

 

# => "extra=1,2logged_in_customer_id=path_prefix=/apps/awesome_reviewsshop=shop-name.myshopify.comtimestamp=1317327555"

 

 

geobertz
Shopify Partner
27 0 22

Same problem with me, i always get a mismatch in the signature 😞

geobertz
nick-lobue
Shopify Partner
7 0 0

Did you ever come to a solution on this? Having the same issue when hitting the app proxy through my hydrogen app.

bretto36
Shopify Partner
5 0 2

I'm able to get the customer fine these days. I'm using laravel and i can do 

$request->get('logged_in_customer_id')

which is the same as $_GET['logged_in_customer_id']

can you post some code for us to help

nick-lobue
Shopify Partner
7 0 0

I am also having some issues here. I have a logged in customer on my Hydrogen app via the Customer API. When attempting a request through the proxy the logged_in_customer_id comes back empty.

I have also attempted this without the Customer API, using the old customer id with the same result. 

Once the customer logs in on the hyrdogen app I use the "fetch" function call which forwards the existent headers with the request.

Could you maybe provide further information on how you're constructing the request to the proxy? Perhaps I am missing something on that end. 

simone_bogni
Shopify Partner
9 0 7

In the case of Laravel, like in bretto36's case, the logged_in_customer_id data is one of the query string parameters that Shopify add to the forwarded request when you use a proxy.

The $_GET[...] array and the $request->get(...) method check the query string.

In Express you would use something like req.query.logged_in_customer_id.

I'm not very familiar with Hydrogen at the moment, but are you getting the other query parameters that are added (shop, timestamp, signature, etc.)?

If not, are you completely sure you have configured the route to be a proxy?

nick-lobue
Shopify Partner
7 0 0

Appreciate the follow up, I am getting the other query parameters. 

Wondering if the request I am forwarding its the issue. As I understand it, logged_in_customer_id should not be forwarded to the proxy as that parameter is determined by the proxy. Is that the correct assumption?

simone_bogni
Shopify Partner
9 0 7

As far as I'm aware (and please consider I'm talking about the regular proxy app - I don't know enough Hydrogen to help there), that is something that the Shopify layer is sending you automatically and you are not supposed to add it to the request.

 

For clarity, I'm adding an example. And I'm sorry if it's stuff that you are already doing 😅

 

Let's say that you have a route available at myexamplesite.com/proxy/getcolors, the proxy app is configured so that /apps/proxy redirects to myexamplesite.com/proxy.

 

Then on your product page test.myshopify.com/products/shirt you do a GET request to test.myshopify.com/apps/proxy/getcolors?product_id=1234.

 

The request goes directly to Shopify (Shopify product page -> Shopify proxy service), which keeps the original format, and adds to the request &shop=test.myshopify.com&logged_in_customer_id=15677&timestamp=...&etc. before forwarding the updated request to myexamplesite.com/proxy/getcolors

nick-lobue
Shopify Partner
7 0 0

Hmm yeah, this sounds like it is exactly what I'm doing. The only missing piece would be the headers and cookie of the GET request. Would you happen to have those?

 

I appreciate the example!

simone_bogni
Shopify Partner
9 0 7

Cookies forwarding is not supported. The "Cookie" header from the request and the response is stripped by the Shopify proxy layer, according a note in the doc (https://shopify.dev/docs/apps/online-store/app-proxies#handling-proxy-requests).

 

As for the headers, the proxy layer adds X-Forwarded-For, which represents the client IP address.

 

At https://shopify.dev/docs/apps/online-store/app-proxies#disallowed-headers you can find a list of other headers that are not allowed and that are stripped from the response for security reasons.

nick-lobue
Shopify Partner
7 0 0

I believe the origin headers tell the proxy how to calculate the logged in customer id. Otherwise, I could see no way in which that value is derived