Dedicated to the Hydrogen framework, headless commerce, and building custom storefronts using the Storefront API.
I'm working on a Shopify App that is intended to be used by users of a specific CMS to bring their products and collections into the CMS. That will be paired with the Storefront API to offer a headless-style cart before redirecting the user to Shopify's hosted checkout to pay.
The app is set up as a Sales Channel App so the user can control which products/collections are published to it. It will use the Admin Rest API to sync products/collections, probably with a webhook to get notified of when.
The thing I'm struggling with are the App URLs in Shopify. Users will install the plugin on their own self-hosted websites. The App URL and Allowed redirection URLs are therefore different for each user.
I am currently considering building an "authentication proxy service" website/webapp where users still install the plugin on their own self-hosted website, and start the authentication with a request to that proxy. The proxy's URLs could then be hardcoded in the Shopify App setup, and the proxy keeps its own information about which Shopify shop belongs to which website.
The downsides of that approach:
(1) The proxy would end up getting some level of access to each of the stores. I can limit this, for example by only passing oauth authentication codes directly back to the self-hosted plugin (i.e. the proxy service doesn't get an access token to query the shop that way), but it still becomes a potential point of failure and security concern for users trying to authenticate, and for users that are accessing the app from the Shopify admin.
(2) Rather than a nice self-contained package that only runs on the users' own infrastructure, I'll have to end up building and maintaining a separate service too. That wasn't quite part of the goal and is a big deterrent to going this route.
Is there any way around the hardcoded URLs and need for an authentication proxy? Some kind of authentication option for self-hosted plugins I'm overlooking? There are similar plugins for other CMSes so I feel like this ought to be a solved problem, but I'm coming up blank.