What's your biggest current challenge? Have your say in Community Polls along the right column.
Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Storing sensitive information in Porducts metafields

Solved

Storing sensitive information in Porducts metafields

eflouret
Tourist
13 0 3

Hello,

Is it safe to store sensitive information in product metafields?

I don't mean any personal or financial customer information, but only information that can be accessed by those who purchased the product.

The information I want to store in the metafields isn't  free and should be safe (download links, paid tutorials, etc.).

Thanks,

Enrique

Accepted Solution (1)

HunkyBill
Shopify Partner
4853 60 568

This is an accepted solution.

Metafield resources were almost always subject to hacking because originally they had zero security. Anyone with a decent scoped API key could read, write metafield resources for almost anything. Can you say problematic wild west. Some App developers went overboard and made everything a metafield, while others tried to be careful and only store valuable info there. So along came twits that would accidentally erase metafields not of their creating, ruining merchant lives!!

 

So Shopify got wise in a way, and now when you create a metafield, and it is scoped to your APP, other Apps cannot monkey with your metafield resource. That being said, reading a key:value pair is a Liquid thing, so sloppy Liquid could expose metafield data in order emails, etc. So the answer to your question is subtle.

 

Yes you can store important info in them. It is probably not wise to store customer-centric info in a product metafield though. You more likely want to save that in the customer record itself. Or even the customer order. So if a customer purchases a product, that belongs to the customer's order. Pollute the order with the product specific info. Then expose it ONLY in the customer account Liquid, where they can scan their orders, and see their products.

 

Just saying... if you sell 10000 people a product, you probably do not want 10000 metafield resources attached to that product. Would be kinda gnarly...

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com

View solution in original post

Replies 6 (6)

HunkyBill
Shopify Partner
4853 60 568

This is an accepted solution.

Metafield resources were almost always subject to hacking because originally they had zero security. Anyone with a decent scoped API key could read, write metafield resources for almost anything. Can you say problematic wild west. Some App developers went overboard and made everything a metafield, while others tried to be careful and only store valuable info there. So along came twits that would accidentally erase metafields not of their creating, ruining merchant lives!!

 

So Shopify got wise in a way, and now when you create a metafield, and it is scoped to your APP, other Apps cannot monkey with your metafield resource. That being said, reading a key:value pair is a Liquid thing, so sloppy Liquid could expose metafield data in order emails, etc. So the answer to your question is subtle.

 

Yes you can store important info in them. It is probably not wise to store customer-centric info in a product metafield though. You more likely want to save that in the customer record itself. Or even the customer order. So if a customer purchases a product, that belongs to the customer's order. Pollute the order with the product specific info. Then expose it ONLY in the customer account Liquid, where they can scan their orders, and see their products.

 

Just saying... if you sell 10000 people a product, you probably do not want 10000 metafield resources attached to that product. Would be kinda gnarly...

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
eflouret
Tourist
13 0 3

Thanks HunkyBill for your descriptive reply, very much appreciated.

hexonsoft
Shopify Partner
7 0 3

Hello Sir, I have created 2 metafields using rest api using App #1.

But when I GET request from App #2 it shows the fields created by App #1.

Can you please tell me how to create metafields that can be read,update,delete by the APP only that created them.

HunkyBill
Shopify Partner
4853 60 568

Look into private Metafields. I think that is what you might be interested in. They are only available to the App that created them.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
hexonsoft
Shopify Partner
7 0 3

Sir is there any documentation of private metafields ? please share the link and how to create them using Rest API ?

currently I am using this code to create metafields 

 

$metafield = array (
"metafield" => array (
"namespace" => "hxs_lcs",
"key" => "hxs_lcs_api",
"value" => "LeopardsApiKey",
"value_type" => "string",
"description" => "this is hxs_lcs_api"
)
);

$url = "https://xxxxx:xxxxx@xxxxx.myshopify.com/admin/api/2021-01/metafields.json";

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_VERBOSE, 0);
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($metafield));
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($curl);
curl_close($curl);

 

 

but when i checked it can be access by other Apps.

Need help please

Regards

HunkyBill
Shopify Partner
4853 60 568

You probably need to use the GraphQL API.

https://shopify.dev/docs/admin-api/graphql/reference/metafields/privatemetafield

Shopify is moving away from the RestAPI anyway, so this is a good time for you to get into the GraphQL version which is for the most part, very nice to use.

 

 

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com