Authenticating customers in theme app extension

Solved
wristbands
Shopify Partner
18 3 2

Hey, so we are developing a theme app extension, which creates an app block that will be used for customers to enter additional account information. Our app block will send a request containing the additional information to our backend app server, which will use the Shopify Admin API to insert the data on behalf of the customer.


However, our problem is we want to make sure that each customer can only add additional information for their own account, not for other customers' accounts. To do this, we need some way of authenticating each customer in their request. Is there some way of accessing a customer's session token and verifying that it is valid in our backend app server? Would access tokens for the Storefront API be relevant?


Thanks,
Elias

Accepted Solution (1)
wristbands
Shopify Partner
18 3 2

This is an accepted solution.

I was able to figure it out. You have to use App Proxies.


Once you set that up, you can determine the ID of the logged-in user who sent the request by reading the `logged_in_customer_id` query parameter, and you can make sure that the request came from Shopify by verifying the `signature` query parameter. For a Node.js app, you can verify the signature using the shopify-application-proxy-verification npm library.


Hope that helps anyone in a similar situation!


Replies 2 (2)
EcomGraduates
Shopify Partner
588 48 63

In order to authenticate each customer and ensure they can only add additional information for their own account, you can make use of Shopify's API authentication features.

Specifically, you can use the Shopify Admin API to obtain a session token for each customer when they log in. This token can then be passed along with each request to your backend app server, which can verify the token's validity and use it to perform actions on behalf of the customer.

Access tokens for the Storefront API would not be relevant in this case, as they are used for accessing storefront data rather than authenticating customer requests.

