I have an external API web service that interfaces with Shopify via several different methods. And these are connected via a registered Shopify private app.
For example, a product that's selected in a Shopify page's IFrame is pushed into my web service in order to then create the Shopify product and add it to the customer's cart. Everything functionally works fine. The Shopify page's JavaScript receives the IFrame's product push, then the Shopify page's JavaScript forwards that dataset to my web service, then my web service creates the product and passes back the Shopify Product ID, and finally the Shopify page's JavaScript reads that value and adds it to the customer's cart.
The issue that I would like to clean up involves the Shopify page's JavaScript contacting my web service. I am using Java web tokens, but even then those tokens have a certain lifespan. And anyone reviewing my Shopify page's underlying code could determine the JWT and have open access to my API web service during that timeframe. As my web service internally hides the various endpoint API credentials, I'm looking for a way to somehow leverage something server-side in Shopify to perform these external API calls, so that the client JavaScript doesn't handle them.
From all I've read, I realize that Shopify isn't meant for this. Any suggestions as to best handle what I'm looking to do?
The lack of response leads me to believe this isn't doable. Which I've come to understand delving more into this. Which leads me to a second question.
Is there any way to store and reference a unique identifier on the Shopify back-end? I was trying to reference the 'now' Liquid variable, but have learned that this only reflects the current timestamp when the template was rendered. I've searched for any Liquid reference to a unique Session ID, but have come up empty.
In short, my Shopify JavaScript client needs to authenticate against a third-party API resource. And I want to hide the authentication mechanism as much as possible...
This is an accepted solution.
This was worked around through creating a private app proxy (https://help.shopify.com/api/embedded-apps/app-extensions/online-store/application-proxies). I validate the signature from the proxy call, and that in turn is used to issue a JWT from my third-party app.
Sorry for picking a very old thread, however I was wondering if you were able to make the third party call successfully through JavaScript. I am not yet concerned with hiding the API key but to first be able to make that call. I am trying to make a call to remove.bg but stuck with 400 error code for quite some time... my request parameter seems to be correct.
@Propero, yes I was able to work through things by using the Shopify app proxy to hit my third party endpoint. I validate the HMAC signature that the app proxy call automatically includes, have my third party endpoint provide the response, and that response is then handled by the Shopify JavaScript on the front end.
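Added example (not part of any post in this thread, and not the poster's or Shopify's own code): a Node.js version of the flow the accepted solution describes, where the web service verifies the app proxy's `signature` parameter and only then issues a short-lived JWT. The canonicalization follows Shopify's documented app proxy scheme (drop `signature`, sort the `key=value` pairs, join with no separator, HMAC-SHA256 with the app's shared secret); the function names, the 60-second freshness window, the 120-second token lifetime, the JWT claims and the sample shop and secrets are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const MAX_AGE_SECONDS = 60;  // assumption: freshness window for proxied requests
const JWT_TTL_SECONDS = 120; // assumption: lifetime of the issued token

// Recompute the signature: drop "signature", render each parameter as
// key=value (repeated keys joined with ","), sort, concatenate with no
// separator, then HMAC-SHA256 with the app's shared secret (hex digest).
function proxySignature(queryString, sharedSecret) {
  const grouped = new Map();
  for (const [key, value] of new URLSearchParams(queryString)) {
    if (key === "signature") continue;
    grouped.set(key, [...(grouped.get(key) || []), value]);
  }
  const message = [...grouped].map(([k, v]) => `${k}=${v.join(",")}`).sort().join("");
  return crypto.createHmac("sha256", sharedSecret).update(message).digest("hex");
}

function verifyProxyRequest(queryString, sharedSecret, nowSeconds) {
  const params = new URLSearchParams(queryString);
  const given = Buffer.from(params.get("signature") || "", "utf8");
  const expected = Buffer.from(proxySignature(queryString, sharedSecret), "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  // Reject an old but validly signed URL that is being replayed.
  const age = nowSeconds - Number(params.get("timestamp"));
  return Number.isFinite(age) && Math.abs(age) <= MAX_AGE_SECONDS;
}

const b64url = (data) => Buffer.from(data).toString("base64url");
// Minimal HS256 JWT, signed with a key that never leaves the web service.
function issueJwt(shop, jwtKey, nowSeconds) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ sub: shop, iat: nowSeconds, exp: nowSeconds + JWT_TTL_SECONDS }));
  const sig = crypto.createHmac("sha256", jwtKey).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}

// Returns a token only when the request really came through the app proxy.
function handleProxyRequest(queryString, sharedSecret, jwtKey, nowSeconds) {
  if (!verifyProxyRequest(queryString, sharedSecret, nowSeconds)) return null;
  return issueJwt(new URLSearchParams(queryString).get("shop"), jwtKey, nowSeconds);
}

// Constructed sample (not a real shop or secret): sign a query, then verify it.
const demoQuery = "shop=example.myshopify.com&path_prefix=%2Fapps%2Fdemo&timestamp=1700000000";
const demoSigned = `${demoQuery}&signature=${proxySignature(demoQuery, "demo-secret")}`;
console.log(handleProxyRequest(demoSigned, "demo-secret", "demo-jwt-key", 1700000030) !== null);
```

The shared secret and the JWT signing key stay on the web service, so nothing in the storefront's page source is enough to call the API directly.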
Sorry to bring this post back to life but... AJAX POST requests don't seem to be going through on my end. I'm able to successfully do GET requests but I keep getting "Bad Request" errors when trying to post data from my Shopify store to my backend service.
Is there a particular step I'm missing here? Last year using action and method attributes of the form tag would work when it came to sending data to the backend, and now I can't seem to find any way to achieve this again.