Partners and Developers

Could you explain it better?

I know how cookies works, but i'm not getting how this could help my case?

What cookie should i read/write to authenticate the current customer (that is facing the shopify cart / order_status pages) on my server?
How can i be certain that the ajax request is really made from the current customer?

Sorry should have elaborated more on that.

One possibility is to use JWT authentication per customer and store the data in an http-only cookie:

Then send the signed data in the request to your server.

Here are 2 decent resources on JWT authentication:

https://blog.logrocket.com/jwt-authentication-best-practices/

https://dev.to/siwalikm/what-the-heck-is-jwt-anyway--47hg

The implementation of this will be heavily dependent on how your app is set up/used. 

There are also other ways to do this, so some one please correct if there is something better.

I'm sorry. It's now clear to me that my question is not clear at all :-D.

The problem is not how technically authenticate an user, i know many methods including cookies, jwt etc.

The problem is how, in the shopify storefront i could get some customer-handle data that could allow my server to verify and assert the request has been made from the customer on the shopify storefront.

I need some kind of customer-token (that shopify should provide in the storefront) that is unique, protected, expiring and verifiable, so that when this token is sent to my server in a request i could do process to assert "yes this token couldn't be fake and was generated by shopify storefront for this specific customer_id" or "no, this is an invalid token"

Hope the question is now clearer.

Thanks anyway for your efforts.

Have you tried using the customer access token:

https://help.shopify.com/en/api/storefront-api/guides/updating-customers#creating-an-access-token

the customer-access-token require customer username/password to be created...

in my case, the customer is on the shopify platform and is already authenticated on the shopify store (or may be a custome of an order that haven't created any account.

any other solution?

I have a similar situation - did you find a solution for this?

The only way I could think of was to make a dummy request to the Shopify API from my server using the provided customer token to check that it was still valid... A bit time consuming though.

not found any solution yet

Hi Team, struggling with same situation..please reply if someone has solution arount it?

I think first task is verify if call is made from Shopify, by using "signature verification".

Conceptually If end-user(not shop/merchant) makes call to your app and if you don't have that specific user account on your app you can not verify his/her identity, because only account you have on your app side is store/merchant account. So if you try to do any other user identity verification you have to make another call to Shopify from backend since that data only sits on Shopify.

And I hope calls from Shopify ui made from Shopify proxy

https://shopify.dev/apps/auth/oauth#verification