I need a way to securely authenticate the customer when he, trough my scripttag, make AJAX request to MY APPSERVER.
I mean that in the storefront cart or in the order_status_page i place a button that make an API request to my server. On my server, when the API is called, i need to know WHO the customer is (the customer_id is enough) and make sure it is not a tampered request.
Obviously i cannot accept request where customer_id is clear in the request body/query because anyone could spoof the request and make anonymous request altering the customer_id. I need a way to ensure the request come from a real and authenticated customer session on the shopify store.
How can i do this?
You can use http-only cookies to do this:
Could you explain it better?
I know how cookies works, but i'm not getting how this could help my case?
What cookie should i read/write to authenticate the current customer (that is facing the shopify cart / order_status pages) on my server?
How can i be certain that the ajax request is really made from the current customer?
Sorry should have elaborated more on that.
One possibility is to use JWT authentication per customer and store the data in an http-only cookie:
Then send the signed data in the request to your server.
Here are 2 decent resources on JWT authentication:
The implementation of this will be heavily dependent on how your app is set up/used.
There are also other ways to do this, so some one please correct if there is something better.
I'm sorry. It's now clear to me that my question is not clear at all :-D.
The problem is not how technically authenticate an user, i know many methods including cookies, jwt etc.
The problem is how, in the shopify storefront i could get some customer-handle data that could allow my server to verify and assert the request has been made from the customer on the shopify storefront.
I need some kind of customer-token (that shopify should provide in the storefront) that is unique, protected, expiring and verifiable, so that when this token is sent to my server in a request i could do process to assert "yes this token couldn't be fake and was generated by shopify storefront for this specific customer_id" or "no, this is an invalid token"
Hope the question is now clearer.
Thanks anyway for your efforts.
Have you tried using the customer access token:
the customer-access-token require customer username/password to be created...
in my case, the customer is on the shopify platform and is already authenticated on the shopify store (or may be a custome of an order that haven't created any account.
any other solution?
I have a similar situation - did you find a solution for this?
The only way I could think of was to make a dummy request to the Shopify API from my server using the provided customer token to check that it was still valid... A bit time consuming though.
Hi Team, struggling with same situation..please reply if someone has solution arount it?
I think first task is verify if call is made from Shopify, by using "signature verification".
Conceptually If end-user(not shop/merchant) makes call to your app and if you don't have that specific user account on your app you can not verify his/her identity, because only account you have on your app side is store/merchant account. So if you try to do any other user identity verification you have to make another call to Shopify from backend since that data only sits on Shopify.
And I hope calls from Shopify ui made from Shopify proxy
We used this approach:
With this, you could build a token with an hash key parsed by LIQUID engine (so is not visibile on the Frontend DOM and/or accessed in the JS files)
Then on your 3rd party service you could decrypt the token and compare if is matching with the hash key.