OAuth delegate token exposed client side?

Michaël_G_
Shopify Expert

I initially posted this topic in the Shopify Apps forum, but the API forum is actually more suited. Sorry for the duplicate.

Hi,

I've seen the new feature of delegate token for OAuth (https://help.shopify.com/api/guides/authentication/oauth#delegating-access-to-subsystems).

I have a question regarding this: because it is not possible to retrieve products, collections, pages... in an Embedded SDK app, we've created our own proxy micro-service that does the API call and returns the data to our JavaScript app.

However, this is one more service to host and maintain. Therefore, we've thought that, whenever a user authenticates, we generate a new delegate token with read-only permissions and send this token to the JS app. As a consequence, instead of calling our micro-service, we would directly hit the Shopify API using this delegate token. One service fewer, better latency...

The fact that the token can uninstall the app is not really an issue, as the merchant can uninstall the app anyway. However, I'd like to know if there are any security issues I may not have thought of. In particular, I'm afraid that this token can add, edit or even remove any of the app webhooks we register (which could lead to a non-functional app).

It would actually be super useful if we could create a read-only delegate token that removes all write capabilities (so uninstall, webhooks...). It would then be quite safe to embed it client side.

Thanks!

Michaël_G_
Shopify Expert

Hi,

I've done some testing of this and it definitely does not seem safe to expose client side. Endpoints like webhooks can be called; webhooks can be added, removed...

I'd definitely love it if you could add a new setting to this endpoint, maybe a new option "allow_administrative_tasks", and if it were set to false, it would make ALL other endpoints (except the ones specified for the new token) inaccessible.

That would therefore make this token safe to expose :).

Michaël_G_
Shopify Expert

Bumping this one :(. I'd love to get feedback on this from Shopify and to know if there are plans to improve this feature.

Michaël_G_
Shopify Expert

Bumping again... Sorry for pinging this again, but I'd love to know if there is any news; we're still looking to drop our micro-service that just proxies Shopify resources (or at least to be given a way to retrieve products, collections, articles, pages... in JS!).

HunkyBill
Shopify Expert

You answered your own question here. You should *NEVER* expose an access token client-side. If you want to do any client-side data access use an App Proxy to secure your callback. That way you expose yourself to as few security risks as possible.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
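The check that makes the App Proxy route recommended above safer than handing the JS app a token, as an added example that is not code from this thread or from Shopify: Shopify signs every proxied request by sorting the query parameters, concatenating `key=value` pairs with no separator (multi-valued keys joined by commas), and placing the hex HMAC-SHA256 of that string, keyed with the app's shared secret, in the `signature` parameter. The backend verifies it before it ever touches the Admin API with the real access token, so the browser never holds a credential. The secret, the shop name, the `path_prefix` and the 300-second freshness window below are assumptions made for the example; Shopify does not mandate a particular window, but the `timestamp` parameter it forwards is there to be checked.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example; a real app keeps its shared secret server-side only.
SHARED_SECRET = "hush-example-secret"
# Freshness window for the forwarded `timestamp`: an assumption, not a Shopify-mandated value.
MAX_AGE_SECONDS = 300


def canonical_message(params):
    """Build the string Shopify signs: keys sorted, each rendered as key=value,
    pairs concatenated with no separator, multi-valued keys joined by ','.
    The `signature` parameter itself is excluded from the message."""
    parts = []
    for key in sorted(params):
        if key == "signature":
            continue
        values = params[key]
        if isinstance(values, (list, tuple)):
            values = ",".join(values)
        parts.append(f"{key}={values}")
    return "".join(parts)


def sign(params, secret):
    """Hex HMAC-SHA256 of the canonical message under the app's shared secret."""
    msg = canonical_message(params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_app_proxy_request(url, secret, now=None, max_age=MAX_AGE_SECONDS):
    """Return True only for a request with a valid signature and a fresh
    timestamp. Everything else is rejected before the backend makes any
    Admin API call with its (server-side only) access token."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    provided = params.get("signature", [""])[0]
    if not provided:
        return False
    expected = sign(params, secret)
    # Constant-time comparison: a plain == would leak a byte-at-a-time oracle.
    if not hmac.compare_digest(expected, provided):
        return False
    try:
        ts = int(params.get("timestamp", ["0"])[0])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    return abs(now - ts) <= max_age


def make_signed_proxy_url(base, params, secret):
    """Simulate what Shopify's proxy does before forwarding a storefront
    request to the app. Used here only to build sample input offline."""
    signed = dict(params)
    signed["signature"] = sign(signed, secret)
    return base + "?" + urlencode(signed, doseq=True)


if __name__ == "__main__":
    # Constructed sample: the parameters Shopify's proxy attaches, plus the
    # storefront's own `q` search term, as seen by the app backend.
    now = 1700000000
    forwarded = {
        "shop": "example.myshopify.com",
        "path_prefix": "/apps/search",
        "timestamp": str(now),
        "logged_in_customer_id": "",
        "q": "shirt",
    }
    url = make_signed_proxy_url("https://app.example.com/proxy/search", forwarded, SHARED_SECRET)
    print("genuine request accepted:", verify_app_proxy_request(url, SHARED_SECRET, now=now + 10))
    tampered = url.replace("q=shirt", "q=shoes")
    print("tampered request rejected:", not verify_app_proxy_request(tampered, SHARED_SECRET, now=now + 10))
    print("replayed request rejected:", not verify_app_proxy_request(url, SHARED_SECRET, now=now + 10_000))
```

The backend behind this check still performs the Admin API read itself, with scopes it asked for at install time, and returns only the fields the storefront needs; the signature proves the request came through Shopify's proxy for that shop, not that the caller is allowed to see everything the token can reach.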
Michaël_G_
Shopify Expert

Yes :).

However, if it removed all the permissions like registering webhooks, uninstalling apps... those tokens could be used directly in JS for read purposes only.

HunkyBill
Shopify Expert

I think merchants are already exposed enough. You can read any product and all its details without any access tokens, so that you can see things you are probably not supposed to see (at least when weak Apps are used). Examples include hidden variants and wholesale prices. A lot of Apps are susceptible to showing off the innards of a business, and there is nothing you can do.

Adding the ability to read collections, and pages, and articles, etc would just complicate matters. I think we're lucky there is already so much latitude in availability. 

Also, it is a common pattern to use Liquid to render all the assets of a shop in JSON to special layouts, only accessible to certain calls. You could just render everything that way. Render JSON for your JS framework to turn that data into a nice experience. 

Michaël_G_
Shopify Expert

Actually, I may have expressed myself badly.

The idea here is not to use that token on a public store, but really just in the app. For instance, I have an app where I want to provide a product search. What I've done for that is automatically install Liquid templates that return JSON, but that causes some issues:

* If the shop has a password, I cannot do the call (https://my-store.myshopify.com/search?view=my-custom-templates).

* I cannot retrieve a single resource (like one collection).

Therefore it's not exposing the merchant any more, as it's just accessing their own data (ideally, the Embedded SDK should have methods to retrieve collections, products, pages... based on the app permissions).

HunkyBill
Shopify Expert

Whatever it is you're having trouble with, you're on your own now. This whole thread is a mess. You have an embedded App in a shop, you can have every resource imaginable at your fingertips in that App provided you asked for and were granted all the needed scopes. 

Has nothing to do with JS or any client-side code. Exposing resources to the front-end without Shopify rendering Liquid is done through an App Proxy if you insist on making XHR callbacks.

That is all I can grok from your problem. English sucks.

Michaël_G_
Shopify Expert

No problem, thanks for your assistance.

PS: I'm not a native speaker; sorry for the incorrect English, I'm trying as hard as I can!

HunkyBill
Shopify Expert

I meant my English... yours was fine.
