
Private App Authentication

Solved
JellySlater
New Member

So I've been developing a Chrome Extension that loads in an inventory from a given Shopify store. Currently it's a private app, as authentication was most convenient for me to develop with.

Chrome advises that for storage: "Confidential user information should not be stored! The storage area isn't encrypted." Per: Chrome storage

Given that the following is also true,
"Treat the API key and password like you would any other password, because whoever has access to these credentials has full API access to the store." Per: Private apps

It follows that I shouldn't store the API key, or API password.

However, I would somehow (if possible) like to be able to pull the API password (perhaps through some GraphQL query) while only using the store's login information (store name, store password; or perhaps email + password of a store admin), provided they already installed the private app with the appropriate permissions, and that this is within Shopify's terms of service.

If this is possible, any advice would be greatly appreciated, or even a nudge in the more appropriate direction for development, as I'm still very green in experience.

Accepted Solution (1)
Jason
Shopify Expert

This is an accepted solution.

That's not likely an approach you'd want to follow. Scraping data from the Admin once a merchant is logged in is risky, and likely against TOS. The Admin APIs are there for that purpose but will require proper auth and the extension isn't allowed to store that.

What's the reason for not making this an app?  I get that building as an extension can be easier at times since I've built a bunch myself.

★ I jump on these forums in my free time to help and share some insights. Not looking to be hired, and not looking for work. http://freakdesign.com.au ★


Replies 2 (2)
Jason
Shopify Expert

I would add that if you are ONLY pulling data rather than using content into the shop, then look at the Storefront APIs instead. The auth for that API is public, so it probably won't be as problematic for Google's terms. I'm no lawyer, of course.

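To illustrate the read-only route suggested above, here is an added example (not code from the thread or from Shopify) of an inventory fetch through the Storefront GraphQL API: the storefront access token is public by design, so the extension never carries the private-app key and password. The shop domain, API version and token are constructed placeholders.

```javascript
// Added example, not code from the thread: a read-only inventory fetch via
// Shopify's Storefront GraphQL API. Its storefront access token is public by
// design, so the extension never has to hold the private-app key/password.
// SHOP, API_VERSION and STOREFRONT_TOKEN are constructed placeholders.
const SHOP = "example-store.myshopify.com";
const API_VERSION = "2024-01";
const STOREFRONT_TOKEN = "public-storefront-token";

const PRODUCTS_QUERY = `
  query Inventory($first: Int!) {
    products(first: $first) { edges { node { id title } } }
  }`;

// The token goes in X-Shopify-Storefront-Access-Token; there is no Basic-auth
// key:password pair and no Admin API endpoint anywhere in the request.
function buildStorefrontRequest(shop, version, token, first) {
  return {
    url: `https://${shop}/api/${version}/graphql.json`,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-Shopify-Storefront-Access-Token": token,
      },
      body: JSON.stringify({ query: PRODUCTS_QUERY, variables: { first } }),
    },
  };
}

// Flatten the GraphQL envelope; a non-empty errors array means the call failed.
function parseProducts(responseJson) {
  if (Array.isArray(responseJson.errors) && responseJson.errors.length > 0) {
    throw new Error("Storefront API error: " + responseJson.errors[0].message);
  }
  return responseJson.data.products.edges.map(({ node }) => node);
}

async function fetchInventory(first = 5) {
  const { url, options } = buildStorefrontRequest(SHOP, API_VERSION, STOREFRONT_TOKEN, first);
  const res = await fetch(url, options);
  return parseProducts(await res.json());
}
// Constructed sample response so parseProducts can be exercised offline.
const SAMPLE_RESPONSE = {
  data: { products: { edges: [
    { node: { id: "gid://shopify/Product/1", title: "Blue Mug" } },
    { node: { id: "gid://shopify/Product/2", title: "Red Mug" } },
  ] } },
};
```

The Admin API credentials the question worries about never appear in this flow, so there is nothing confidential left to store in `chrome.storage`.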