Request: Proxy Apps Customer Auth

Solved
savchukoleksii
Shopify Partner
9 0 15

Here just copy of topic: Proxy Apps Customer Auth problems

Hi, community members.

Today I would like to raise a question that remains unanswered. The question is:

How can we identify customers in our embeded Proxy App?

 Now Shopify have not common solution for this problem though community has ask this question many times. Here is just a couple post on this forum I found and dated, when it was posted:

  1. Proxy APP that uses logged in user info / 02-03-2015
  2. Current best way to get logged in customer id / 02-21-2019
  3. Anyway I can find out customer ID of logged in customer on app proxy / 06-04-2014 
  4. Feature Request: Authenticated Customer IDs in proxied pages / 07-12-2015
  5. Customer authentication for app proxy / 08-24-2018
  6. Customer information in external app / 10-19-2013
  7. How to send logged in customer's email address to my app? / 03-28-2015
  8. Shopify app proxy show user related data / 01-27-2018
  9. Getting the logged in user Id via an app proxy / 09-17-2013

After I did the research, I realized that at the moment there is no solution in Shopify for this. And I decided to look for a solution on the Internet. I found an Securing customer pages with a Shopify app proxy by Gavin Ballard. As the application prohibits the use of cookies and headers for security reasons, developers must find a solution on their own. Because of all the limitations, the only solution is Query Based Auth, but in this way we leave a huge security hole in our application. Gavin has great solution, but even with all securing methods we still have this hole. At the end of article he has proposed more safe and the better solution for this problem.

 

With every proxied request Shopify passes along to your application, it adds a shop query parameter to help your application identify the store the request is coming from.

In addition to this, Shopify could pass along the ID of any customer that’s currently logged in to the storefront, either along with the shop parameter in the query string or as a custom HTTP header (perhaps X-Shopify-Customer-Id).

Doing this would greatly simplify the authentication progress for all customer pages where it’s required that a customer is logged in to their account. Pages that require authentication without a customer login (such as order tracking pages) would still need to use a URL-based method, but it would be possible to
reduce the risk of information leakage by doing something like still requiring a customer account login after a certain amount of time has passed.

And I agree with him. I decided to contact the developers and this is what they said:

They are aware of this being requested, and will look into implementing this in the future. If we see enough demand over existing development projects, and if we see more requests come in for the same solution from other developers this will increase the priority of the feature being implemented.

I urge all application developers who develop Shopify applications to support me and store owners who want to protect their users' data in the Proxy App from being stolen. I am always open for discussion and will be glad to talk about this with other developers and members of the Shopify community.

Accepted Solution (1)

Accepted Solutions
L_J_K
Shopify Staff
Shopify Staff
400 64 81

This is an accepted solution.

Hi all,

 

Shopify here with an update - we're looking for interested partners to sign up for a beta that will include the Customer ID for logged in customers as a parameter in the forwarded query for App Proxy Requests.

 

Folks that are interested in this beta can contact Partner Support to express interest via their Partner Dashboard here

 

Many thanks!

 

| Shopify |
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!

View solution in original post

Replies 17 (17)
Human
Shopify Partner
9 0 2

Hi 

 

 

If you could combine this with the current time, one could have a valid authenticating solution, similar to Javascript Web Tokens. 

Sadly, the current way to get the time serverside in liquid is this :

 

{{'now' | date: '%s' }}

And it does not give the current time, but due to caching it will give the last time the template was rendered by Shopify. So it's not usable for authentication.

Human
Shopify Partner
9 0 2

Hi,

Sorry skip the last time remark. This won't work.

Human
Shopify Partner
9 0 2

Hello savchukoleksii

 

Me again! I think I found another way of doing this, please check this thread and tell me your remarks:

 

https://community.shopify.com/c/Shopify-APIs-SDKs/Using-a-customerAccessToken-for-authenticating-ser...

savchukoleksii
Shopify Partner
9 0 15

Hi. This solution is not suit to my needs. All must be done on Shopify and Apps backend, because in another way it not secure for customers. The best solution to add header on Shopify request like `customer-id`, but developers response that they have more important things to do.

Human
Shopify Partner
9 0 2

Hi!

 

Did you also read the part about proxying the create customer?

I do it like this: when clicking create customer, I send a post request via javascript to create a customer to my app instead of submit to shopify.

My app creates the customer on the shopify Admin API and then creates a JSON Web token for the customer id and returns it to the customer.

This token can be saved and sent with every request to my app.

 

When the user logs in, first the frontend javascript also does a request to my app, with the username / password. My app does a request to the storefront api (doesn't share this info with the frontend) to see if its a valid customer. After this it also creates a token with the customerid and sends it to the frontend.

 

I think this is a more secure way. 

(the create a customer form in liquid is now a login form so the customer is logged in after creating).

 

savchukoleksii
Shopify Partner
9 0 15
It is also bad solution, because for example API controllers can not be done with javascript. More preferable way to use Shopify supported things that can not be exploit by hackers, because it automatically add by Shopify
Human
Shopify Partner
9 0 2

Hi!

 

I don't understand what you mean by API controllers can not be done with javascript, could you elaborate please?

By the way, yes of course Shopify should have a cleaner solution, but they haven't, so we have got to find a solution.

 

Human

savchukoleksii
Shopify Partner
9 0 15

I use Gavin Ballard's solution right now. And add query params using Javascript if I need to identify user. For users without javascript enabled I just render noscript tag with info that app require JavaScript. I use Yii2 on the backend on my app, so I write controllers that supports liquid response and customer AuthClass with use X-Loggined-Customer header. Also it wraps every response of liquid in if statement to check all in Liquid. I do something like this right now, but in every request I need to pass in get params right signature and customer_id. Urls does not look well, but this is the most secure solution for now.

savchukoleksii
Shopify Partner
9 0 15

Today I noticed that header are not passed with request at all. Solution does not work anymore

rgagnon
Shopify Partner
2 0 0

I have the same needs.  I have talked to Shopify Plus Live chat about this.  They are referring me here.  

 

They don't look open to add an http header to the proxy.

 

 

rgdevstack
New Member
2 0 0

I also need this feature as I don't have control to the Shopify store where my proxy app is installed. I specifically need the email or customer id of a logged-in user. Hope Shopify do something about this.

jig_r
Shopify Partner
26 1 6

I also need this, a year later is there a solution for this?

I was going to resort to adding the customer ID as a custom header but looks like the header is stripped from the request according to others?  

JamesAB
Excursionist
18 0 9

Any news on this? Our Shopify clients are requesting SSO integration with Shopify, but only insecure hacks are somewhat able to accomplish it.

Shopify: why not pass a JWT in the header when passing the proxy pages?

Romash
Tourist
4 0 1

Thanks for bringing this up. Same here, we need a solution for customer identification in our app.

Eduardo12
Shopify Partner
12 0 6

Seconding that Shopify needs to implement a secure solution to this problem. All it would take is for them to forward the customer id as a query parameter or in the headers on the initial proxy request.

PeanutButter
Shopify Partner
375 67 169

Same here.  Shopify, this needs to be addressed.  Why not pass along the ID of any currently logged on customer?

Peanut Butter Collective | Shopify Experts
- Was my reply helpful? Please Like and Accept Solution.
- Want to customize and improve your store? Hire us.
- Feel free to contact me us hello@peanutbutter.es
L_J_K
Shopify Staff
Shopify Staff
400 64 81

This is an accepted solution.

Hi all,

 

Shopify here with an update - we're looking for interested partners to sign up for a beta that will include the Customer ID for logged in customers as a parameter in the forwarded query for App Proxy Requests.

 

Folks that are interested in this beta can contact Partner Support to express interest via their Partner Dashboard here

 

Many thanks!

 

| Shopify |
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!