I'm using the Storefront API with React as the front end, and I can get the customer access token when they log in. What is the best way to store this access token? Local Storage? If I use a Node server, is there a more secure way of doing it? Are JSON web tokens a possible solution?
This token is pretty much as critical as a customer's password, right? Since you can technically make orders just by using it with the checkoutCustomerAssociateV2 mutation.
Hi @andrenaught
Did you ever figure this out? I'm currently trying to do the same thing React + Storefront API and want to know how to maintain the user's session.
I would just go ahead and use localStorage, following this: https://help.shopify.com/en/api/storefront-api/guides/updating-customers#creating-an-access-token. Whatever you do, there will be an access token on the client's computer anyways; there is no way around that. The important part is that the token eventually expires. If the token isn't valid anymore (expired), then log the user out.
Just reuse this token when making requests to the Shopify API. Like here: https://help.shopify.com/en/api/storefront-api/guides/updating-customers#updating-the-address
If you want to make it expire sooner, you can probably use customerAccessTokenDelete (like run it 2 weeks before the expiry date, though the client can spoof their own time, so if you want to do this premature token deletion you would do this server side against server time).
Thanks @andrenaught
Have you ever explored using an http-only cookie?
I've got a React app that is talking directly to the Storefront API right now. But I'm thinking about bringing in an Express server that functions as an auth middleware of sorts.
Thoughts? What's your setup like?
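Added example, not part of any post in this thread: a sketch of the HTTP-only cookie setup asked about above, where a Node server keeps the customer access token and the browser holds only a random session id, with expiry checked against server time. The function names, the `sid` cookie name and the in-memory store are assumptions; the input is the `{ accessToken, expiresAt }` object returned by `customerAccessTokenCreate`.

```javascript
// Added example: server-side session store for a Storefront customer access token.
const { randomBytes } = require('node:crypto');

// sid -> { token, expiresAtMs }. In-memory only for this sketch (assumption);
// a real deployment would use a shared store.
const sessions = new Map();

// tokenResult: the customerAccessToken object from customerAccessTokenCreate,
// i.e. { accessToken, expiresAt } with expiresAt as an ISO 8601 string.
function createSession(tokenResult, now = Date.now()) {
  const expiresAtMs = Date.parse(tokenResult.expiresAt);
  if (!tokenResult.accessToken || Number.isNaN(expiresAtMs) || expiresAtMs <= now) {
    throw new Error('missing or already expired customer access token');
  }
  // The browser only ever sees this random id, never the Shopify token.
  const sid = randomBytes(32).toString('hex');
  sessions.set(sid, { token: tokenResult.accessToken, expiresAtMs });
  const maxAge = Math.floor((expiresAtMs - now) / 1000);
  // HttpOnly: not readable from page JavaScript. Secure: HTTPS only.
  // SameSite=Lax: not sent on cross-site POSTs.
  const setCookie =
    `sid=${sid}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  return { sid, setCookie };
}

// Resolve the Cookie request header to the stored token, or null.
// Expiry is checked against the server clock, not anything the client sends.
function tokenForRequest(cookieHeader, now = Date.now()) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || '');
  if (!m) return null;
  const session = sessions.get(m[1]);
  if (!session) return null;
  if (session.expiresAtMs <= now) {
    sessions.delete(m[1]);
    return null;
  }
  return session.token;
}

// Logout: drop the server-side record and expire the cookie. The caller should
// also run customerAccessTokenDelete so the token is revoked at Shopify.
function destroySession(sid) {
  sessions.delete(sid);
  return 'sid=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax';
}
```

The server attaches the stored token to its own Storefront API calls on behalf of the browser, so a script injected into the page cannot read it the way it could read localStorage.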
I'm using the Storefront API with React as the front end, and I can get the customer access token when they log in.
Hi @andrenaught
I'm having trouble getting the customer access token from the storefront. Can you tell me how you get the token when they log in?
I see, I need to input the user email and password variables in the GraphQL API in order to create the customer access token.
Is it stored in a cookie or in something else?
Thank you!
Dear andrenaught,
I'm new to Shopify. Can you teach me how to get the customer's access token when they log in? Thanks!
Best,
Zhemin