Using private and public app together -where to store the private app password?

Solved
gdavisdesign
Tourist
5 0 0

To allow storefront access to my app (via app proxy), I had to create a public app – but the app is using my private app credentials to make the api calls on the server. None of the POST requests on the front-end show these credentials, but will hard-coding the credentials into my app (on the server) be a security risk? Since the app will be hosted on heroku or some other server, it seems like it should be fine, since the website client is POSTing into the server. The server runs the query to process the POST request and sends a response back to the client.

 

Is this is the proper way to run API requests in a private app and use the app proxy?

Accepted Solution (1)

Accepted Solutions
Busfox
Shopify Staff (Retired)
Shopify Staff (Retired)
628 49 107

This is an accepted solution.

Hi @gdavisdesign,

 

I don't see an issue with your approach. Just make sure, as you said, you're not exposing any of your credentials on the client. If your app is going to be hosted on Heroku, you can use their config vars (environment variables) to securely store and access your credentials for us in your production server.

 

Cheers,

Andrew | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

View solution in original post

Replies 2 (2)
Busfox
Shopify Staff (Retired)
Shopify Staff (Retired)
628 49 107

This is an accepted solution.

Hi @gdavisdesign,

 

I don't see an issue with your approach. Just make sure, as you said, you're not exposing any of your credentials on the client. If your app is going to be hosted on Heroku, you can use their config vars (environment variables) to securely store and access your credentials for us in your production server.

 

Cheers,

Andrew | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

gdavisdesign
Tourist
5 0 0

Hello @Busfox ,

Thank you for the advice – I'll use the config vars.

 

Thanks!