Encrypt/Decrypt in a custom admin block / extension

Encrypt/Decrypt in a custom admin block / extension

midavis
Shopify Partner
9 0 0

I am creating a link inside of an admin block that will take a user to the product page.  Inside of the query string I am appending the user id of the logged in staff member.  I will be using this to load extra script on the page.  I want to encrypt this id and then decrypt it later when requesting data via an app proxy.  How can I encrypt/decrypt inside of an admin block and an extension?

Reply 1 (1)

DaisyVo
Shopify Partner
2848 342 399

 

Hi @midavis 

To encrypt and decrypt the user ID securely within an admin block and extension in Shopify, you can use cryptographic techniques provided by Node.js or Ruby, depending on your tech stack. Here's a straightforward way to achieve this:

Encrypt/Decrypt Logic

A. Using Node.js (for Admin Block/Extension)

Encryption and Decryption Example:

 

const crypto = require('crypto');

 

// Replace with your secret key (keep this secure and consistent)

const SECRET_KEY = 'your_secret_key';

const ALGORITHM = 'aes-256-cbc';

const IV_LENGTH = 16; // Initialization vector length

 

// Encrypt function

function encrypt(text) {

    const iv = crypto.randomBytes(IV_LENGTH);

    const cipher = crypto.createCipheriv(ALGORITHM, Buffer.from(SECRET_KEY, 'hex'), iv);

    let encrypted = cipher.update(text, 'utf8', 'hex');

    encrypted += cipher.final('hex');

    return iv.toString('hex') + ':' + encrypted;

}

 

// Decrypt function

function decrypt(encryptedText) {

    const parts = encryptedText.split(':');

    const iv = Buffer.from(parts[0], 'hex');

    const encryptedData = parts[1];

    const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(SECRET_KEY, 'hex'), iv);

    let decrypted = decipher.update(encryptedData, 'hex', 'utf8');

    decrypted += decipher.final('utf8');

    return decrypted;

}

 

// Example Usage

const userId = "12345";

const encryptedId = encrypt(userId);

console.log("Encrypted ID:", encryptedId);

 

const decryptedId = decrypt(encryptedId);

console.log("Decrypted ID:", decryptedId);

 

Steps to Use:

1-Include the above logic in your admin block or app backend.

2-When creating the link, call the encrypt() function with the user ID.

3-Append the encrypted ID to the query string.

Example:

 

const encryptedId = encrypt(userId);

const productPageLink = `/products/12345?staff_id=${encryptedId}`;

 

4-When decrypting (e.g., in your app proxy request), use the decrypt() function to decode the ID.

B. Using Ruby (for App Proxy/Shopify App)

If your app is built with Ruby on Rails, you can use the ActiveSupport::MessageEncryptor for encryption and decryption.

ruby

CopyEdit

require 'active_support'

require 'active_support/core_ext'

 

# Replace with your secret key (32 bytes)

SECRET_KEY = 'your_secret_key_here'

SALT = 'your_salt'

 

# Create the encryptor

key = ActiveSupport::KeyGenerator.new(SECRET_KEY).generate_key(SALT, 32)

encryptor = ActiveSupport::MessageEncryptor.new(key)

 

# Encrypt function

def encrypt(user_id)

  encryptor.encrypt_and_sign(user_id)

end

 

# Decrypt function

def decrypt(encrypted_id)

  encryptor.decrypt_and_verify(encrypted_id)

end

 

# Example Usage

user_id = "12345"

encrypted_id = encrypt(user_id)

puts "Encrypted ID: #{encrypted_id}"

 

decrypted_id = decrypt(encrypted_id)

puts "Decrypted ID: #{decrypted_id}"

 

Steps to Use:

  1. Encrypt the user ID when creating the product page link.
  2. Pass the encrypted ID as part of the query string.
  3. Decrypt the ID securely in the app proxy when handling the request.

Best Practices

  1. Store Secrets Securely: Use environment variables to store the SECRET_KEY and avoid hardcoding it in your code.
  2. Use HTTPS: Ensure all links and data transmissions are over HTTPS for secure transport.
  3. Validate User ID: When decrypting the user ID, validate it against your database to prevent tampering.

Link Example

When generating the link:

 

const productPageLink = `/products/12345?staff_id=${encryptedId}`;

 

When processing the query string in your app:

  • Extract staff_id.
  • Decrypt it using the corresponding decrypt function.

If you need any other assistance, feel free to reply and I will try my best to respond.
Best regards,
Daisy

Please let us know if our reply is helpful by giving it a Like or marking it as a Solution!

Avada SEO & Image Optimizer - The #1 SEO solution