I’ve been searching for this for a while and have been completely stumped. I have some Python software I’ve developed that I need to run on a server. I want to use Shopify to handle the account registration/login and the billing. I want to sell access to my subscription software monthly.
I want to then have a way for my users to login to their account on the Shopify site, then either send them over to a subdomain to use my Python software or just use ajax with a RESTful API to display it directly on a page within the Shopify site.
But in order to do that securely, I need to make sure that the client accessing the Python server is who they say they are. I need to make sure that they’re logged in on the Shopify site (i.e. I need some way to authenticate them) and I also need to make sure that they have a valid subscription that isn’t expired.
How can I do this? I’ve been Googling and searching on this forum for ages and haven’t found anything. Please help.
Thanks for your reply and offer to help. Appreciate it. Especially on x-mas day!
If it's that complicated I will pass however and wait for a good solution from the vendor. Thanks again and best wishes for 2020.
@Breisoft would you care to share the solution with me? I followed the link you posted but it is from 2013 and most of the links and wiki articles referenced do not exist anymore.
@boethius Sure. I use Liquid to load the customer id, then I send them with a POST request to my server containing their customer id (using a JavaScript click to do it automatically). I then create a random authentication token and store it as a Metafield in their Customer object via the Shopify API. After that, I forward them back to the Shopify website, which then loads the customer id again and the new authentication token from their metafield, and I use another POST request containing their customer id and the authentication token back to my website again, which then confirms that the authentication token is correct. If you do this, you’ll need to make sure that CSRF verification is turned off on your web server for that page because these POST requests will be made from another domain.
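The token round-trip in the post above, written out as an added Python example (not code from the poster or from Shopify): the in-memory metafield store, the subscription set, the token lifetime and the namespace/key names are all assumptions standing in for the Shopify Admin API and a real billing lookup.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300          # assumed: token must be redeemed within 5 minutes
METAFIELD_NAMESPACE = "extapp"   # assumed namespace/key of the customer metafield
METAFIELD_KEY = "auth_token"

# Constructed stand-ins: a real deployment writes the token to the customer's
# metafield through the Shopify Admin API and checks the subscription in billing.
_metafields = {}                  # customer_id -> {"token": str, "issued": float}
_active_subscriptions = {"1001"}  # customer ids with a current, unexpired plan


def issue_token(customer_id, now=None):
    """Step 1: the shop page POSTs the Liquid-loaded customer id here.
    Create an unguessable token and store it on the customer's metafield;
    the caller then redirects the browser back to the shop."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _metafields[customer_id] = {"token": token, "issued": now}
    return token


def read_metafield(customer_id):
    """What the Liquid template sees after the redirect
    (customer.metafields.<namespace>.<key>); None if nothing was issued."""
    entry = _metafields.get(customer_id)
    return entry["token"] if entry else None


def verify_token(customer_id, presented, now=None):
    """Step 2: the page POSTs customer id + metafield token back.
    Accept only if the token is fresh, matches in constant time, and the
    customer has an active subscription. Tokens are single use."""
    now = time.time() if now is None else now
    entry = _metafields.get(customer_id)
    if entry is None or presented is None:
        return False
    if now - entry["issued"] > TOKEN_TTL_SECONDS:
        _metafields.pop(customer_id, None)      # expired: discard
        return False
    if not hmac.compare_digest(entry["token"], presented):
        return False
    _metafields.pop(customer_id, None)          # consumed on success
    return customer_id in _active_subscriptions


def run_flow(customer_id, now=None):
    """Both POSTs back to back, as the browser performs them."""
    issue_token(customer_id, now)
    return verify_token(customer_id, read_metafield(customer_id), now)
```

Binding the two functions to the two POST routes and issuing the redirect back to the shop are framework-specific and left out here.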
@Breisoft would you be able to supply or point me to more details of how and where you are using Liquid to load the customer id, sending the POST etc. and then also what technology you are using on the app side to interact with Shopify. I have a Shopify website and an external app written in Angular. My plan is to have the customer sign into the Shopify website and then use those credentials to authenticate on the external Angular app.