I am creating a link inside of an admin block that will take a user to the product page. Inside of the query string I am appending the user id of the logged in staff member. I will be using this to load extra script on the page. I want to encrypt this id and then decrypt it later when requesting data via an app proxy. How can I encrypt/decrypt inside of an admin block and an extension?
Hi @midavis
To encrypt and decrypt the user ID securely within an admin block and extension in Shopify, you can use cryptographic techniques provided by Node.js or Ruby, depending on your tech stack. Here’s a straightforward way to achieve this:
Encrypt/Decrypt Logic
A. Using Node.js (for Admin Block/Extension)
Encryption and Decryption Example:
```javascript
const crypto = require('crypto');

// Replace with your secret key (keep this secure and consistent).
// aes-256-cbc needs a 32-byte key, supplied here as 64 hex characters.
const SECRET_KEY = process.env.SECRET_KEY;
const ALGORITHM = 'aes-256-cbc';
const IV_LENGTH = 16; // Initialization vector length

// Encrypt function: returns "<iv hex>:<ciphertext hex>"
function encrypt(text) {
  const iv = crypto.randomBytes(IV_LENGTH);
  const cipher = crypto.createCipheriv(ALGORITHM, Buffer.from(SECRET_KEY, 'hex'), iv);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return iv.toString('hex') + ':' + encrypted;
}

// Decrypt function: expects the "<iv hex>:<ciphertext hex>" format produced by encrypt()
function decrypt(encryptedText) {
  const parts = encryptedText.split(':');
  const iv = Buffer.from(parts[0], 'hex');
  const encryptedData = parts[1];
  const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(SECRET_KEY, 'hex'), iv);
  let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}

// Example Usage
const userId = "12345";
const encryptedId = encrypt(userId);
console.log("Encrypted ID:", encryptedId);
const decryptedId = decrypt(encryptedId);
console.log("Decrypted ID:", decryptedId);
```
Steps to Use:
1. Include the above logic in your admin block or app backend.
2. When creating the link, call the encrypt() function with the user ID.
3. Append the encrypted ID to the query string.
Example:
```javascript
const encryptedId = encrypt(userId);
const productPageLink = `/products/12345?staff_id=${encryptedId}`;
```
4. When decrypting (e.g., in your app proxy request), use the decrypt() function to decode the ID.
B. Using Ruby (for App Proxy/Shopify App)
If your app is built with Ruby on Rails, you can use the ActiveSupport::MessageEncryptor for encryption and decryption.
```ruby
require 'active_support'
require 'active_support/core_ext'

# Replace with your secret key (32 bytes)
SECRET_KEY = 'your_secret_key_here'
SALT = 'your_salt'

# Create the encryptor (a constant, so the methods below can reach it)
KEY = ActiveSupport::KeyGenerator.new(SECRET_KEY).generate_key(SALT, 32)
ENCRYPTOR = ActiveSupport::MessageEncryptor.new(KEY)

# Encrypt function
def encrypt(user_id)
  ENCRYPTOR.encrypt_and_sign(user_id)
end

# Decrypt function
def decrypt(encrypted_id)
  ENCRYPTOR.decrypt_and_verify(encrypted_id)
end

# Example Usage
user_id = "12345"
encrypted_id = encrypt(user_id)
puts "Encrypted ID: #{encrypted_id}"
decrypted_id = decrypt(encrypted_id)
puts "Decrypted ID: #{decrypted_id}"
```
Steps to Use:
- Encrypt the user ID when creating the product page link.
- Pass the encrypted ID as part of the query string.
- Decrypt the ID securely in the app proxy when handling the request.
Best Practices
- Store Secrets Securely: Use environment variables to store the SECRET_KEY and avoid hardcoding it in your code.
- Use HTTPS: Ensure all links and data transmissions are over HTTPS for secure transport.
- Validate User ID: When decrypting the user ID, validate it against your database to prevent tampering.
Link Example
When generating the link:
```javascript
const productPageLink = `/products/12345?staff_id=${encryptedId}`;
```
When processing the query string in your app:
- Extract staff_id.
- Decrypt it using the corresponding decrypt function.
If you need any other assistance, feel free to reply and I will try my best to respond.
Best regards,
Daisy
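An authenticated variant of the Node.js approach in the answer above, as an added example that is not part of the original post: AES-256-GCM makes a modified `staff_id` fail at decrypt time instead of decrypting to different bytes, and an issue timestamp limits how long a copied link stays usable. The function names, the `STAFF_TOKEN_KEY` variable and the 5-minute lifetime are assumptions for illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// Assumption: a 32-byte key shared by the admin-block backend and the app proxy,
// supplied as 64 hex characters in STAFF_TOKEN_KEY (hypothetical variable name).
// A random key is generated here only so the example runs stand-alone.
const KEY = process.env.STAFF_TOKEN_KEY
  ? Buffer.from(process.env.STAFF_TOKEN_KEY, 'hex')
  : randomBytes(32);
const MAX_AGE_MS = 5 * 60 * 1000; // constructed value: tokens expire after 5 minutes

// Seal the staff ID with AES-256-GCM. Layout: 12-byte nonce | 16-byte tag | ciphertext,
// base64url-encoded so it can be placed in a query string without escaping.
function sealStaffId(staffId, now = Date.now()) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', KEY, iv);
  const body = JSON.stringify({ id: String(staffId), iat: now });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Returns the staff ID, or null if the token is malformed, modified, or expired.
function openStaffId(token, now = Date.now()) {
  try {
    const raw = Buffer.from(String(token), 'base64url');
    if (raw.length < 12 + 16 + 1) return null; // too short to hold nonce, tag and data
    const decipher = createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12),
      { authTagLength: 16 });
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { id, iat } = JSON.parse(body.toString('utf8'));
    if (typeof id !== 'string' || typeof iat !== 'number') return null;
    if (now - iat > MAX_AGE_MS) return null; // link is older than the allowed lifetime
    return id;
  } catch {
    return null; // final() throws when the authentication tag does not match
  }
}

// Constructed sample values: build the link, then read it back as the app proxy would.
const token = sealStaffId('12345');
const link = `/products/12345?staff_id=${token}`;
const received = new URL(link, 'https://example.com').searchParams.get('staff_id');
console.log(link, '->', openStaffId(received));
```

A `null` result should be handled as an unauthenticated request; the returned ID still needs the database lookup the answer recommends.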