I want to create an app for my shop right now. We combine this shop with our blog, so we show our blog articles on one page. Each blog article should have custom information, like a special short title to show in the app or a product which should be promoted in the article. So I stored this information with an app as custom metafields.
I can access those custom metafields by using the Admin API. But Shopify recommends not using the Admin API in an app because the API key and password would be readable in the app code. Shopify recommends using the Storefront API.
So I was looking into the Storefront API documentation and tried it. I only have one problem: I do not know how I should read the metafields for a blog article. Is this even possible with the Storefront API? If not, is there a way recommended by Shopify to handle this case? I am thinking of using the Admin API anyway with only read access for store content. Is there anything in the store content nobody except us should be able to read? The only other solution I can think of right now is to create our own backend and retrieve all information from that place. But maybe there is a Storefront solution I can’t think of right now.
Okay, so it is definitely not possible if I use the Storefront API.
If I use the Admin API and save the credentials in my application, what are the specific security issues? I would only give those credentials content_read access, not more.
One thing you can read with those credentials is hidden articles. Is there more that someone with those credentials is able to read which they wouldn’t be able to with Storefront API credentials?
It is correct that currently Storefront API users are not able to access metafields on any objects aside from Product & ProductVariant, as specified in our documentation.
In general we would not recommend accessing the Shopify Admin API via the storefront app as this exposes a number of potential security risks. Storing your API credentials in your application (i.e. your storefront) would make these credentials visible to the browser (and users) which poses the risk of malicious users accessing these credentials and using them to change the scope of permissions that you have set for your application. This would create the risk of your private data from your admin dashboard being exposed.
To make metafields accessible to your storefront, one suggestion is to develop a private application that works as a proxy server to retrieve metafields from your Shopify Admin Dashboard and makes them available via an endpoint created in your private application. This would prevent you from needing to use your API credentials in your storefront.
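The proxy pattern described in the answer above, as an added example that is not code from the thread or from Shopify: a read-only endpoint that keeps the Admin API token on the server and hands the storefront app only one namespace of article metafields. The REST path, the API version string, the `app_blog` namespace and the placeholder shop and token are assumptions; Node.js 18+ is assumed for the global `fetch`.

```javascript
// Build the Admin API URL for one article's metafields (path is an assumption;
// check it against the Admin REST reference for the version you target).
function metafieldsUrl(cfg, articleId) {
  return `https://${cfg.shop}/admin/api/${cfg.version}/metafields.json` +
    `?metafield[owner_resource]=article&metafield[owner_id]=${articleId}`;
}

// Accept only a plain numeric article id; anything else never reaches the URL.
function parseArticleId(pathname) {
  const m = /^\/articles\/(\d{1,20})\/metafields$/.exec(pathname);
  return m ? m[1] : null;
}

// Keep only the namespace the app is allowed to see. Everything else stored on
// the article (other apps' data, internal notes) is dropped before it leaves the proxy.
function publicMetafields(adminResponse, namespace) {
  const out = {};
  for (const mf of adminResponse.metafields || []) {
    if (mf.namespace === namespace) out[mf.key] = mf.value;
  }
  return out;
}

// Framework-agnostic handler: returns { status, body } so it can be mounted in
// Express, a serverless function or plain http.createServer.
// fetchImpl is injectable so the handler can be exercised without network access.
async function handle(pathname, cfg, fetchImpl = fetch) {
  const articleId = parseArticleId(pathname);
  if (articleId === null) return { status: 404, body: { error: "not found" } };
  const res = await fetchImpl(metafieldsUrl(cfg, articleId), {
    // The token is read from the server's environment and never sent to the client.
    headers: { "X-Shopify-Access-Token": cfg.token, Accept: "application/json" },
  });
  if (res.status === 404) return { status: 404, body: { error: "not found" } };
  // Do not forward Shopify's error body: it may echo request details to the client.
  if (!res.ok) return { status: 502, body: { error: "upstream error" } };
  return { status: 200, body: publicMetafields(await res.json(), cfg.namespace) };
}

// Example configuration (constructed placeholders; real values belong in the
// proxy's environment, never in the storefront app bundle).
const exampleConfig = {
  shop: "example.myshopify.com",
  version: "2024-04",
  token: process.env.SHOPIFY_ADMIN_TOKEN || "PLACEHOLDER_TOKEN",
  namespace: "app_blog",
};
```

The storefront app then calls only the proxy's `/articles/<id>/metafields` route, so the Admin credentials, the hidden articles and every other namespace stay behind the server.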