So I’m creating an app where I want the shop owners to store some information in the app (e.g. html code that gets loaded via a script tag into the shop). That means when a shop owner installs the app they get an edit code field within the app. The code they’re editing is then stored into a database. How would I prevent another app user (or malicious third party) to edit any shops html code? My understanding is that unless I have any form of user creation process, everybody who figures out the backend endpoint could just send a request to it (using a shop origin that is not theirs) and edit the html code of every shop.
And further if I have a user creation form within the app couldn’t that be exploited as well? E.g. Malicious party figures out where the sign-up endpoint is and creates a user linked to a shop that is not theirs so now they have access to the edit code endpoint?
I hope somebody can help me clarify this since I’m not sure if I understand it correctly.
Thanks
