Main issue: securely identifying the logged-in customer in Shopify App Proxy requests. Historically, developers relied on insecure query-based workarounds because cookies/most headers are stripped by the proxy.
Proposed/attempted approaches:
HMAC-based query auth (prefer SHA-256 over MD5), but Liquid's cached 'now' makes time-based schemes unreliable.
JWTs via custom customer create/login flows; some consider this unsuitable/insecure vs. a Shopify-supported mechanism.
Shopify update:
Introduced a beta, then rolled out logged_in_customer_id as a query parameter on App Proxy requests. Initial July 2022 release was reverted due to a bug; later fixed and docs updated.
Current behavior (per docs and reports):
logged_in_customer_id is appended to the forwarded query when a customer is logged in; empty otherwise.
Even when empty, it's included in sorted_params and signature calculation.
Cookies aren't forwarded; many headers are disallowed; X-Forwarded-For is added.
Ongoing issues:
Some developers receive empty logged_in_customer_id despite logged-in sessions (notably with Hydrogen/Customer API) and encounter signature mismatches.
Others report it working (e.g., accessible as a query param in Laravel/Express).
Questions remain on how the proxy derives customer context without cookies and best practices for Hydrogen requests.
Status: Feature shipped; mixed results in the field. Discussion ongoing; further guidance/clarifications requested from Shopify.
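One way to verify an App Proxy request before trusting logged_in_customer_id, as an added Node.js example that is not code from this thread or from Shopify. It assumes the sorted_params scheme from Shopify's App Proxy documentation (HMAC-SHA256 over the sorted, concatenated parameters); the secret and query strings are constructed sample values.

```javascript
// Added example: verify an App Proxy signature, then read the customer ID.
const crypto = require('crypto');

// Build the signed string: every parameter except `signature`, written as
// "key=value" (repeated keys joined with ","), sorted, joined with no separator.
// An empty logged_in_customer_id stays in the string as "logged_in_customer_id=".
function sortedParams(query) {
  const grouped = new Map();
  for (const [key, value] of new URLSearchParams(query)) {
    if (key === 'signature') continue;
    grouped.set(key, [...(grouped.get(key) || []), value]);
  }
  return [...grouped].map(([k, v]) => `${k}=${v.join(',')}`).sort().join('');
}

function sign(query, secret) {
  return crypto.createHmac('sha256', secret).update(sortedParams(query)).digest('hex');
}

// Returns { valid, customerId }. customerId is null for anonymous visitors and
// is never taken from a request whose signature did not verify.
function verifyProxyRequest(query, secret) {
  const params = new URLSearchParams(query);
  const given = Buffer.from(params.get('signature') || '', 'utf8');
  const expected = Buffer.from(sign(query, secret), 'utf8');
  // timingSafeEqual throws on unequal lengths, so check length first.
  const valid = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  if (!valid) return { valid: false, customerId: null };
  return { valid: true, customerId: params.get('logged_in_customer_id') || null };
}

// Constructed sample data (not real shop values).
const SHARED_SECRET = 'example-shared-secret';
const base = 'shop=example.myshopify.com&path_prefix=%2Fapps%2Fdemo&timestamp=1700000000';
const anonymous = `${base}&logged_in_customer_id=`;
const loggedIn = `${base}&logged_in_customer_id=1234567890`;
const signedAnonymous = `${anonymous}&signature=${sign(anonymous, SHARED_SECRET)}`;
const signedLoggedIn = `${loggedIn}&signature=${sign(loggedIn, SHARED_SECRET)}`;
// A signed anonymous URL with a customer ID pasted in afterwards must be rejected.
const tampered = signedAnonymous.replace('logged_in_customer_id=', 'logged_in_customer_id=999');

console.log(verifyProxyRequest(signedLoggedIn, SHARED_SECRET));
console.log(verifyProxyRequest(signedAnonymous, SHARED_SECRET));
console.log(verifyProxyRequest(tampered, SHARED_SECRET));
```

A framework or middleware that drops empty query parameters before the check changes the signed string, which is one way to end up with the signature mismatches reported for anonymous requests.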
Today I would like to raise a question that remains unanswered. The question is:
How can we identify customers in our embedded Proxy App?
Shopify currently has no common solution for this problem, though the community has asked this question many times. Here are just a couple of posts on this forum I found, with the dates they were posted:
After I did the research, I realized that at the moment there is no solution in Shopify for this, and I decided to look for a solution on the Internet. I found an article, Securing customer pages with a Shopify app proxy, by Gavin Ballard. As the application prohibits the use of cookies and headers for security reasons, developers must find a solution on their own. Because of all the limitations, the only solution is Query Based Auth, but in this way we leave a huge security hole in our application. Gavin has a great solution, but even with all the securing methods we still have this hole. At the end of the article he proposes a safer and better solution for this problem.
> With every proxied request Shopify passes along to your application, it adds a shop query parameter to help your application identify the store the request is coming from.
>
> In addition to this, Shopify could pass along the ID of any customer that's currently logged in to the storefront, either along with the shop parameter in the query string or as a custom HTTP header (perhaps X-Shopify-Customer-Id).
>
> Doing this would greatly simplify the authentication progress for all customer pages where it's required that a customer is logged in to their account. Pages that require authentication without a customer login (such as order tracking pages) would still need to use a URL-based method, but it would be possible to reduce the risk of information leakage by doing something like still requiring a customer account login after a certain amount of time has passed.
And I agree with him. I decided to contact the developers and this is what they said:
They are aware of this being requested, and will look into implementing this in the future. If we see enough demand over existing development projects, and if we see more requests come in for the same solution from other developers this will increase the priority of the feature being implemented.
I urge all application developers who develop Shopify applications to support me and store owners who want to protect their users' data in the Proxy App from being stolen. I am always open for discussion and will be glad to talk about this with other developers and members of the Shopify community.
I am also dumbfounded as to why this is not in Shopify yet.
If you use a solution like Gavin Ballard's I would however strongly suggest to use hmac_sha256 instead of md5.
If you could combine this with the current time, one could have a valid authenticating solution, similar to Javascript Web Tokens.
Sadly, the current way to get the time server-side in Liquid is this:
{{'now' | date: '%s' }}
And it does not give the current time, but due to caching it will give the last time the template was rendered by Shopify. So it's not usable for authentication.
Hi. This solution does not suit my needs. Everything must be done on the Shopify and app backends, because otherwise it is not secure for customers. The best solution is to add a header on the Shopify request like customer-id, but the developers' response is that they have more important things to do.
Did you also read the part about proxying the create customer?
I do it like this: when clicking create customer, I send a POST request via JavaScript to create a customer to my app instead of submitting to Shopify.
My app creates the customer on the Shopify Admin API and then creates a JSON Web Token for the customer id and returns it to the customer.
This token can be saved and sent with every request to my app.
When the user logs in, first the frontend JavaScript also does a request to my app, with the username / password. My app does a request to the Storefront API (doesn't share this info with the frontend) to see if it's a valid customer. After this it also creates a token with the customer id and sends it to the frontend.
I think this is a more secure way.
(the create a customer form in liquid is now a login form so the customer is logged in after creating).
It is also a bad solution, because, for example, API controllers cannot be done with JavaScript. It is preferable to use Shopify-supported things that cannot be exploited by hackers, because they are automatically added by Shopify.
I use Gavin Ballard's solution right now, and add query params using JavaScript if I need to identify the user. For users without JavaScript enabled I just render a noscript tag with info that the app requires JavaScript. I use Yii2 on the backend of my app, so I write controllers that support Liquid responses and a customer AuthClass that uses the X-Loggined-Customer header. It also wraps every Liquid response in an if statement to check everything in Liquid. I do something like this right now, but in every request I need to pass the right signature and customer_id in the GET params. The URLs do not look good, but this is the most secure solution for now.
I also need this feature as I don't have control over the Shopify store where my proxy app is installed. I specifically need the email or customer id of a logged-in user. Hope Shopify does something about this.
Seconding that Shopify needs to implement a secure solution to this problem. All it would take is for them to forward the customer id as a query parameter or in the headers on the initial proxy request.
Shopify here with an update - we're looking for interested partners to sign up for a beta that will include the Customer ID for logged in customers as a parameter in the forwarded query for App Proxy Requests.
Folks that are interested in this beta can contact Partner Support to express interest via their Partner Dashboard here
I am not seeing the new logged_in_customer_id parameter in the forwarded app proxy requests as of 7/7/22. Also the app proxy specifications and documentation have not been updated to mention it: