Hello everyone,
I'm developing an app that holds secured information (software licenses in my case) which is stored on a 3rd party API Service (say Google Firebase API). On the logged in user account page, I want to perform a SECURED request to my service, to list information stored on the 3rd party service.
The way I expect it to work would be that (for example) a logged in user would have a session token that I can authenticate over my API by performing a private API request to Shopify Admin REST API. So from the liquid template I would perform a request to: `https://api.3rdpartyservice.com/my_licenses` with `{ token: << logged in session token >> }` and over the API side, I would verify the validity of the token to decide what sort of response is needed.
So, when a logged-in customer navigates to: `https://myshop.myshopify.com/account`, a request would be generated to: `https://api.3rdpartyservice.com/my_licenses` with info which will allow me to validate the customer and to respond with this private information.
Just to confirm. I'm not talking about a private merchant app that is viewed on the `myshopy.myshopify.com/admin/apps` page, but about PRIVATE information I would like to display SECURELY on the site/template/frontend for logged in customers. I could not find any information regarding this kind of functionality anywhere in the documentation and would like to know if that's possible.
Thanks in advance!
This is an accepted solution.
For whoever is googling this question in the future, I found a solution.
For unsecured public API calls (say latest tweets from the Twitter API), nothing stops you from including any sort of `<script>` tag on the store front end. The question is how do you perform a secured private API request while not exposing secrets on the frontend. Shopify's solution is using App Proxies. So, the front-end store will perform a request to say `https://my_awesome_store.myshopify.com/app/my_private_request` and this request will be proxied to a private request between the store backend and your private API. On your private API endpoint, you should validate the request, which includes a SHA-256 HMAC digital signature.
More info here:
https://help.shopify.com/en/api/guides/application-proxies
Notice 1: It took me a second to find the App proxy menu, which is not enabled by default on an app. Look for "Manage extension areas" on the app settings page.
Notice 2: Your response could be an HTML Liquid template, not just an XML/JSON response, which I find very useful.
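The signature check that the accepted answer refers to, as an added Python example that is not part of the original post. It follows the scheme in Shopify's app proxy documentation (each query parameter as `key=value`, sorted, concatenated, HMAC-SHA256 with the app's shared secret); the secret, the sample values, the function names and the five-minute freshness window are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

SECRET = "constructed-app-secret"  # constructed; the real value is the app's shared secret

def _sign(params, secret):
    # "key=value" per parameter (multiple values joined by ","), sorted,
    # concatenated with no separator, then HMAC-SHA256 as a hex digest.
    message = "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()

def verify_app_proxy_request(query_string, secret, max_age=300, now=None):
    """Return the verified parameters, or None if the request must be rejected."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [])
    if len(supplied) != 1:
        return None
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(_sign(params, secret).encode(), supplied[0].encode()):
        return None
    # Freshness window (an assumption of this example): limits replay of a captured URL.
    try:
        age = (time.time() if now is None else now) - int(params["timestamp"][0])
    except (KeyError, ValueError):
        return None
    if abs(age) > max_age:
        return None
    return {k: ",".join(v) for k, v in params.items()}

def build_signed_query(fields, secret):
    # Demo helper only: produces a query string signed the way the proxy would sign it.
    signature = _sign({k: [v] for k, v in fields.items()}, secret)
    return urlencode({**fields, "signature": signature})

# Constructed sample request; parameter names follow Shopify's app proxy documentation.
FIELDS = {
    "shop": "my_awesome_store.myshopify.com",
    "path_prefix": "/app",
    "timestamp": "1700000000",
    "logged_in_customer_id": "1234567890",
}

if __name__ == "__main__":
    query = build_signed_query(FIELDS, SECRET)
    print(verify_app_proxy_request(query, SECRET, now=1700000060))
    tampered = query.replace("1234567890", "9999999999")
    print(verify_app_proxy_request(tampered, SECRET, now=1700000060))
```

Only values returned by a successful verification should be used to decide which customer's data to return; anything read from the raw query string before the check is untrusted.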
Hi @eladg
I am virtually in the same situation you are/were. Our store requires customers to log in, and I then want to show secure information on a page within Shopify that was fetched from a 3rd party API.
You said your solution was App Proxies. I was wondering if you would be able to explain how you've implemented your solution, as I can't seem to wrap my head around how the proxy will work.
On Shopify's end, what does the "request to the proxy" look like? Is this something you implement in the page templates? And how do you pass the customer's auth token to your 3rd party endpoint?
Sorry if these are stupid questions, I am still learning my way around Shopify dev.
Thanks
Hello
App Proxy only sends the GET request, and I want to send a POST request to a third-party API, so how can I send it?
Hello @eladg
Also, this proxy only tells the third-party API whether the request is coming from Shopify or not, but there is no authorization for the request, such as for a specific customer's request. So if we implement it this way, there is a security issue, a breach of authorization, so please advise on this! Do you have any other solution? In this solution, is there any authorization mechanism for a request from Shopify with a particular customer?