With Shopify OAuth, Do I still need to setup authentication to my database?

AppBuilder
Tourist

I am new to development and was wondering if setting up authentication with JWT is necessary for my database or will Shopify OAuth be sufficient?

My app will only be embedded in Shopify.

Greg_Kujawa
Shopify Partner

The Shopify OAuth process (in regard to a third party app) involves the Shopify shop user granting your app access to the specified scope of Shopify's dataset. Usually a key step when the app is installed for that Shopify shop. But it doesn't necessarily secure your own external database from the outside world.

If your app's underlying database is accessible to the outside world, then you would still need to secure access to it. Using JWTs is one way you could accomplish this, but the token acquisition process would be visible to a certain degree to the Shopify user via their web browser. So any potential "bad guy" could just view source on the web browser session to determine how to grab a JWT outside of Shopify. You could look at request headers to see what the referrer appears to be, what the origin appears to be, etc. But then again, the "bad guy" could just stuff those same acceptable values in headers impersonating a Shopify user's session.

As I responded in another thread on here just today, I'd recommend looking into creating an app proxy from Shopify over to your side, and using HMAC signature validation as the basis of allowing/denying access. That was the best solution that I came up with working with similar scenarios.

Hope this helps!

AppBuilder
Tourist

Hi @Greg_Kujawa,

Just back to developing apps again and found your response from long ago.

> If your app's underlying database is accessible to the outside world, then you would still need to secure access to it. Using JWTs is one way you could accomplish this, but the token acquisition process would be visible to a certain degree to the Shopify user via their web browser. So any potential "bad guy" could just view source on the web browser session to determine how to grab a JWT outside of Shopify. You could look at request headers to see what the referrer appears to be, what the origin appears to be, etc. But then again, the "bad guy" could just stuff those same acceptable values in headers impersonating a Shopify user's session.

  1. Aren't all JWT acquisition processes visible to the users, whether it is a Shopify app or not, since they are stored in Local Storage? They will be able to tell when I request them to sign into my app. If the credentials entered match my server, then I send them a JWT.
  2. So if I go this route, I have no choice but to have users sign into my app. I don't remember seeing most apps having a sign-in page. Not sure how other Shopify apps authenticate to their own database without a password or sign-in page.
  3. How can a "bad guy" view the source on the web browser session (the "bad guy" would need to get into the Shopify user's store first)? Are you talking about an XSS attack?
  4. The JWT is going to be sent on every request in the headers and is visible in local storage.
  5. Anyone can change the values of the payload in a JWT, but the signature is uniquely created for the value in the payload. So if someone changes the value of the payload, the signature won't match and the malicious JWT will fail verification on my API server.

> As I responded in another thread on here just today, I'd recommend looking into creating an app proxy from Shopify over to your side, and using HMAC signature validation as the basis of allowing/denying access. That was the best solution that I came up with working with similar scenarios.

I was looking into the app proxy and unfortunately am not sure how to implement it.

> Hope this helps!

Yes, thanks!
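As an added illustration of the app-proxy approach Greg recommends (and which the follow-up says is unclear how to implement), here is an example backend check written for this thread, not code from either poster or from Shopify. It verifies the `signature` query parameter Shopify appends to proxied requests, so the server grants access because Shopify vouched for the request and shop, not because the browser presented a token. The secret, the sample query, the 300-second freshness window and the `verify_app_proxy`/`sign_query` names are this example's own assumptions.

```python
# Shopify forwards /apps/<subpath>/... requests to the app's proxy URL and
# appends shop, path_prefix, timestamp and a `signature` query parameter.
# The signature is HMAC-SHA256, keyed with the app's shared secret, over all
# other query parameters sorted by name and joined as key=value with no
# separator (a repeated key becomes one comma-separated value), hex-encoded.
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

# Placeholder secret (assumption): the real value is the app's API secret key
# and must stay on the server, never in browser-visible code.
SHARED_SECRET = "hush"


def canonicalize(params: dict) -> str:
    """Rebuild the string Shopify signs from parse_qs-style parameters."""
    parts = [f"{k}={','.join(v)}" for k, v in params.items() if k != "signature"]
    return "".join(sorted(parts))


def verify_app_proxy(query: str, secret: str, now: Optional[float] = None,
                     max_age: int = 300) -> Optional[str]:
    """Return the verified shop domain, or None if the request is not a
    genuine, fresh app proxy request."""
    params = parse_qs(query, keep_blank_values=True)
    given = params.get("signature", [""])[0].encode()
    expected = hmac.new(secret.encode(), canonicalize(params).encode(),
                        hashlib.sha256).hexdigest().encode()
    # Constant-time compare so a forger learns nothing from response timing.
    if not hmac.compare_digest(given, expected):
        return None
    # Freshness check is this example's own addition, not a Shopify rule:
    # without it a captured signed URL stays replayable as long as the secret lives.
    now = time.time() if now is None else now
    try:
        ts = int(params["timestamp"][0])
    except (KeyError, ValueError):
        return None
    if abs(now - ts) > max_age:
        return None
    return params.get("shop", [None])[0]


def sign_query(query: str, secret: str) -> str:
    """Sign a query the way Shopify does; used only to build sample input."""
    digest = hmac.new(secret.encode(), canonicalize(parse_qs(query, keep_blank_values=True)).encode(),
                      hashlib.sha256).hexdigest()
    return f"{query}&signature={digest}"
```

A request whose `shop` value has been edited, whose signature was made with another secret, or whose timestamp is outside the window all come back as `None`, so the handler can key database access solely on the returned shop domain.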
