Shopify App Proxy: Send Customer Data Or Only Customer ID

- 1 answer

I need to get customer first and last names and email address for the server side logic.

As I see it there are 2 options:

  1. Form submit with the data in the body of the request to the proxied URL
  2. GET request to the proxied URL with the customer ID in the URL, then using the shopify API to get all customer's info

I tend to use option #1 as it saves a call to Shopify, I will send the data over https.

How would you suggest doing so?



If you are submitting to a proxy form you should check out Gavin Ballard's post about validating the customer with a hash.

I do something similar where I respond to the app proxy get with application/liquid. See the reqHash field in the sample below. This processed through ejs whose tags don't conflict with liquid for any dynamic values:


{% if customer %}
    <input name="firstName" id="firstName" type="hidden" value="{{customer.first_name}}">
    <input name="lastName" id="lastName" type="hidden" value="{{customer.last_name}}">
    <input name="defaultAddr" type="hidden" value="{{ }}">
    <input type="hidden" name="custid" value="{{}}">
    <input type="hidden" name="reqHash" value="{{ | append: '<%= custSecret %>' | md5}}"> 

    <div class="form-group">
        <label for="emailAddress">Email</label>
        <input name="emailAddress" id="emailAddress" type="text" value="{{}}" placeholder="Email">

{% else %}

<div class="form-group">
    <label for="firstName">Name</label>
    <input name="firstName" id="firstName" type="text" value="" placeholder="First Name">
    <input name="lastName" id="lastName" type="text" value="" placeholder="Last Name">
<div class="form-group">
    <label for="emailAddress">Email</label>
    <input name="emailAddress" id="emailAddress" type="text" value="" placeholder="Email">

<div class="form-group">
    <label for="CreatePassword" class="hidden-label">Password</label>
    <input type="password" name="customer[password]" id="CreatePassword" class="input-full" placeholder="Password">
{% endif %}

and then validate the reqHash when the form is posted.

Responding to a comment:

The question is what are you trying to keep secret from who. The customer already knows their info. Shopify maintains the session so they trust the info is associated with the correct id. SSL is a secure transport so the customer info is only clear in the browser. The hash lets the app be sure that the customer info is associated with the correct id. It’s the app’s way to verify the login. Otherwise a bad actor can send arbitrary info to the app. The poster who wrote they’d look up the customer info from the id still needs to verify the id so that they know they have the correct id of a valid logged in customer.

In fact since I wrote this 2016 I’ve started hashing all the info that I’m including in the hidden inputs.

The hash protects your app from hackers and bored script kiddies.