Shopify - Making An API Request To Update User's Email

Using the Shopify Admin API - I've been able to update a user's email address.

I've tested it with Postman, passing in a private app secret key.

Now I want to have this functionality on an actual page however have some questions:

  • I can't exactly store those private app keys in the JS code of the page itself, as anyone would see them. Neither can I send a request with them, as again anyone would have visibility.
  • Is it possible to create some sort of intermediary where I could make some sort of endpoint like POST /update/useremail, sending across a customer ID?
  • If the above is possible - I'm not sure how I could avoid any random person hitting that endpoint and updating other users' email addresses.

Has anyone had any experience/ideas/suggestions for a simple way to do this?

Any help appreciated.

Issue: Your issue here is that you want to verify whether the email change request is a valid call or not. Then, if you find it valid, you make the API call to update it.

My Solution
Create a page in Shopify with your form to update the email. Show the page only to logged-in users. When a user lands on the page, show them the form to pass the new email they want. This is where you need to add a few things so as to validate the requests. When the page loads, create a hashed string from the Shopify backend like below.

{% if customer != nil %}
  {% comment %} epoch time stamp; the customer's current (old) email is the hash input {% endcomment %}
  {% assign timestamp = 'now' | date: "%s" %}
  {% assign token = customer.email | append: '<random_string>' | append: timestamp | sha256 %}
  token = "{{ token }}";
  timestamp = "{{ timestamp }}";
{% endif %}

Whenever a request is made for a change of email, validate the SHA256 code at your end by creating a hash on your server. If the hash is valid, update the email. Make sure you pass the timestamp and old email in the request you make.

Security issues you need to take care of -

  1. You always need to validate the timestamp. For example, it should not be 10 secs in the future or 10 secs in the past.
  2. Your random string can also be brute-forced. So keep updating the random string regularly using the Assets API. It is very unlikely, but why take the risk.