shopify app proxy: send customer data or only customer ID

Question

I need to get customer first and last names and email address for the server side logic.

As I see it there are 2 options:

1. Form submit with the data in

Answer 1

If you are submitting to a proxy form you should check out Gavin Ballard's post about validating the customer with a hash.

I do something similar where I respond to the app proxy get with application/liquid. See the reqHash field in the sample below. This processed through ejs whose tags don't conflict with liquid for any dynamic values:

e.g.

{% if customer %}
    <input name="firstName" id="firstName" type="hidden" value="{{customer.first_name}}">
    <input name="lastName" id="lastName" type="hidden" value="{{customer.last_name}}">
    <input name="defaultAddr" type="hidden" value="{{ customer.default_address.id }}">
    <input type="hidden" name="custid" value="{{customer.id}}">
    <input type="hidden" name="reqHash" value="{{customer.id | append: '<%= custSecret %>' | md5}}"> 

    <div class="form-group">
        <label for="emailAddress">Email</label>
        <input name="emailAddress" id="emailAddress" type="text" value="{{customer.email}}" placeholder="Email">
    </div>

{% else %}

<div class="form-group">
    <label for="firstName">Name</label>
    <input name="firstName" id="firstName" type="text" value="" placeholder="First Name">
    <input name="lastName" id="lastName" type="text" value="" placeholder="Last Name">
</div>
<div class="form-group">
    <label for="emailAddress">Email</label>
    <input name="emailAddress" id="emailAddress" type="text" value="" placeholder="Email">
</div>

<div class="form-group">
    <label for="CreatePassword" class="hidden-label">Password</label>
    <input type="password" name="customer[password]" id="CreatePassword" class="input-full" placeholder="Password">
</div>
{% endif %}

and then validate the reqHash when the form is posted.

Responding to a comment:

The question is what are you trying to keep secret from who. The customer already knows their info. Shopify maintains the session so they trust the info is associated with the correct id. SSL is a secure transport so the customer info is only clear in the browser. The hash lets the app be sure that the customer info is associated with the correct id. It’s the app’s way to verify the login. Otherwise a bad actor can send arbitrary info to the app. The poster who wrote they’d look up the customer info from the id still needs to verify the id so that they know they have the correct id of a valid logged in customer.

In fact since I wrote this 2016 I’ve started hashing all the info that I’m including in the hidden inputs.

The hash protects your app from hackers and bored script kiddies.

Answer 2

1. implies you will possibly receive garbage. The incoming data means nothing since a bot could fill in a form and submit.

2. at least implies you have an actual logged in customer. If you have the ID you also have the email and name, from Liquid. If your Proxy call is from a script tag that has no access like that, you can send the customer ID from the secret customer ID cookie value, and yes, make an API call. That is not a big deal at all.