I do not understand how security works with shopify apps. suppose I have a site that runs my app. I am building my app using the sample django app and pixelprinter app as examples.
so, if I do not have a token stored in my web session, I redirect to the login page where the user has to enter the store name. then I send an OAuth2 request to the shop and the user has to enter the password for the shop to install the app. this is clear to me.
suppose my app gets installed in to a shop. now, if I enter the same shop name in to my login screen, and it redirects to the shop, the shop will see that the app is already installed and won’t ask the user to enter the password. is this correct? at least it appears so.
so unless I implement an additional security for my app for users that visit it from outside of shopify, I have a security hole. correct? anyone can enter a shop name and if this shop happens to have my app installed then they will be able to see the data.
please clarify.
Even though you’ve authorized the app, any other person that enters in the URL would have to authenticate with Shopify before continuing as well.
Because you’ve already entered the shop name and logged in, your browser has a session, which makes it appear that there’s no logging in needed on subsequent requests when you enter the shop name again on your app. If you were to go to Shopify and logout (or try within another browser), and then enter the shop name, you’ll be redirected to the login page before you can continue.