weixin_33695082 2017-09-14 10:06 采纳率: 0%
浏览 33


Basically my question is similar to this one:

How to secure php scripts?

with one slight difference, the other side is Shopify.

Background info: Shopify user bought some credits (Audible style), and wants to know how many he has available. He logs in into his account, and it says there that he has X credits.

That number comes from AJAX call to my server (I have full control), where there is a simple php script which checks the value in db (which is updated using webhooks from Shopify, each of which needs to be verified so they are secure, I think).

The script uses customers ID for a look up, and that value needs to be passed to the script somehow, and that allows someone external to just keep running it until he has all IDs and corresponding credits values.

So, my questions is, how do I stop that? How do I ensure that only authenticated users can check it, and only for their IDs.

There is plenty of info on Shopify docs about securing the connections the other way, i.e. to make sure only correct scripts have access to the Shopify db, but nothing about my problem.

As far as I know I only I only have access to JS on Shopify, which creates the problem, because everything I send to my server is visible to all.


EDIT: I just read up on CSRF. I can easily implement checks for origin and headers, but these can be faked, right?

EDIT 2: I got around this problem by using metafields. So, instead of storing all that info on my server's db, I just use Customer Metafields to store the available credits. Webhooks are secure so that's brilliant. It still doesn't solve a problem with the next stage though. Customers will still need to be able to use their credits and get digital products, which are generated by my server. So I still need to verify the requests.

EDIT 3: Comment by @deceze and answer by @Jilu got me thinking. Yes, you are correct, I need to do that, but I don't have access to back-end on Shopify, so I cannot create session. However, what I could do (if I figure out how in js) is hash it. PHP login scripts operate on password_hash. That way you do not store a password in the db. Password get's verified again hash (or whatever you call) in the db, and it's either true or false. If true, you are logged in. So I could try to generate a token using a specific string (make it very long) and user id. Send it with the request, and using password_verify or what not, check it against the users. The one that pops positive is logged in user who requested the information. That is assuming I can hide the string in the Shopify...

  • 写回答

2条回答 默认 最新

  • weixin_33725807 2017-09-14 10:35

    Step1: Do a session login system. Step2: Before the Ajax, generate a random token in your form or request page, put it into a input display none, send it with POST. Verify each time if the token is set and is the same that you got.

    You have now verified if the user is really logged in with session. And you checked that he is from the right page.




  • ¥60 更换迈创SOL6M4AE卡的时候,驱动要重新装才能使用,怎么解决?
  • ¥15 让node服务器有自动加载文件的功能
  • ¥15 jmeter脚本回放有的是对的有的是错的
  • ¥15 r语言蛋白组学相关问题
  • ¥15 Python时间序列如何拟合疏系数模型
  • ¥15 求学软件的前人们指明方向🥺
  • ¥50 如何增强飞上天的树莓派的热点信号强度,以使得笔记本可以在地面实现远程桌面连接
  • ¥20 双层网络上信息-疾病传播
  • ¥50 paddlepaddle pinn
  • ¥20 idea运行测试代码报错问题