Hey everyone, I’m working on a Shopify store and want to add social login. I’ve been exploring some apps from the Shopify App Store, but I’m concerned about their security measures.
Here’s my understanding of how these apps typically work:
- The store owner sets up a social app with a callback URL provided by the app developer.
- Customers click a social login button and authenticate on the social platform.
- The app retrieves the customer’s email from their social profile.
- It checks its database to see if the customer already exists.
- If new, it creates a Shopify account with a randomly generated password.
- It stores this account information in its own records.
- The app then redirects the user back to the Shopify login page with their credentials.
- Finally, embedded JavaScript automatically submits the login form to initiate the session.
Can anyone confirm this flow? Also, is there a more secure alternative for adding social login on Shopify without needing the Plus plan? Any advice would be really helpful.
hey sarahj, that flow sounds about right from what i’ve seen. but I’d be careful with apps handling customer data like that. have u looked into using shopify’s native social login options? might be more secure. if not, maybe reach out to shopify support for recommendations on trusted third-party auth apps. security should def be a top priority!
I’ve actually implemented third-party authentication for a client’s Shopify store recently, and your understanding of the flow is pretty accurate. One thing I’d add is that many reputable apps now use OAuth 2.0 protocols, which enhance security by not directly handling passwords.
From my experience, while Shopify’s native options are solid, they can be limiting. If you’re set on using a third-party solution, I’d recommend looking into apps that offer two-factor authentication and data encryption. Also, check their privacy policies thoroughly.
A word of caution: some apps store sensitive data on their servers, which can be a security risk. I always advise clients to opt for solutions that minimize data retention and provide clear data handling practices.
Lastly, don’t forget to regularly audit your app permissions and remove any unnecessary access. It’s an often overlooked but crucial step in maintaining store security.
Your understanding of the third-party authentication flow is quite accurate. However, I’d like to point out some potential security concerns with this approach. Storing customer credentials, even if encrypted, on a third-party server introduces additional risk. It’s crucial to thoroughly vet any app you’re considering and ensure they follow best practices for data protection.
One alternative worth exploring is implementing your own custom OAuth solution. While it requires more development effort, it gives you full control over the authentication process and data handling. You’d need to set up your own OAuth server and integrate it with Shopify’s API.
If you decide to stick with a third-party app, look for ones that support token-based authentication instead of storing passwords. Also, check if they offer options to delete user data upon request, which is important for GDPR compliance.
Remember, security should never be compromised for convenience. It might be worth considering upgrading to Shopify Plus if it provides more robust native authentication options for your specific needs.
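To make the risk in the first post's flow concrete (the random Shopify password handed back through the login redirect) next to the token-based alternative the last reply recommends, here is an added Python model; it is not code from any Shopify app or from Shopify's API, and the login URL, customer ids and the OneTimeLoginBroker design are assumptions for illustration.

```python
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 60  # assumed lifetime of a one-time login token


def credential_redirect(login_url, email, password):
    """The pattern from the first post: the freshly generated Shopify
    password is placed in the redirect back to the store's login page.
    Everything in that URL reaches browser history, proxy and web-server
    logs and Referer headers, so the credential is exposed on issue."""
    return login_url + "?" + urlencode({"email": email, "password": password})


def leaks_value(url, secret):
    """Defensive check: does a redirect URL carry a secret in the clear?"""
    return secret in url


class OneTimeLoginBroker:
    """Token-based alternative (hypothetical design, not a Shopify API):
    the app never puts a password in the browser. It hands over a
    single-use, short-lived random token; the login endpoint redeems it
    server-side and starts the session for the bound customer."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self._pending = {}  # token -> (customer_id, expires_at)
        self._ttl = ttl

    def issue(self, customer_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._pending[token] = (customer_id, now + self._ttl)
        return token

    def token_redirect(self, login_url, token):
        # Only the opaque token travels through the browser, never a password.
        return login_url + "?" + urlencode({"login_token": token})

    def redeem(self, token, now=None):
        """Return the customer id for a valid token, else None. The entry is
        removed on first use, so a replayed or leaked token buys nothing."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        customer_id, expires_at = entry
        return customer_id if now <= expires_at else None
```

A real deployment would additionally bind the token to the browser session that started the social login, which this model omits.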