1. Customer logs in to their account with their username and password
2. Using app proxy, make requests to my app backend to verify certain things about this user
3. Block or allow the login based on 2
Should I be sending the username and password to my backend at the same time, and handling the login - returning the auth token to the frontend? Or is it as simple as making the Shopify /account/login request with all the params from the frontend, as long as my backend checks pass? Worried about the checks being bypassed.
You should not be handling the customer’s username and password directly in the backend of your app. Shopify’s authentication flow is designed to keep credentials between the customer and Shopify only.
The standard /account/login endpoint is handled by Shopify, and you cannot intercept or block the login directly from your backend after credentials are submitted. App proxies can be used to fetch/store additional data or perform checks after a customer is logged in, but they do not allow you to block the login process itself.
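A backend check behind an app proxy only holds up if the backend confirms the request really came through Shopify and takes the customer identity from the signed parameters, never from values the browser supplies. The sketch below is an added example, not code from this thread or from Shopify; it assumes Shopify's documented app proxy query parameters `signature` and `logged_in_customer_id`, and the secret, shop name and helper names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed placeholder; a real app loads its API secret from configuration.
SHARED_SECRET = "constructed-example-secret"


def proxy_signature(params, secret):
    """HMAC-SHA256 (hex) over the sorted 'key=value' pairs, joined with no separator."""
    parts = sorted(f"{key}={','.join(values)}" for key, values in params.items())
    return hmac.new(secret.encode(), "".join(parts).encode(), hashlib.sha256).hexdigest()


def verified_customer_id(query_string, secret=SHARED_SECRET):
    """Return the logged-in customer id of a genuine proxied request, else None.

    None covers a missing or wrong signature and a visitor who is not logged in.
    """
    # Blank values are kept: logged_in_customer_id is empty for anonymous visitors
    # and is still part of the signed data.
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [""])[0]
    expected = proxy_signature(params, secret)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    return params.get("logged_in_customer_id", [""])[0] or None


def sign_demo(query_string, secret=SHARED_SECRET):
    """Hypothetical helper: sign a constructed query the way the proxy would."""
    params = parse_qs(query_string, keep_blank_values=True)
    return f"{query_string}&signature={proxy_signature(params, secret)}"


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    query = sign_demo(
        "shop=example.myshopify.com&path_prefix=%2Fapps%2Fcheck"
        "&timestamp=1700000000&logged_in_customer_id=1234567890"
    )
    print(verified_customer_id(query))
    print(verified_customer_id(query.replace("1234567890", "42")))
```

Any decision the backend makes should then be enforced server-side (for example in what the proxy response returns), since anything the storefront JavaScript decides on its own can be skipped by the client.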