Hi all, I am developing a Shopify app using the Remix template from the Shopify CLI.
I am using a Spring Boot backend with protected REST endpoints. I basically need a way for Shopify Remix to authenticate with my Spring Boot backend.
I’ve looked into using a simple shared token that will sit in my backend and as well as in Shopify remix and I can send that back and forth but this isn’t a safe way since it could get intercepted or if the token is leaked.
I’ve also looked into issuing a JWT token from my backend to Remix, but session storage is already being utilized for the access token, so I wasn’t sure where else to store my JWT token issued from the backend.
I’ve seen app proxies in other posts where I can define an endpoint of my backend REST API and then validate the request in my backend using the customer ID and HMAC signature.
Just using proxies seems like a limitation if I have lots of endpoints that need to be secured, because I have to manually configure the proxy endpoints in the dev admin.
Another way I’ve thought about using proxies is just creating a /auth endpoint that will request the JWT token from my backend. Because app proxies are something I can validate are coming from Shopify, I can send a JWT token after successfully validating. Then any subsequent request would use that JWT token from Remix to hit any of my backend API.
If I go this route, what are some ways I can store the JWT token in the Remix side? I’ve looked into session storage but it’s already being used by the access token using Prisma.
How have others implemented this security feature in their backend with Shopify remix? Or what is the recommended way of doing this?