Using GetSessionCustomerID for Custom API Integration in Catalyst #1060
Replies: 1 comment 2 replies
-
Hey @Pedro-Silva-MM, sort of a long reply, but hopefully this helps answer your questions.
There are issues which we've identified with using a customer id as a way to impersonate a shopper. We have a solution that will be added to the repo soon to resolve these risks, but before I get into that I want to provide some context: The customer id field is an auto-increment field so any attacker that knows this can easily iterate through a list of customers to steal their data. Right now we are storing the customer id in an encrypted cookie that can only be encoded/decoded in the Next.js application. The only reason why we are using this customer id approach is historical and that most of the data on the GraphQL API is not sensitive information. As an example of why there are risks, if we introduced a way to retrieve saved payment methods on our GraphQL API, an attacker (either a merchant or developer in this case) could iterate through customers 1-100 and retrieve their stored payment methods. If your API was to use the customer id to identify these requests, the same thing could be done with your endpoints. Not good at all. For the solution I mentioned, very soon here we will be going back to using the
For 3rd party requests, as in to your API, I would say no. Even if it is a customer id or customer access token, you should still have a way of authenticating your own requests. When a sign in/out happens, I would hit your own API to generate your own session token and store it within the JWT. Since we use AuthJS, you should be able to do that with this
Essentially what I just mentioned is sort of the best practice here. I would explore how to make sure your API has a way of generating a session token and authenticating requests with that token.
-
Hi Catalyst Team,
We are developing a Catalyst application that will serve not only as an e-commerce storefront but also include additional functionalities. To support these additional features, we need the Catalyst application to communicate with our own APIs, identifying the customer making the request.
We noticed that the Catalyst application has a functionality called GetSessionCustomerID, which is used to identify the customer when communicating with the BigCommerce APIs. We’re considering using this same functionality to identify customers when making requests to our own APIs.
Our goal is to understand if we can leverage the existing GetSessionCustomerID functionality to:
We have a few questions and would appreciate your guidance:
This is our first time working with BigCommerce and Catalyst, and we believe that this use case is not unique to us. Other agencies and developers likely have similar needs for their headless commerce applications to communicate with additional APIs. We would appreciate any insights or recommendations you can provide on the best way to achieve this.
We appreciate any guidance and opinions you guys can provide us with.
Thank you in advance.