
How can I add security to my Shopify App? (webhooks & front-end)

I'm developing a Shopify App with Rails and I would like to avoid future problems with its security. I don't know what I should do about it, so I hope you could guide me with that...

The Webhooks Controller:

module ShopifyApp
  class WebhooksController < ActionController::Base
    include ShopifyApp::WebhookVerification

    class ShopifyApp::MissingWebhookJobError < StandardError; end

    def receive
      params.try(:permit!)
      job_args = {shop_domain: shop_domain, webhook: webhook_params.to_h}
      webhook_job_klass.perform_later(job_args)
      head :no_content
    end

    private

    def webhook_params
      params.except(:controller, :action, :type)
    end

    def webhook_job_klass
      "#{webhook_type.classify}Job".safe_constantize or raise ShopifyApp::MissingWebhookJobError
    end

    def webhook_type
      params[:type]
    end
  end
end

I've read about checking the HMAC of the Webhook, but I don't know if I have to implement it by myself, or if the above code is doing that actually.

About the front-end... Should I do some security checks in the Views or Controllers?

Thank you for your attention and your knowledge.

I've read about it and it's not necessary to write the security of Webhooks.

The line include ShopifyApp::WebhookVerification does the whole process. WebhookVerification is included in the gem 'shopify_api', so we just have to include the gem and copy the code above to manage the webhooks.

If we want to test webhooks through the Shopify admin: Settings>Notifications>Webhooks then we should implement this code.
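
For readers who want to see what an HMAC check on a webhook involves, here is an added example (not part of the original post and not the gem's own code). It assumes the signature arrives Base64-encoded in the X-Shopify-Hmac-SHA256 header and is computed over the raw request body; the function names and sample values are constructed for illustration.

```ruby
require 'openssl'

# Constructed sample values; a real shared secret comes from the app's credentials.
SAMPLE_SECRET = 'constructed-shared-secret'
SAMPLE_BODY   = '{"id":1001,"email":"customer@example.com"}'

# Base64-encoded HMAC-SHA256 of the raw body, keyed with the app's shared secret.
# The input must be the exact bytes received, not JSON re-serialized from params.
def webhook_hmac(secret, raw_body)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, raw_body)
  [digest].pack('m0') # strict Base64, no trailing newline
end

# Constant-time comparison, so timing does not reveal how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# header_hmac is the signature header value, or nil when the header is absent.
def webhook_authentic?(secret, raw_body, header_hmac)
  return false if header_hmac.nil? || header_hmac.empty?

  secure_compare(webhook_hmac(secret, raw_body), header_hmac)
end

if __FILE__ == $PROGRAM_NAME
  signature = webhook_hmac(SAMPLE_SECRET, SAMPLE_BODY)
  reserialized = SAMPLE_BODY.sub(',', ', ') # same JSON, different bytes
  puts "genuine body:       #{webhook_authentic?(SAMPLE_SECRET, SAMPLE_BODY, signature)}"
  puts "re-serialized body: #{webhook_authentic?(SAMPLE_SECRET, reserialized, signature)}"
  puts "missing header:     #{webhook_authentic?(SAMPLE_SECRET, SAMPLE_BODY, nil)}"
end
```

A request that fails this check should be rejected before any job is enqueued.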
