Issue summary
Exposing ApolloClient in the frontend will allow a shop using your paid app to edit their subscription line items or even give app credits to themselves.
Expected behavior
A shop shouldn't be allowed to change their own subscription items, or give themselves appCredits.
Actual behavior
If I inspect the ApolloClient in my browser, I can notice that it makes API calls to /graphql. If I start inspecting the queries that are sent to /graphql, I can figure out that it's using the GraphQL Admin API.
Through this, I can deduce that I will have full access to the current AppInstallation, all through my browser. Even just performing fetch('/graphql') in my JS console would allow me to alter my AppInstallation to be $0.01, or give myself credits through the appCreditCreate mutation.
Steps to reproduce the problem
1. Set up a new Shopify Node app with shopify-app-cli.
2. Visit the URL; you'll be greeted with the default welcome message.
3. Set up recurring billing using the docs.
4. Log out and log back in; you will be prompted to perform a test payment for your app.
5. Perform the payment and you're redirected to the welcome page.
tolgap changed the title from "Is exposing ApolloClient to the frontend a bad idea?" to "Is exposing ApolloClient/Admin GraphQL API to the frontend a bad idea?" on Dec 9, 2019