Automatic order API
The site needed a public API to allow its users to submit orders via HTTP requests. I had already created a Quickorders Interface for this site, so I opted to reuse some of that existing functionality.
The only conditions provided were that:
- The API should be secure and all HTTP requests should be verified before processing
- The API should never silently fail
- A full Shopify Integration app was planned as a future project, so this API should be ready for it
The existing functionality let me take an order in JSON format and convert it into a pending order, belonging to a group, that was awaiting payment.
Since the requests would be coming from outside of the Shopify store, I needed to create a secure API key and secret. The API key was always a base64 version of the user's account email plus their user ID. When a user first initialized their API records, a randomly generated SHA-256 hash was returned to them as the secret.
The secret was only available once, via the initializer, and if it was ever lost it would need to be manually regenerated. Since no payment would take place inside the API, we considered these security measures more than sufficient.
I created various endpoints, such as retrieval of product data, order status information, and most importantly a POST method for creating a new pending order.
When the pending order creation method was called, I first verified that the supplied secret matched the API key, and only then used the information inside the request to create a new pending order awaiting payment, taking great care to catch any errors (e.g. missing parameters) and return detailed information about them.
The reason I ultimately decided to make the secret available via the initializer was so that, in future, the Shopify Integration App could initialize or regenerate the user's API information and then store it for automated order processing.
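The credential scheme and the pending order endpoint described above, as an added Python example that is not the site's own code: the key is the base64 of the account email plus user ID, the secret is a random value hashed with SHA-256 and handed back exactly once, every request is verified before the body is touched, and validation failures come back as a 422 carrying a list of everything that was wrong rather than failing silently. Everything else is assumed: the header names `X-Api-Key` and `X-Api-Secret`, the colon separator inside the key, the in-memory dictionaries standing in for the database, the constructed product catalogue, and the choice to store only a hash of the secret and compare it with `hmac.compare_digest` (a hardening choice the write-up does not mention).

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the site's database (assumption).
USERS = {101: {"email": "buyer@example.com"}}
API_RECORDS = {}        # api_key -> sha256(secret) hex; the plain secret is never stored
PENDING_ORDERS = []     # orders awaiting payment
PRODUCTS = {"SKU-1": 12.50, "SKU-2": 3.99}   # constructed catalogue: sku -> unit price


class ApiError(Exception):
    """Carries an HTTP status and a detailed message so no failure is silent."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def make_api_key(email, user_id):
    # Key is base64 of the account email plus user ID, as in the write-up;
    # the ':' separator is an assumption.
    return base64.b64encode(f"{email}:{user_id}".encode()).decode()


def init_api_records(user_id):
    """Create or regenerate the key/secret pair. The plain secret is returned once."""
    email = USERS[user_id]["email"]
    api_key = make_api_key(email, user_id)
    # Secret: a random 32-byte value, hashed with SHA-256 and returned as hex.
    secret = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
    # Hardening assumption: persist only a hash of the secret, so a database
    # leak does not hand out usable credentials.
    API_RECORDS[api_key] = hashlib.sha256(secret.encode()).hexdigest()
    return api_key, secret


def verify_request(headers):
    """Check key and secret before any request body is processed."""
    api_key = headers.get("X-Api-Key")
    secret = headers.get("X-Api-Secret")
    if not api_key or not secret:
        raise ApiError(401, "missing X-Api-Key or X-Api-Secret header")
    stored = API_RECORDS.get(api_key)
    if stored is None:
        raise ApiError(401, "unknown API key")
    supplied = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how much of the hash matched.
    if not hmac.compare_digest(stored, supplied):
        raise ApiError(401, "secret does not match API key")
    return api_key


def create_pending_order(headers, body):
    """POST handler: verify, validate every line item, then create the pending order."""
    api_key = verify_request(headers)
    errors = []
    lines = body.get("lines")
    if not isinstance(lines, list) or not lines:
        errors.append("'lines' must be a non-empty list")
    else:
        for i, line in enumerate(lines):
            sku = line.get("sku") if isinstance(line, dict) else None
            qty = line.get("qty") if isinstance(line, dict) else None
            if sku not in PRODUCTS:
                errors.append(f"lines[{i}].sku unknown: {sku!r}")
            if not isinstance(qty, int) or qty < 1:
                errors.append(f"lines[{i}].qty must be a positive integer")
    if errors:
        # Report every problem found, not just the first, so the caller can fix them all.
        raise ApiError(422, "; ".join(errors))
    total = sum(PRODUCTS[ln["sku"]] * ln["qty"] for ln in lines)
    order = {
        "id": len(PENDING_ORDERS) + 1,
        "api_key": api_key,
        "status": "pending_payment",
        "lines": lines,
        "total": round(total, 2),
    }
    PENDING_ORDERS.append(order)
    return order


def handle_post(headers, body):
    """Translate the outcome into (status, JSON-able body); errors are always explicit."""
    try:
        return 201, create_pending_order(headers, body)
    except ApiError as e:
        return e.status, {"error": e.message}


if __name__ == "__main__":
    key, secret = init_api_records(101)
    print(handle_post({"X-Api-Key": key, "X-Api-Secret": secret},
                      {"lines": [{"sku": "SKU-1", "qty": 2}]}))
    print(handle_post({"X-Api-Key": key, "X-Api-Secret": "wrong"}, {"lines": []}))
```

The secret is validated before the body is even parsed for line items, and a bad request is answered with every validation failure rather than the first one, which is what "never silently fail" costs in practice.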
At the time of creation, this was a heavily requested feature which opened the door to bigger customers. The site's highest-value customer had previously had a lifetime spend of £65,000, whereas the highest API spender reached a lifetime total of over £250,000.