Security and Store Verification

  • Security and Store Verification

    This is difficult to explain but I will do my best.

    The current process requires that the user subscribe to an app via a public key. After the user subscribes, the app is expected to save a unique token key, the secure URL, and some other irrelevant information. The store that subscribes does not have access to the unique token key, so how do I verify that the user using my app is legitimately the one who subscribed? The user should be able to access their unique token key as a password to verify their identity within the app, which would greatly reduce the risk of someone who happens to put in the correct SecureURL and the publicly available public key being able to access customer, order, etc. data. A private key doesn't do anything for me if the user can't use it to verify their account.

    Hope it makes sense!

    Mike C.
    Store: MAToday, LLC

  • #2
    Are you talking about downloadable products (software, videos, etc.)? Otherwise I have no idea what you are talking about.


    • #3
      Let's say I make a mobile app. The user must subscribe to it via a public key inside of their 3dcart admin panel. Once they subscribe to it, a callback URL processes the subscription and then 3dCart sends my server the following:

      1) My public app key (which is freely available)
      2) A unique private key (token key) specific to that store
      3) The secure URL of the store (
      4) The action (either AUTHORIZE or REMOVE)
      5) A timestamp

      The user subscribed through their store control panel, and I receive all of the necessary data to connect and make calls to their store.

      Now let's say the user opens my app. I must find a secure way to identify the user with the store in my database. The user has access to their secure URL but not their unique token key; only I have access to it. I can ask the user to enter their secure URL, but that means anyone can enter the secure URL ( into the app, and if that store has subscribed to my app, it will give the false user access to the store data.

      My solution is to make the token key visible to the store who subscribed, so they can put it into the app to verify their identity with my app.

      There are alternative workarounds, but none of them are as secure as allowing the user to access the token key as a means of verifying the identity of the user with my app.
      Last edited by MCampagnini; 09-20-2015, 12:37 AM.
      Store: MAToday, LLC
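A sketch of the flow described in post #3, added here as an example and not code from the poster or from 3dcart: the app server records each AUTHORIZE/REMOVE callback per store, keeps a keyed hash of the token for the login check, compares it in constant time, and locks the store out after repeated failures. APP_PUBLIC_KEY, SERVER_HMAC_KEY and the lockout limit are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholders: the app's freely available public key and a
# per-deployment secret that keys the stored token hashes (load both from
# configuration or a secrets store in a real deployment).
APP_PUBLIC_KEY = "example-app-public-key"
SERVER_HMAC_KEY = b"replace-with-a-random-32-byte-key"


def normalize_url(url: str) -> str:
    """Canonicalize the store's secure URL so the lookup is not defeated
    by case or trailing-slash differences when the user types it in."""
    return url.strip().rstrip("/").lower()


def token_fingerprint(token: str) -> bytes:
    """Keyed SHA-256 of the token; only this value is compared at login."""
    return hmac.new(SERVER_HMAC_KEY, token.encode(), hashlib.sha256).digest()


@dataclass
class StoreRecord:
    api_token: str      # raw token, needed for store API calls; encrypt at rest
    token_fp: bytes     # keyed hash used for the in-app identity check
    subscribed_at: str  # timestamp from the callback
    failed_logins: int = 0


class Subscriptions:
    MAX_FAILED = 5  # constructed lockout threshold

    def __init__(self) -> None:
        self.by_url: dict[str, StoreRecord] = {}

    def handle_callback(self, public_key, token_key, secure_url, action, timestamp) -> bool:
        """Process the five callback fields from the post; returns whether applied."""
        if public_key != APP_PUBLIC_KEY:  # consistency check, not authentication
            return False
        url = normalize_url(secure_url)
        if action == "AUTHORIZE":
            self.by_url[url] = StoreRecord(token_key, token_fingerprint(token_key), timestamp)
            return True
        if action == "REMOVE":
            return self.by_url.pop(url, None) is not None
        return False

    def verify_user(self, secure_url: str, entered_token: str) -> bool:
        """The poster's check: the user proves identity with the store's token key."""
        rec = self.by_url.get(normalize_url(secure_url))
        if rec is None or rec.failed_logins >= self.MAX_FAILED:
            return False  # unknown store or locked out; same answer for both
        ok = hmac.compare_digest(rec.token_fp, token_fingerprint(entered_token))
        rec.failed_logins = 0 if ok else rec.failed_logins + 1
        return ok
```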