I’ve been working on a project for a friend, making him a tool to help him manage his BigCommerce store. I had previously made the tool for Shopify, but he ended up needing to switch providers. I’ve run into a few things with BigCommerce’s API that I have found either odd or concerning.
The recommended method of authentication is OAuth, three-legged OAuth2 to be specific. The thing is, they basically shortcut one of the legs. Instead of the user beginning the interaction in the third-party application, it begins in BigCommerce’s application. They seem to highly prefer loading applications in an iframe in their store console, so I guess I can see the logic in that. They know where the user will be initially redirected to authorize the third-party app, so they might as well send them there immediately and then send them to the redirect URL they have saved. One big downside of this is the lack of support for multiple redirect URLs. This means if I need to develop my app locally and also have a dev instance, I will need to either adjust the redirect URL constantly or have multiple sets of application credentials.
This next bit is the part that really concerns me. From what I can tell, the access token that the application gets never expires. Also, if the store owner has enabled other users to access the application, all the users will make use of the same access token. The functionality that appears to be expected is that the third-party application saves the access token it gets when the store owner installs the app and uses it for any users from that store.
You may be wondering how the application is to know that the user it gets is allowed to access things for the store. BigCommerce sends a JWT signed with the third-party app’s client secret as a query parameter. That JWT contains information about the user as well as the store they are coming from.
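As an added illustration (not code from the original post or from BigCommerce), here is how a third-party app can check that JWT before it touches the store's shared access token: pin the algorithm to HS256, verify the HMAC with the client secret, require an expiry, and only then look up the token saved for that store. The claim names `store_hash` and `user`, and the sample issuer used to exercise the verifier, are assumptions for the demo rather than the provider's real claim names.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256_jwt(token, client_secret, now=None):
    """Verify an HS256 JWT with the app's client secret; return its claims.
    Raises ValueError on any defect. alg is pinned to HS256 before the signature
    is compared, so a token claiming 'none' or RS256 is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims

def resolve_store_token(token, client_secret, tokens_by_store, now=None):
    """Map a verified load JWT to the store's stored access token.
    Claim names 'store_hash' and 'user' are hypothetical placeholders; use the
    names the provider actually issues. Nothing but this signature check ties the
    incoming user to the store, so it must pass before any token lookup."""
    claims = verify_hs256_jwt(token, client_secret, now)
    store = claims.get("store_hash")
    if store not in tokens_by_store:
        raise ValueError("no installation for store %r" % store)
    return claims.get("user"), tokens_by_store[store]

def sign_hs256_jwt(claims, client_secret):
    """Constructed sample issuer, present only so the verifier can run offline."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, _b64url_encode(sig))
```

Because one long-lived token serves every user of a store, this verification step is the only per-request authorization the app performs, so a failure here must short-circuit before any API call is made with the stored token.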
I can overlook cutting off a leg of OAuth. I see the logic there. But I am not sure I can get behind using a single access token for all users from a store, especially if that access token never expires.