So, I just fired up a browser. A fresh session as they say. I then visited a Shopify App that charges money for it's use. I used a valid merchant Shop as the shop name and sent in the ID of a valid resource from that shop.
Eg:
http://unamed_app.com/do_something?shop=fizzbuzz.myshopify.com&id=1234567
The App responded by showing me the data belonging to the shop
fizzbuzz.myshopify.com that I HAD NOT EVEN LOGGED INTO. So, I could essentially change the shop's data as per the App, which had permissions to do so.
I never had to login to that App, nor the shop. Simply provided the GET parameters, shop and ID.
Is that normal App behaviour? I thought it was always expected that to use an App, you had to at least login to the App using the merchants shop name, to initiate the oAuth exchange and ensure some measure of security.
I guess I am missing something special... and forcing my clients to do a dumb login step... when they could always just paste an URL into their browser and just get things done.
Any comments?