I am planning to develop an app much like the shopify's Grapevine reviews app ( https://apps.shopify.com/grapevine-reviews ) with Ruby on Rails. The app will store the review added between the current logged in customer and the products of shopify. I want the app to be able to list a history of all reviews added by that particular customer in the shopify accounts' page.
I would like to ask what is the most common way to securely authenticate the current logged in user that have added the review?
I was thinking of writing a javascript to pull all reviews from the app by passing in an unique customer id and the shopify shop as parameters. However, this does not seem secure as any http request with a valid unique customer id can read the list of reviews. Is there a way to securely embed the history of reviews on the accounts page? I would like the history of reviews only visible to the current logged in customer on the account's page; I don't want the customer to login on a separate site with a new login to view the history of reviews.