architecture – Building an app+backend with extraneous functionality for an existing web shop. How to handle authentication on the backend?

This is an architecture question as I’ve been asked by an existing web store to build a

  • mobile app (they don’t have a mobile app) that provides extra functionality to the store,
  • a web admin panel to manage the app’s content

The mobile app is to provide extra functionality (tracking orders, contests, rewards etc.) to the store, but it will not have shopping capability, i.e. users will not be able to view all products and place orders through the app.

So far it seems I need:

  • a mobile app
  • a backend app (API and business logic for the mobile app/web panel)
  • a frontend for the admin panel
  • a DB

I thought I’d set up a new DB for the project, but it poses a few problems.

First, the users should be able to log in. Users who already have accounts in the store should be able to log into the app using the same credentials.

That means that my backend has to somehow authenticate the user with the store. The store uses cookies for authentication and doesn’t appear to expose an API endpoint for verifying user credentials, but it can expose privileged API to get any customer’s data, including its password hash (calculated by taking md5 of user password + hardcoded COOKIE_KEY value).

So what I can do on my backend is to keep a local copy of this COOKIE_KEY value. When a mobile client tries to log in, I can then calculate the md5 hash and compare it with the hash that the store returns to me. If it matches, I’ll issue a JWT token to the client. Like the following:

(diagram: authentication process)

Is this a good approach to the problem? I’m sure it’s an easy one for a more experienced dev.
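The login flow described in the question, written out as an added example that is not part of the original post or the store's code. It assumes a local copy of the store's COOKIE_KEY, a backend-owned JWT signing secret, and a stubbed customer lookup with constructed data in place of the store's privileged API; the JWT is HS256 built from the standard library so the example runs offline (a real service would use a JWT library). Names such as `store_password_hash`, `fetch_customer`, `login` and the secret values are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values: a local copy of the store's COOKIE_KEY and the backend's own JWT signing key.
COOKIE_KEY = "example-cookie-key"
JWT_SECRET = b"example-jwt-signing-secret"


def store_password_hash(password: str) -> str:
    """Reproduce the store's scheme as the question describes it: md5(password + COOKIE_KEY)."""
    return hashlib.md5((password + COOKIE_KEY).encode("utf-8")).hexdigest()


# Constructed stand-in for the store's privileged customer API (a real backend would make an HTTP call).
FAKE_STORE_CUSTOMERS = {
    "alice@example.com": {"id": 42, "password_hash": store_password_hash("correct horse")},
}
# Dummy hash compared against when the account does not exist, so the code path takes similar time.
DUMMY_HASH = store_password_hash("dummy-placeholder")


def fetch_customer(email: str) -> Optional[dict]:
    return FAKE_STORE_CUSTOMERS.get(email)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(JWT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest())


def issue_jwt(customer_id: int, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT whose subject is the store's customer id."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": str(customer_id), "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}')}"


def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{header}.{payload}"), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def login(email: str, password: str) -> Optional[str]:
    """Check the candidate password against the hash the store holds and issue a JWT on success."""
    customer = fetch_customer(email)
    candidate = store_password_hash(password)
    stored = customer["password_hash"] if customer else DUMMY_HASH
    # Constant-time comparison so the check does not leak how many leading characters matched.
    if not hmac.compare_digest(candidate, stored) or customer is None:
        return None
    return issue_jwt(customer["id"])


if __name__ == "__main__":
    token = login("alice@example.com", "correct horse")
    print("token issued:", token is not None)
    print("claims:", verify_jwt(token))
    print("wrong password:", login("alice@example.com", "wrong"))
```

The backend only ever stores its own JWT secret and the copied COOKIE_KEY; the user's password is hashed and compared, never written anywhere. Because the hash is the store's unsalted md5, the example can only reproduce that scheme, not strengthen it; what the example itself adds is the constant-time comparison, a dummy comparison for unknown accounts, and a token with an expiry that the backend checks on every request.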