4

I have a general question about the WooCommerce REST API and user access levels.

We started developing a customer Android app based on the WooCommerce API, and we are using the WooCommerce token (read/write).

But the problem is that the token gives access to all of the WooCommerce information/data (all customer orders, products, ...), and if a user decompiles the APK and finds the token, then he/she has access to all of the website's data.

So the question is: how can we restrict the access level of the API based on the user role in the token?

For example, a customer-level token can only see her own orders, products, ... and any access defined on the WooCommerce customer role.

4 Answers

2

You could build a WP plugin with a custom API endpoint, where that endpoint/plugin receives API calls from the remote APKs with the user's credentials.

This way the read/write token stays on your platform and is not exposed in any APK.

And when you receive a specific action from the remote end, you use your token internally and limit what is returned to that specific user, checking his own login credentials (again internally).

This is more complex (in a sense) to implement, but it will be much safer than adding tokens to the APK.


2

We faced the exact same issue in my company not more than one month ago. After A LOT of searching we found somewhere (can't find the link ATM) a WooCommerce worker saying it was developed and meant to be that way.

You can't have a token just for something; either you take it all or you go without a token. The annoying thing is that they suggest you start wrapping up all of their API endpoints and secure them how you need. That's just a waste of time if you ask me: while it's true that you get the working/secured/tested code from WooCommerce, you will just lose time wrapping everything up, leading to future mistakes when they update their strategies for endpoints.

In our case, since we needed just a few things, we decided to make a completely new endpoint, using our own secure logic instead of WC auth.

Another bad thing is that you can get that token only if the user actually has a WordPress account and you can open up the modal that requests user access + express acknowledgement (like when you connect a third-party app with FB / Google).

In our case the mobile app needed to get some WC data without the user needing to have an account, and that seems like an impossible task with the current WC REST API.


2
+150

Full disclosure, haven't touched WordPress in years. I'm speaking of APIs generally here.

I think you will want to build out an access control list and your own middle-layer API to get this done. I think that middle layer is probably going to be WordPress' own API.

From the WooCommerce docs:

This endpoint works exclusively for users to generate API keys and facilitate integration between the WooCommerce REST API and an application. In no way is this endpoint intended to be used as login method for customers.

Basically, I'm suggesting a proxy layer where you exchange a secure user API token with the WooCommerce data you need, validating that a user can make the request on your server.

For what it's worth, this doesn't have to be intense: simply create an endpoint that accepts WooCommerce requests, checks that the user matches the customer, and then sends the WooCommerce request to WooCommerce with the correct token. Get the response back, optionally sanitize it, and return the data (or a subset of the data).

On the bright side, this middle layer could come in handy if you ever decide you want some of this data in other places outside of the WooCommerce ecosystem.
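The proxy endpoint that the first and third answers describe, as an added example that is not code from any answer on this page: a minimal WordPress plugin exposing an assumed route `myapp/v1/my-orders` that returns only the authenticated WordPress user's own WooCommerce orders (an assumed subset of fields), so the store-wide read/write key never has to be shipped in the APK. It assumes the app authenticates as the WordPress user over HTTPS (for example with a WordPress Application Password) rather than with a WooCommerce consumer key.

```php
<?php
/*
Plugin Name: Customer Orders Proxy (added example, not part of the thread)
*/

// Register a read-only route that only logged-in users may call. The per-user
// check happens in permission_callback, so anonymous requests get a 401/403
// from WordPress before the callback ever runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myapp/v1', '/my-orders', array(   // assumed namespace/route
        'methods'             => 'GET',
        'callback'            => 'myapp_get_my_orders',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'read' );
        },
    ) );
} );

function myapp_get_my_orders( WP_REST_Request $request ) {
    // The customer id comes from the authenticated session, never from a
    // request parameter, so one customer cannot ask for another's orders.
    $customer_id = get_current_user_id();

    // Clamp the page size so a client cannot pull the whole order table at once.
    $per_page = (int) $request->get_param( 'per_page' );
    $per_page = $per_page > 0 ? min( $per_page, 50 ) : 10;

    // Query WooCommerce through its PHP API: no REST key is involved at all.
    $orders = wc_get_orders( array(
        'customer_id' => $customer_id,
        'limit'       => $per_page,
        'orderby'     => 'date',
        'order'       => 'DESC',
    ) );

    // Return only the fields the app needs (the "sanitize / subset" step).
    $result = array();
    foreach ( $orders as $order ) {
        $created  = $order->get_date_created();
        $result[] = array(
            'id'       => $order->get_id(),
            'status'   => $order->get_status(),
            'total'    => $order->get_total(),
            'currency' => $order->get_currency(),
            'created'  => $created ? $created->date( 'c' ) : null,
        );
    }
    return new WP_REST_Response( $result, 200 );
}
```

Anything the app needs beyond its own orders (product listings, for instance) gets its own route with the same pattern: the server decides what to return from the authenticated user, and the WooCommerce key never reaches the client.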


0

Why not generate a new API key for each user?

The WooCommerce documentation states that you can generate an API key for every user you have using the /wc-auth/v1/authorize endpoint.

From the documentation:

This endpoint can be used by any APP to allow users to generate API keys for your APP. This makes integration with WooCommerce API easier because the user only needs to grant access to your APP via a URL. After being redirected back to your APP, the API keys will be sent back in a separate POST request.

Here is a Python example of how to build an authentication URL:

from urllib.parse import urlencode

store_url = 'http://example.com'
endpoint = '/wc-auth/v1/authorize'   # Here is the endpoint I mentioned!
params = {
    "app_name": "My App Name",            # shown to the user on the consent screen
    "scope": "read_write",                # permissions requested for the generated key
    "user_id": 123,                       # your app's identifier for this user, echoed back in the callback
    "return_url": "http://app.com/return-page",            # where the user is redirected afterwards
    "callback_url": "https://app.com/callback-endpoint"    # where WooCommerce POSTs the generated keys
}
query_string = urlencode(params)

# Send the user to this URL so they can approve (or deny) the key
print("%s%s?%s" % (store_url, endpoint, query_string))

And this is an example of the JSON posted back to the callback URL with the API keys:

{
    "key_id": 1,
    "user_id": 123,
    "consumer_key": "ck_xxxxxxxxxxxxxxxx",
    "consumer_secret": "cs_xxxxxxxxxxxxxxxx",
    "key_permissions": "read_write"
}

2 Comments

"Links to external resources are encouraged, but please add context around the link so your fellow users will have some idea what it is and why it’s there. Always quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline." See How To Answer
As far as I know, you can create a new API for each user, but permissions do not inherit from the user role. Also, if you create an API for the customer, you get a 401 error when trying to read product info, etc.
