I have a general question about the WooCommerce REST API and user access levels.
We started developing a customer Android app based on the WooCommerce API, and we are using the WooCommerce token (read/write).
But the problem is that the token gives access to all the information/data in WooCommerce (all customer orders, products, …), and if a user decompiles the APK and finds the token, then he/she has access to all the data of the website.
So, the question is how to restrict the access level of the API based on the user role in the token.
For example, a customer-level token can only see her own orders, products, …
and any access defined on the WooCommerce customer role.
4 Answers
Why not generate a new API key for each user?
The WooCommerce documentation states that you can generate an API key for every user you have using the
/wc-auth/v1/authorize
endpoint. From the documentation:
Here is a python example of how to build an authentication URL:
And this is an example of JSON posted with the API Keys
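The per-user key flow the answer above points at, written out as an added example (this is not the answer's code nor WooCommerce's own, and the documentation snippets the answer quotes are not reproduced here). The authorize path and its query parameters (app_name, scope, user_id, return_url, callback_url), and the fields WooCommerce POSTs back to callback_url (key_id, user_id, consumer_key, consumer_secret, key_permissions), follow the WooCommerce REST API authentication docs; the store and app URLs are placeholders and the callback body is constructed for the demo. The point it makes is that the key is requested per shopper with read scope and the consumer secret is filed on your server, so nothing store-wide ever needs to ship in the APK.

```python
"""Generate a per-user WooCommerce API key instead of shipping one store-wide
key in the APK.

Added example; not the original answer's code nor WooCommerce's own.
Endpoint path, query parameters and callback fields follow the WooCommerce
REST API authentication docs; URLs are placeholders, callback body is
constructed.
"""
import json
from urllib.parse import urlencode, urlparse, parse_qs

VALID_SCOPES = ("read", "write", "read_write")


def build_auth_url(store_url, app_name, app_user_id, scope="read",
                   return_url="https://app.example.com/return",          # placeholder
                   callback_url="https://app.example.com/wc-callback"):  # placeholder
    """Return the URL the app opens so the shopper approves a key for *this* user.

    Customers get scope=read by default: a leaked read-only key tied to one
    WordPress account exposes far less than the store-wide read/write key.
    """
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {VALID_SCOPES}")
    params = {
        "app_name": app_name,
        "scope": scope,
        "user_id": str(app_user_id),  # your own identifier, echoed back in the callback
        "return_url": return_url,
        "callback_url": callback_url,
    }
    return f"{store_url.rstrip('/')}/wc-auth/v1/authorize?{urlencode(params)}"


def auth_url_params(url):
    """Flatten the query string of an auth URL (handy for checks and logging)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(raw_json, expected_app_user_id, key_store):
    """Validate the JSON WooCommerce POSTs to callback_url and file the key.

    Runs on your server: the consumer_secret is stored here, keyed by the
    app user, and is never handed to the mobile client.
    """
    data = json.loads(raw_json)
    required = {"key_id", "user_id", "consumer_key", "consumer_secret", "key_permissions"}
    missing = required - set(data)
    if missing:
        raise ValueError(f"callback missing fields: {sorted(missing)}")
    # Bind the key to the user the flow was started for; a callback carrying
    # some other user_id must not be accepted.
    if str(data["user_id"]) != str(expected_app_user_id):
        raise ValueError("callback user_id does not match the pending authorization")
    if data["key_permissions"] not in VALID_SCOPES:
        raise ValueError(f"unexpected key_permissions: {data['key_permissions']!r}")
    key_store[str(data["user_id"])] = {
        "key_id": int(data["key_id"]),
        "consumer_key": data["consumer_key"],
        "consumer_secret": data["consumer_secret"],
        "permissions": data["key_permissions"],
    }
    return str(data["user_id"])


# Constructed callback body in the shape WooCommerce sends (values are fake).
SAMPLE_CALLBACK = json.dumps({
    "key_id": 12,
    "user_id": "42",
    "consumer_key": "ck_constructed0000000000000000000000000000000",
    "consumer_secret": "cs_constructed0000000000000000000000000000000",
    "key_permissions": "read",
})

if __name__ == "__main__":
    url = build_auth_url("https://example.com", "Customer App", "42")
    print(url)
    keys = {}
    print(handle_callback(SAMPLE_CALLBACK, "42", keys), keys["42"]["permissions"])
```

Because the key is approved by the shopper while logged in to WordPress, it carries that account's role: a customer's key cannot read other customers' orders, which is exactly the restriction the question asks for. The mismatch check in handle_callback matters because callback_url is a public endpoint; without it anyone who knows the URL could file a key under another user's record.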
Full disclosure, haven’t touched WordPress in years. I’m speaking of APIs generally here.
I think you will want to build out an access control list and your own middle-layer API to get this done. I think that middle layer is probably going to be WordPress’ own API.
From the WooCommerce docs:
Basically, I’m suggesting a proxy layer where you exchange a secure user API token with the WooCommerce data you need, validating that a user can make the request on your server.
For what it’s worth, this doesn’t have to be intense: Simply create an endpoint that accepts WooCommerce requests, checks if the user matches the customer, and then sends the WooCommerce request to WooCommerce with the correct token. Get the response back, optionally sanitize, and return the data (or a subset of the data).
On the bright side, this middle layer could come in handy if you ever decide you want some of this data in other places outside of the WooCommerce ecosystem.
You could build a WP plugin with a custom API endpoint, where that endpoint/plugin will receive API calls from remote APKs with the user's credentials.
This way the read/write token stays on your platform and is not exposed in any APKs.
And when you receive a specific action from the remote end, you use your token internally and limit what will be returned to that specific user, checking his own login credentials (again internally).
This is more complex (in a sense) to implement, but will be much safer than adding tokens to the APK.
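The proxy layer that the two answers above describe (accept the request, check that the logged-in user matches the customer, forward it with the server-held token, sanitize the reply), written out as an added example. It is not code from either answer, from WordPress or from WooCommerce: the session user id is assumed to come from your own login mechanism, the in-memory order table is a constructed stand-in for the WooCommerce REST API, and only the paths (/wp-json/wc/v3/orders/<id>, /wp-json/wc/v3/orders?customer=<id>) follow WooCommerce REST API v3.

```python
"""Server-side proxy that keeps the store-wide WooCommerce key on the server
and only forwards requests the logged-in user is allowed to make.

Added example; not code from the answers, from WordPress or from WooCommerce.
The session user id is assumed to come from your own login; FAKE_ORDERS is a
constructed stand-in for the upstream API.
"""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Fields the mobile app actually needs; everything else (billing address,
# customer IP, meta data, ...) is stripped before the response leaves the server.
PUBLIC_ORDER_FIELDS = ("id", "status", "currency", "total", "date_created", "line_items")


class NotFound(Exception):
    """Raised for both missing orders and orders belonging to someone else."""


class NotAuthenticated(Exception):
    """Raised when no logged-in user is attached to the request."""


def wc_fetch(store_url, consumer_key, consumer_secret, path):
    """The real upstream call: HTTPS basic auth with the key held on the server.

    Not exercised by the demo below; it is here to show that the consumer
    secret only ever appears in server-side code.
    """
    token = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    req = Request(f"{store_url.rstrip('/')}/wp-json/wc/v3{path}",
                  headers={"Authorization": f"Basic {token}"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class OrderProxy:
    """Customer-scoped view over the orders endpoint."""

    def __init__(self, fetch):
        # fetch(path) -> parsed JSON, e.g. functools.partial(wc_fetch, store, ck, cs)
        self._fetch = fetch

    @staticmethod
    def _sanitize(order):
        return {k: order[k] for k in PUBLIC_ORDER_FIELDS if k in order}

    def get_order(self, session_user_id, order_id):
        if session_user_id is None:
            raise NotAuthenticated()
        order = self._fetch(f"/orders/{int(order_id)}")
        # Object-level check: the order must belong to the caller. Answer with
        # the same NotFound as for a missing id, so a guessed id confirms nothing.
        if order is None or int(order.get("customer_id", -1)) != int(session_user_id):
            raise NotFound()
        return self._sanitize(order)

    def list_orders(self, session_user_id):
        if session_user_id is None:
            raise NotAuthenticated()
        # Ask upstream for this customer only, then re-check every row: if the
        # filter were ever ignored upstream, nothing foreign would still get out.
        uid = int(session_user_id)
        orders = self._fetch("/orders?" + urlencode({"customer": uid}))
        return [self._sanitize(o) for o in orders if int(o.get("customer_id", -1)) == uid]


# ---- constructed stand-in for the WooCommerce API (demo only) ----
FAKE_ORDERS = {
    101: {"id": 101, "customer_id": 7, "status": "completed", "currency": "EUR",
          "total": "19.99", "date_created": "2020-01-10T10:00:00",
          "billing": {"address_1": "Example St 1"}, "customer_ip_address": "203.0.113.5",
          "line_items": [{"name": "Mug", "quantity": 1}]},
    102: {"id": 102, "customer_id": 9, "status": "processing", "currency": "EUR",
          "total": "5.00", "date_created": "2020-01-11T09:30:00", "line_items": []},
    103: {"id": 103, "customer_id": 7, "status": "processing", "currency": "EUR",
          "total": "42.00", "date_created": "2020-01-12T12:00:00", "line_items": []},
}


def fake_fetch(path):
    """Serve FAKE_ORDERS for the two paths the proxy uses."""
    if path.startswith("/orders?customer="):
        uid = int(path.split("=", 1)[1])
        return [o for o in FAKE_ORDERS.values() if o["customer_id"] == uid]
    return FAKE_ORDERS.get(int(path.rsplit("/", 1)[1]))


if __name__ == "__main__":
    proxy = OrderProxy(fake_fetch)
    print(proxy.get_order(7, 101))
    print([o["id"] for o in proxy.list_orders(7)])
```

Two design choices carry the security value: the ownership check happens on the proxy after the upstream reply (so it does not rely on the WooCommerce query filter alone), and a foreign order is reported exactly like a missing one, so the proxy does not become an oracle for which order ids exist. The sanitize step is where "return the data (or a subset of the data)" from the answer above lives.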
We faced the exact same issue in my company not more than one month ago. After A LOT of searching we found somewhere (can't find the link ATM) a WooCommerce worker saying it was developed and meant that way.
You can't have a token just for something; either you take it all or you go without a token.
The annoying stuff is that they suggest that you start to wrap up all of their API endpoints and secure them how you need. That's just a waste of time if you ask me; while it's true that you get the working/secured/tested code from WooCommerce, you will just lose time wrapping everything up, leading to future mistakes when they update their strategies for endpoints.
In our case, since we needed just a few things, we decided to make a completely new endpoint, using our own secure logic instead of WC auth.
Another bad thing is that you can get that token only if the user actually has a WordPress account and you can open up the modal that requests the user's access + express acknowledgement (like when you connect a third-party app with FB / Google).
In our case the mobile app needed to get some WC data without the user needing to have an account; that seems like an impossible task with the current WC REST API.