What harm can someone do when they have the WooCommerce API key that is normally stored in WordPress itself? At the moment some endpoints in my front-end contain the WooCommerce API key.
The WooCommerce REST API requires authentication through a consumer key and a consumer secret to access any of its endpoints. I'm currently building a store frontend using Nuxt.js and Vue and I really want to use the WooCommerce API as a backend RESTful API to power my store - (get products, categories and the like).
Unfortunately I can't simply pass the consumer key and secret through my frontend to access WooCommerce, as it will give the frontend client full control over WooCommerce, so anyone who opens devtools and checks the secret and key can call WooCommerce on sensitive endpoints I didn't intend it for.
There is a plugin called Public Woo API that solves some of this problem but doesn't work for all endpoints I need (most especially order). The only obvious solution I can think of is a way to remove authentication for some endpoints.
How do I even do that? I don't even know where to begin. Thanks.
New to WooCommerce, I develop a sale file app. I decide to use the WooCommerce REST API. I can show products
/wc-api/v2/products
I know how I can add to order
/wc-api/v2/orders
How can I add a product to the cart, check out, and connect to a bank gateway?
The cart is part of a session and is saved in the MySQL table wp_woocommerce_sessions. This table is accessed using a WC_Session_Handler object. AFAIK the WooCommerce REST API does not provide access to WC_Session_Handler objects.
I don't understand exactly what you are trying to do but if you want to access the cart through the REST API I think you will need to implement your own REST controller for the wp_woocommerce_sessions table. This isn't that difficult to do as you can modify one of the existing WooCommerce REST controllers to work with WC_Session_Handler objects to access the wp_woocommerce_sessions table.
But beware: a WooCommerce session is bound to a browser session through cookies and you need to handle that binding.
Please help me understand the purpose of the WooCommerce REST API wrapper.
Since we can access the WooCommerce REST API directly by calling endpoints from a front-end framework like React/Angular, what's the purpose of the different WooCommerce REST API wrappers, like for Python, Node.js, PHP?
The purpose is providing a supported way (by the WooCommerce team) for servers/apps in those languages to interact with the WooCommerce store.
Examples:
Aliexpress web scraper in python to collect the latest products and publish them to your woocommerce store.
Node.js bitcoin client to track bitcoin blockchain for payments received on store address and update orders accordingly.
Integrate your POS in Java to the woocommerce store.
I hope this explains a little bit.
;-)
I am building a webshop with React, Wordpress v4 and Woocommerce Rest api v2.
I am a bit confused on how to proceed with authentication. I understand that for some requests like place an order or create a new product I need to authenticate.
But I also need to be able to just retrieve all products for a customer who visits the site for the first time and just wants to browse through all our products.
What is the best practice here?
My thoughts are:
Create a public, separate layer with PHP or Node which securely stores the Woocommerce API keys and provides public endpoints (only GET, i.e. GET /products)
Access those endpoints via JS/React and render the products
Create another separate layer for placing orders which requires the customer to authenticate (i.e. POST /orders)
Also, instead of adding a separate layer I could use the Wordpress function add_action( 'rest_api_init',...
Is there a better way to do it or am I missing something? Or can I retrieve the Woocommerce Products somehow via the Wordpress API endpoints without api keys?
Okay, somehow I was thinking the wrong way. As wordpress lists all products which were created in woocommerce as a regular Wordpress post with post-type product, I just have to make a request to the Wordpress API (NOT the Woocommerce API!), in my example:
http://laflor.wordpress.local/wp-json/wp/v2/product
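The separate layer sketched in the question above (which also fits the first question on this page) could look like the following. This is an added example, not code from any of the posts or from WooCommerce: a function a Node proxy would call per request, allowlisting read-only product routes and attaching the consumer key and secret server-side via HTTP Basic auth. The store URL, key values, route list and the name `planUpstreamRequest` are assumptions.

```javascript
// Added example: decides, server-side, which browser requests may reach WooCommerce.
// STORE_BASE, the credentials and the route list are placeholders, not values from the page.
const STORE_BASE = 'https://store.example/wp-json/wc/v2';
const CREDS = { key: 'ck_PLACEHOLDER', secret: 'cs_PLACEHOLDER' }; // read from server env in practice

// Only these method + path shapes are exposed; orders, customers, etc. never match.
const PUBLIC_ROUTES = [
  { method: 'GET', pattern: /^\/products$/ },
  { method: 'GET', pattern: /^\/products\/\d+$/ },
  { method: 'GET', pattern: /^\/products\/categories$/ },
];

// Query parameters a browser may set. Anything else (including a client-supplied
// consumer_key / consumer_secret) is dropped before the request goes upstream.
const ALLOWED_QUERY = new Set(['page', 'per_page', 'search', 'category']);

function planUpstreamRequest(method, rawUrl) {
  // Parse against a dummy origin so "../" segments are normalised before matching.
  const url = new URL(rawUrl, 'http://proxy.invalid');
  const route = PUBLIC_ROUTES.find(
    (r) => r.method === method.toUpperCase() && r.pattern.test(url.pathname)
  );
  if (!route) return { allowed: false, status: 403 };

  const query = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (ALLOWED_QUERY.has(name)) query.append(name, value);
  }
  const qs = query.toString();

  // Credentials are attached here, on the server; no client header is forwarded.
  const token = Buffer.from(`${CREDS.key}:${CREDS.secret}`).toString('base64');
  return {
    allowed: true,
    url: STORE_BASE + url.pathname + (qs ? `?${qs}` : ''),
    headers: { Authorization: `Basic ${token}`, Accept: 'application/json' },
  };
}
```

Create the key used here with Read permission only, so that a mistake in the route list still cannot write to the store.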
From my understanding of the regular WSO2 API Manager product I could create multiple synapse-configurations and register them as (global or api specific) sequences by placing them in the proper directory.
I would then utilize the Sequence configuration capabilites on the "Manage screen" to apply different sequences to the request and response payloads of the backend.
I read the documentation at https://docs.wso2.com/display/APICloud/Key+Concepts#KeyConcepts-Sequences as it is not possible to add more but I wanted to ask specifically.
Is it at all possible to do this type of manipulation in the current version of public API cloud?
I have talked with the relevant teams and this is how you can add a sequence in the API Cloud. Although I mentioned adding a sequence via the Gateway's carbon console (and said it was broken), the WSO2 API Manager product is not in a position to make it work (this is a known limitation). If I explain the reason in simple terms, to support it they will need to ship a lot of mediator UIs which will make the product similar to the WSO2 ESB. Following is what you can do.
Use WSO2 Developer Studio to create the sequence you want. https://docs.wso2.com/display/DVS371/Creating+ESB+Artifacts#CreatingESBArtifacts-Workingwithsequences
Go to API Gateway at https://gateway.api.cloud.wso2.com/carbon
You need to log in to the gateway. Username is email#tenantDomain. If your email is abc#gmail.com and the tenant domain (or the organisation key) is xyz, you need to give abc.gmail.com#xyz as the username (note the # in the email being replaced with a DOT). Go to "Manage" in the top level menu of API Cloud and you will be able to figure out your organisation key.
Go to Resources -> Browse menu and navigate to /_system/governance/apimgt/customsequences/ registry path. Upload your sequence to in, out or fault folders based on your requirement. This will be then available when you create APIs via the API Publisher.
Yes, it is possible. You have to follow the below steps.
Go to API Gateway at https://gateway.api.cloud.wso2.com/carbon
You need to log in to the gateway. Username is email#tenantDomain. If your email is abc#gmail.com and the tenant domain (or the organisation key) is xyz, you need to give abc.gmail.com#xyz as the username (note the # in the email being replaced with a DOT). Go to "Manage" in the top level menu of API Cloud and you will be able to figure out your organisation key.
After login, you can go to the sequence menu and add a sequence. I tried these steps just now and realised there is a broken page at add sequence. We are in the process of fixing it. Will keep you updated.
The difference between API Cloud and the API Manager standalone version is that you have to store the sequence in the registry for it to be available at the API Publishing time.
We'll be adding a doc on this at the following location soon.
https://docs.wso2.com/display/APICloud/About+WSO2+API+Cloud#AboutWSO2APICloud-CommonAPICloudusecases