How do I make certain endpoints of the WooCommerce REST API authless? - wordpress

The WooCommerce REST API requires authentication through a consumer key and a consumer secret to access any of its endpoints. I'm currently building a store frontend using Nuxt.js and Vue, and I really want to use the WooCommerce API as a backend RESTful API to power my store (get products, categories and the like).
Unfortunately I can't simply pass the consumer key and secret through my frontend to access WooCommerce, as it would give the frontend client full control over WooCommerce, so anyone who opens devtools and checks the secret and key could call WooCommerce on sensitive endpoints I didn't intend it for.
There is a plugin called Public Woo API that solves some of this problem, but it doesn't work for all the endpoints I need (most especially orders). The only obvious solution I can think of is a way to remove authentication for some endpoints.
How do I even do that? I don't even know where to begin. Thanks.
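One way to get what the question asks for without shipping the consumer key and secret to the browser is to open read access only for the catalogue object types and leave everything else (orders included) behind the normal REST authentication. The following mu-plugin is an added example, not code from the thread or from WooCommerce; it assumes the `woocommerce_rest_check_permissions` and `woocommerce_rest_product_object_query` hook names and arguments as they exist in WooCommerce 3.x and later, and the file name is arbitrary.

```php
<?php
/**
 * Plugin Name: Public read-only WooCommerce catalogue (added example)
 *
 * Opens ONLY read access to products, product categories and product tags
 * on the wc/v3 REST API for unauthenticated visitors. Orders, customers,
 * coupons and every write operation (create/edit/delete/batch) still require
 * normal WooCommerce REST authentication. Save as wp-content/mu-plugins/public-wc-catalogue.php.
 */

// Object types that WooCommerce passes as the 4th argument of the
// woocommerce_rest_check_permissions filter for the catalogue endpoints.
// 'shop_order' is deliberately absent: order data is customer PII and stays
// behind the consumer key/secret.
const PUBLIC_WC_READ_TYPES = array( 'product', 'product_cat', 'product_tag' );

/**
 * WooCommerce applies this filter inside wc_rest_check_post_permissions() and
 * wc_rest_check_product_term_permissions() with
 * ( $permission, $context, $object_id, $object_type ).
 */
function public_wc_read_only_permissions( $permission, $context, $object_id, $object_type ) {
	// Never widen anything that is not a plain read (create/edit/delete/batch).
	if ( 'read' !== $context || ! in_array( $object_type, PUBLIC_WC_READ_TYPES, true ) ) {
		return $permission;
	}
	// Single-item reads: drafts and private products stay hidden.
	if ( $object_id && 'product' === $object_type && 'publish' !== get_post_status( $object_id ) ) {
		return $permission;
	}
	return true;
}
add_filter( 'woocommerce_rest_check_permissions', 'public_wc_read_only_permissions', 10, 4 );

/**
 * List reads: the products collection defaults to status=any, which would let
 * an anonymous caller enumerate draft/private products once the permission
 * check passes. Force status=publish for anyone who is not logged in
 * (requests authenticated with a consumer key count as logged in).
 */
function public_wc_force_published_only( $args, $request ) {
	if ( ! is_user_logged_in() ) {
		$args['post_status'] = 'publish';
	}
	return $args;
}
add_filter( 'woocommerce_rest_product_object_query', 'public_wc_force_published_only', 10, 2 );
```

Variations use the object type `product_variation`, so they stay authenticated unless that type is added to the list; anything touching orders should instead go through server-side code that holds the credentials.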

Related

WooCommerce API key - How to store safely

What harm can someone do when they have the WooCommerce API key that is normally stored in WordPress itself? At the moment some endpoints in my front-end contain the WooCommerce API key.

Woocommerce Membership REST API check if user has a membership plan

I am developing a mobile app with a WordPress backend that was developed by someone else, and the person is unreachable. I have the usual WooCommerce membership plans built on the backend. The website works perfectly fine. The issue is this:
I checked the REST API endpoints through 'discovery' and found all the usual endpoints, but my issue is how I will test if the user has a membership plan via the REST API. I have already wasted a lot of time figuring out the solution.
/wc/v3/memberships lists all the endpoints
/wc/v3/memberships/plans/ lists all the plans
When I make a call to all these endpoints, it gives me all the users who have memberships.
My question is how I would know if the current logged-in user has purchased a membership; there is no such specific endpoint for it, plus the docs are not very specific. They are vague. Good enough for a beginner but not for production level.
This is the URL which I am referring to, which I got from the "official" WooCommerce Memberships website:
https://skyverge.github.io/woocommerce-memberships-rest-api-docs/#get-user-memberships
Use this endpoint:
GET http://example.com/wp-json/wc/v3/memberships/members/
Just replace with the current user ID. You can get the current user ID through this endpoint:
GET http://example.com/wp-json/wp/v2/users/me

How to safely use a REST API?

I am not a native speaker and can't think of a better title for this question. Feel free to edit it or suggest a better one.
I am trying to use WooCommerce's REST API to update an order status. Currently, when an order is paid via direct bank transfer, a Google Sheet is updated with the order ID and amount. I am trying to capture the order ID and update the corresponding order using the API. The simplest way I can think of is to execute something like myurl.com/myPHP.php?order_id=xxx when a new row is added to the Google Sheet. But the problem is, anyone can execute this PHP file and update the order status accidentally or maliciously. How do I avoid this? What is the proper way to use the REST API to update the order status?
WooCommerce has its REST API endpoints. The endpoint responsible for updating an order's data is protected: you cannot use it if you are not authenticated.
There are a few built-in auth methods in the WooCommerce REST API; you can learn more about them in the API reference:
https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication
In other words, if you don't provide the API credentials to users who might abuse your API, you'll be fine.
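The answer keeps the order endpoint behind credentials but does not show how the sheet-triggered script itself should be protected. The following is an added example, not code from the thread: a small PHP trigger that acts only on requests carrying an HMAC signature made with a shared secret, then performs the authenticated wc/v3 call server-side, so the consumer key and secret never reach the caller. The store URL, all credentials and the target status `processing` are placeholders/assumptions; it assumes PHP 7.1+ with the cURL extension and an HTTPS site.

```php
<?php
// Added example: a "mark order as paid" trigger for a Google Apps Script (or any
// job) that cannot be abused by whoever discovers the URL. Every call must carry
// an HMAC signature made with a shared secret; the WooCommerce consumer key and
// secret never leave the server. Assumed: PHP 7.1+, cURL, HTTPS; placeholders below.

const WC_STORE_URL          = 'https://example.com';      // placeholder
const WC_CONSUMER_KEY       = 'ck_PLACEHOLDER';           // placeholder, load from config
const WC_CONSUMER_SECRET    = 'cs_PLACEHOLDER';           // placeholder, load from config
const TRIGGER_SHARED_SECRET = 'PLACEHOLDER_long_random';  // known only to this script and the sheet

/** Check an HMAC-SHA256 over "timestamp.order_id"; requests older than 5 minutes are rejected. */
function verify_trigger_signature( int $order_id, int $timestamp, string $signature, ?int $now = null ): bool {
	$now = $now ?? time();
	if ( abs( $now - $timestamp ) > 300 ) {
		return false; // stale request or replay
	}
	$expected = hash_hmac( 'sha256', $timestamp . '.' . $order_id, TRIGGER_SHARED_SECRET );
	return hash_equals( $expected, $signature ); // constant-time comparison
}

/** Update the order server-side through the authenticated WooCommerce endpoint. */
function set_order_status( int $order_id, string $status ): array {
	$ch = curl_init( WC_STORE_URL . '/wp-json/wc/v3/orders/' . $order_id );
	curl_setopt_array( $ch, array(
		CURLOPT_CUSTOMREQUEST  => 'PUT',
		CURLOPT_POSTFIELDS     => json_encode( array( 'status' => $status ) ),
		CURLOPT_HTTPHEADER     => array( 'Content-Type: application/json' ),
		CURLOPT_USERPWD        => WC_CONSUMER_KEY . ':' . WC_CONSUMER_SECRET, // basic auth, HTTPS only
		CURLOPT_RETURNTRANSFER => true,
	) );
	$body = curl_exec( $ch );
	$code = (int) curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
	curl_close( $ch );
	return array( 'http_code' => $code, 'body' => json_decode( (string) $body, true ) );
}

// Entry point: POST with order_id, ts (unix seconds) and sig (hex HMAC) fields.
$order_id = (int) ( $_POST['order_id'] ?? 0 );
$ts       = (int) ( $_POST['ts'] ?? 0 );
$sig      = (string) ( $_POST['sig'] ?? '' );
if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || $order_id <= 0 || ! verify_trigger_signature( $order_id, $ts, $sig ) ) {
	http_response_code( 403 ); // wrong or missing signature: do nothing, reveal nothing
	exit;
}
$result = set_order_status( $order_id, 'processing' ); // status assumed for a paid bank transfer
http_response_code( 200 === $result['http_code'] ? 200 : 502 );
```

On the sheet side, the Apps Script computes `sig` with `Utilities.computeHmacSha256Signature` over the same `ts.order_id` string and secret, hex-encodes it, and posts the three fields with `UrlFetchApp`.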

In wso2 api cloud is it possible to add custom sequence for manipulating request and response to/from back end service

From my understanding of the regular WSO2 API Manager product, I could create multiple Synapse configurations and register them as (global or API-specific) sequences by placing them in the proper directory.
I would then utilize the sequence configuration capabilities on the "Manage" screen to apply different sequences to the request and response payloads of the backend.
I read the documentation at https://docs.wso2.com/display/APICloud/Key+Concepts#KeyConcepts-Sequences, and it seems it is not possible to add more, but I wanted to ask specifically.
Is it at all possible to do this type of manipulation in the current version of the public API Cloud?
I have talked with the relevant teams, and this is how you can add a sequence in the API Cloud. Although I mentioned adding a sequence via the Gateway's Carbon console (and said it was broken), the WSO2 API Manager product is not in a position to make it work (this is a known limitation). If I explain the reason in simple terms, to support it they would need to ship a lot of mediator UIs, which would make the product similar to the WSO2 ESB. Following is what you can do.
Use WSO2 Developer Studio to create the sequence you want: https://docs.wso2.com/display/DVS371/Creating+ESB+Artifacts#CreatingESBArtifacts-Workingwithsequences
Go to the API Gateway at https://gateway.api.cloud.wso2.com/carbon
You need to log in to the gateway. The username is email@tenantDomain. If your email is abc@gmail.com and your tenant domain (or organisation key) is xyz, you need to give abc.gmail.com@xyz as the username (note the @ in the email being replaced with a DOT). Go to "Manage" in the top-level menu of API Cloud and you will be able to figure out your organisation key.
Go to the Resources -> Browse menu and navigate to the /_system/governance/apimgt/customsequences/ registry path. Upload your sequence to the in, out or fault folder based on your requirement. It will then be available when you create APIs via the API Publisher.
Yes, it is possible. You have to follow the steps below.
Go to the API Gateway at https://gateway.api.cloud.wso2.com/carbon
You need to log in to the gateway. The username is email@tenantDomain. If your email is abc@gmail.com and your tenant domain (or organisation key) is xyz, you need to give abc.gmail.com@xyz as the username (note the @ in the email being replaced with a DOT). Go to "Manage" in the top-level menu of API Cloud and you will be able to figure out your organisation key.
After login, you can go to the sequence menu and add a sequence. I tried these steps just now and realised there is a broken page at "add sequence". We are in the process of fixing it. Will keep you updated.
The difference between API Cloud and the standalone API Manager version is that you have to store the sequence in the registry for it to be available at API publishing time.
We'll be adding a doc on this at the following location soon:
https://docs.wso2.com/display/APICloud/About+WSO2+API+Cloud#AboutWSO2APICloud-CommonAPICloudusecases

How to use foursquare public search api in a wordpress plugin to avoid exposing our key/secret

I'm adding location to my WordPress plugin and wanted to use the Foursquare public API. What I wanted to understand is how exactly that would work, since my plugin will be installed on various systems. As you can see, the user doesn't need to be authenticated, so I could provide in the plugin our own client_id and client_secret to make calls to the API, but that would expose them to the public, and some competitor could abuse that to break the rate limit. What's the best way to handle this? How does Instagram work, for example? I can use location search even if I'm not logged into Foursquare; how do they do this? My idea was to proxy the call to our API and make the call from our API by adding our client_id/secret, and have the user optionally insert his own, but is it really a bad idea hardcoding the id/secret in the plugin?
There is a way; each user of your plugin should get Foursquare API credentials separately and fill them in the settings of the plugin (dashboard) to activate it.
