I'm using Wordpress + WooCommerce in combination with the WP-API as a backend for my mobile ecommerce App.
My goal is to offer some social login (via Facebook, Twitter, Google etc.) within the app to register/login and then use the WooCommerce API to receive e.g. all the orders of that authenticated user.
Currently my plan is:
Use some client SDK so that the user e.g. can login using his FB account
From step 1 I get e.g. the users name, email and FB ID which is sent to a custom endpoint for adding the user to the Wordpress DB (like https://github.com/royboy789/wp-api-social-login)
Create a custom endpoint for orders with WP-API (e.g.: .../orders)
Inside the endpoint function check wether the user is authenticated
If user is authenticated, the endpoint returns the user's orders using a WooCommerce API wrapper
(https://github.com/kloon/WooCommerce-REST-API-Client-Library)
But I'm struggling at #3 because I don't really know how to check wether the user is authenticated.
I thought about creating another endpoint that will contact the OAuth authorization server to check the user’s credentials using e.g. Facebook's access token. And if the check is valid, I would create a custom Access Token for my API using some hashing of the userID, email etc. which is sent back to the client app. Then this Access Token is used for every call to my API which then reads out the User ID from the hashed token and returns e.g. all the orders for this User.
But somehow this feels just not right. Especially because this way I'd create an endless living Access Token...
Once you have done #2, the HTTP response from WP will include the auth cookie: see https://github.com/royboy789/wp-api-social-login/blob/master/inc/social-routes.php#L31 in the sample pointed to by the question.
Not sure what HTTP library you are using in the app but if you save the cookies received in the response and just reuse them in all subsequent requests to the server then authentication should be taken care of: you won't need an extra check/access point, as the login/registration automatically logs the user in, and the standard WP cookie checks take care of the verification on new requests.
Related
I am just starting out with using the WP REST API.
For authentication, I use JSON Web Tokens.
The only question I have is how I can give users the possibility to register by themselves, since registering a user also requires an authentication key.
Since the user has not yet logged in, this key cannot yet be retrieved.
I came up with the following two options, but cannot figure out how to do either of them.
The application itself has an authorization key with which the request can be made.
Disabling authentication requirement for user creation.
If I'm looking at this in the wrong way, any answers are welcome!
Thanks!
If your application is a web page then the easiest is to do this separately from the WordPress REST API. WordPress has a web page http://aaa.bbb.ccc/wp-login.php?action=register that allows you to register new users. To enable this web page check the Dashboard -> Settings -> General -> Membership -> 'Anyone can register' option.
If your application is a mobile app then your mobile can just sent the same HTTP request that http://aaa.bbb.ccc/wp-login.php?action=register sends. I.E. a POST request with query parameter action=register with POST parameters user_email, user_login, wp-submit=Register.
If you really insists on doing this using the REST API I think the following will work. (Disclaimer: I have not actually implemented this.)
You will need to override the WordPress REST authentication. First create a new role with the capability 'create_users'. Second create a user with this role. Create a nonce that specifies that a new user is to be registered. When your app returns this nonce and the user credentials to the http://aaa.bbb.ccc/wp-json/wp/v2/users endpoint you should override the WordPress authentication to set the current user to the user you created with the role 'create_users'.
There is an app that wants to authenticate with my users using oAuth2.
So they open a window, with the authorize URL, and parameters (such as redirect uri)
Like: https://my-website.com/api/authLauncherauthorize?redirect=SOME_URI
Now I have my own firebase-login, and when the user logs in, I get their access token from firebase. Which is what I want to respond with.
However, in oAuth2 guides/explanations like https://aaronparecki.com/oauth-2-simplified/ I see I am supposed to return an authorization code, and I don't understand where can I get that from?
What I can do, is generate a bullshit code, pair it in the DB to the access token, and then in the "token" request, send the correct access token. Is that what I am supposed to do?
Just to be clear, this is my first time writing an oAuth2 service myself.
OAuth is a system that provides authenticated access to resources. This resource can be for example a user page or editing rights to that user page. So your goal is to provide access to permissions to the right people.
When someone logs in, they get a token. Your part is to generate that token however you want, may it be some form of userdata into base64 or completely random. Take this token and link it against permissions, like viewing a page, editing it or even simpler things like viewing the email of a user.
OAuth2 tokens and/or permissions should be revokable without deleting a user. You should not use OAuth2 to identify someone.
If I am understanding your question correctly:
User visits some website
User wants to register or login using your websites OAuth2
You redirect back to the original page and send your generated token
The page can access content on your site with this token
Assuming you are the Host Site, given a User who wants to connect a 3rd party application, then the flow would be like this:
User lands on site - Clicks Login with Github
User is redirected to Github site where they login and click "Authorize"
Github redirects user back to your site /authorize with an auth token.
Your site then passes that token back to the 3rd party API (github in this case) in exchange for an access token and refresh token.
You can then pass that Authorization token to an API endpoint to get details about it. If the token expires, you can use the refresh token to get a new Auth token. Both Tokens should be stored in your database for your user.
However writing that all out I realize you are asking how do you generate the Authorization token, so I'm guessing you're actually the 3rd party API in this example. So you would want to generate an Authorization token using a random generator. Since you are using firebase, you'll probably wanna try out their token generator: https://github.com/firebase/firebase-token-generator-node
There's also some more up-to-date info here I believe: https://firebase.google.com/docs/auth/admin/#create_a_custom_token
And like you said, you would store that in a database associated with the user, and then when the Host Site sends that user's auth token to your server, you exchange it for the Authorization token (and refresh token if requested).
It's also worth reading through how google does it, because you'd be doing something similar: https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken
JWT is another option of generating tokens: https://jwt.io/
We have a custom app hosted in Firebase (Google's Backend as a service). We would like to use Shopify's authentication so the user doesn't have to create an account in the app as well as the Shopify store (where we require accounts).
The key: I need to have some mechanism (like an API) that I can use to have Shopify authenticate a user. (Assume the customer has already created an account in the Shopify store. Account creation will be handled by the normal Shopify process.)
I can create a page in my app to ask for email / pass. Is there some way to send this info (perhaps along with some sort of token generated from a private app) to authenticate the customer? I just need Shopify to confirm whether the email / pass is correct, so I can then 'login' the user into my Firebase app.
Any direction / thoughts / suggestions are greatly appreciated.
PS. Firebase offers a 'custom authentication' option, along with email, Google+, Facebook. The custom auth option requires sending user / pass to the authentication server, which in this case, would be Shopify.
EDIT: Based on the responses, edited to clarify that I need some way to authenticate the user in Shopify. Handling the custom auth into Firebase seems like a fairly straightforward task, once I receive some sort of signal from Shopify telling me the users email / pass is valid.
This is a classic use case for custom Auth with Firebase. You send email/pass to your backend, authenticate with shopify, on success create a custom token with the user's id (most likely using shopify's user id), send it back to the client which would signInWithCustomToken signing in to Firebase.
Customer logs in to Shopify
Logged in Customer has an ID
Use App Proxy in your App to accept this ID using a secure callback
Use the Shopify API to look up the customer with the secure ID
If customer is found, they are then authentic and can use your App
Why is that not a useful and simple pattern for you to use?
You should take a look to Shopify MultiPass. Although, you need Shopify Plus that is very expensive.
I am creating a mobile app for a WooCommerce website and have gotten to a stage where I want the user to login or signup to the WooCommerce website before they continue with a purchase.
I can create a new customer no problem but I am having trouble when trying to authenticate an existing customer. After looking at the rest api docs for WooCommerce, I haven't come across any endpoint that will allow an existing user to log in to their account. Is there any endpoint that will allow me to do this that isn't documented?
There might be other ways but what comes to my mind immediately is to use JWT Authentication for WP REST API plugin.
Using this plugin you can request for authentication on the server using the username and password. It will return a token if successful. Then use the token for checking if this user/customer is valid. If valid, use wc api to create an order for this customer.
I am creating a mobile app for a WooCommerce website and have gotten to a stage where I want the user to login or signup to the WooCommerce website before they continue with a purchase.
I can create a new customer no problem but I am having trouble when trying to authenticate an existing customer. After looking at the rest api docs for WooCommerce, I haven't come across any endpoint that will allow an existing user to log in to their account. Is there any endpoint that will allow me to do this that isn't documented?
There might be other ways but what comes to my mind immediately is to use JWT Authentication for WP REST API plugin.
Using this plugin you can request for authentication on the server using the username and password. It will return a token if successful. Then use the token for checking if this user/customer is valid. If valid, use wc api to create an order for this customer.