    Get data from Woocommerce via server api

    • orangeO
      orange @d.healey
      last edited by

      @d-healey said in Get data from Woocommerce via server api:

      But I can't use this because the secret key will not be secret.

      Do you think it can be retrieved by the hackers? :)

      develop Branch / XCode 13.1
      macOS Monterey / M1 Max

      • d.healeyD
        d.healey @orange
        last edited by

        @orange Yes, my project is open source.

        Libre Wave - Freedom respecting instruments and effects
        My Patreon - HISE tutorials
        YouTube Channel - Public HISE tutorials

        • orangeO
          orange @d.healey
          last edited by

          @d-healey Now I am trying to use the token in the header but I couldn't get it to work either. There should be something missing...

          • d.healeyD
            d.healey @orange
            last edited by

            @orange Oo what format are you using for the header? I've tried these two

                Server.setHttpHeader("Authorization = Bearer " + token);
                Server.setHttpHeader("Authorization: Bearer " + token);
            

            • orangeO
              orange @d.healey
              last edited by

              @d-healey I used that one

                  Server.setHttpHeader("Authorization: Bearer " + token);
              
              

              I guess we are using the same plugin :)

              • d.healeyD
                d.healey @orange
                last edited by

                @orange I've installed a REST API log plugin

                {
                    "data": {
                        "code": "jwt_auth_no_auth_header",
                        "message": "Authorization header not found.",
                        "data": {
                            "status": 403
                        }
                    },
                    "headers": {
                        "Allow": "POST"
                    },
                    "status": 403
                }
                

                So the header isn't being set, I will keep digging.

                • d.healeyD
                  d.healey
                  last edited by d.healey

                  @Christoph-Hart Any ideas? What format should the header be?

                  • d.healeyD
                    d.healey
                    last edited by d.healey

                    The plot thickens...

                    Setting the content-type header, like this Content-Type: text/html works. Setting authorisation header like this Authorization: Bearer 123456 doesn't work.

                    I'm thinking it's something to do with my server configuration....

                    • d.healeyD
                      d.healey
                      last edited by d.healey

                      Finally got the damn thing working. I'm using an XAMPP test server.

                      These are the things I did:

                      Followed config settings here - https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/#description
                      Added SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 to apache config file: instructions here - https://stackoverflow.com/a/54729344/1901367
                      Also did what this guy said, don't know if it's necessary though - https://www.web-design-talk.co.uk/126/getting-htaccess-mod-rewrite-working-locally-with-xampp/

                      • orangeO
                        orange @d.healey
                        last edited by orange

                        @d-healey Oh yes, .htaccess file and wp-config file must be modified.

                        Is the customer purchase call working?
                        I am trying to get user info but the response is "Sorry, you are not allowed to list users." I think the same header issue is here too.

                        I am using a live server by the way.

                        var encryptionData;
                        Server.setBaseURL("https://website.com");
                        
                        inline function onGetInfo_ButtonControl(component, value)
                        {
                           if(value)
                              {
                                 local LockerPW = "987654321";
                                    
                                 local FileDirectory = FileSystem.getFolder(FileSystem.UserPresets).getParentDirectory();
                                 encryptionData = FileDirectory.getChildFile("credentials.dat").loadEncryptedObject(LockerPW);
                                          
                                 Server.setHttpHeader("Authorization: Bearer " + encryptionData.token);
                                    
                                 Server.callWithGET("wp-json/wp/v2/users", encryptionData.user_email, function(status, response)
                                 {
                                    local serv_resp = trace(response);
                                   
                                    Console.print("server response: " + serv_resp);
                                 });
                                
                              }      
                        };
                        Content.getComponent("GetInfo_Button").setControlCallback(onGetInfo_ButtonControl);
                        

                        • d.healeyD
                          d.healey
                          last edited by

                          Yes I modified htaccess but it didn't work on my testing server - xampp. I had to do the extra steps I put in my last post.

                          • Christoph HartC
                            Christoph Hart
                            last edited by

                            Not sure if I understand this particular authentication system, but isn't the token supposed to be generated as a session cookie?

                            1. User logs in with credentials (email & password)
                            2. Server returns a token when the login succeeds (might return a cached token if the requests are within a certain time).
                            3. User uses this token for each subsequent URL request as proof of authentication (most likely in the header).
                            • orangeO
                              orange @Christoph Hart
                              last edited by

                              @Christoph-Hart Yes token system is supposed to be generated as a session cookie.

                              Wordpress REST API can use this token system (JWT Auth)
                              Woocommerce REST API only uses OAuth system (consumer key and consumer secret codes method)

                              Do you think consumer key and consumer secret codes can be compromised by hackers on a compiled plugin?

                              • orangeO
                                orange @d.healey
                                last edited by

                                @d-healey said in Get data from Woocommerce via server api:

                                Yes I modified htaccess but it didn't work on my testing server - xampp. I had to do the extra steps I put in my last post.

                                I applied those steps but my server system doesn't accept HTTP header authentication. Keep digging...

                                • LindonL
                                  Lindon @orange
                                  last edited by

                                  @orange said in Get data from Woocommerce via server api:

                                  @Christoph-Hart Yes token system is supposed to be generated as a session cookie.

                                  Wordpress REST API can use this token system (JWT Auth)
                                  Woocommerce REST API only uses OAuth system (consumer key and consumer secret codes method)

                                  Do you think consumer key and consumer secret codes can be compromised by hackers on a compiled plugin?

                                  isn't

                                  consumer key = user ID/email address
                                  consumer secret code = password

                                  ?

                                  HISE Development for hire.
                                  www.channelrobot.com

                                  • orangeO
                                    orange @Lindon
                                    last edited by orange

                                    @Lindon said in Get data from Woocommerce via server api:

                                    @orange said in Get data from Woocommerce via server api:

                                    @Christoph-Hart Yes token system is supposed to be generated as a session cookie.

                                    Wordpress REST API can use this token system (JWT Auth)
                                    Woocommerce REST API only uses OAuth system (consumer key and consumer secret codes method)

                                    Do you think consumer key and consumer secret codes can be compromised by hackers on a compiled plugin?

                                    isn't

                                    consumer key = user ID/email address
                                    consumer secret code = password

                                    ?

                                    WooCommerce doesn't allow using its REST API directly with usernames and passwords for authentication. These two codes are generated within Woocommerce > Settings > Advanced > REST API > Add Key menu.

                                    So your app will use these codes to use Woo REST API. You can give permissions Read, Write or both depending on your needs.

                                    WooCommerce REST API Documentation - WP REST API v3 (woocommerce.github.io)

                                    • Christoph HartC
                                      Christoph Hart
                                      last edited by

                                      @orange said in Get data from Woocommerce via server api:

                                      Yes token system is supposed to be generated as a session cookie.

                                      Then why do you save it in a file?

                                      Do you think consumer key and consumer secret codes can be compromised by hackers on a compiled plugin?

                                      Anything can be compromised. Things that are embedded in the plugin (RSA keys, static passwords in a script) can be extracted more easily than dynamic data that comes from the server (eg. these tokens), but then both things might be trivially easy for anybody with a good knowledge of reverse-debugging.

                                      • orangeO
                                        orange @Christoph Hart
                                        last edited by orange

                                        @Christoph-Hart said in Get data from Woocommerce via server api:

                                        @orange said in Get data from Woocommerce via server api:

                                        Yes token system is supposed to be generated as a session cookie.

                                        Then why do you save it in a file?

                                        I just wanted to decrease server access, did it for multi instance uses especially. Also I didn't want to store password directly.
                                        For example checking it once a day?
                                        If the token is expired, it will pick a new one by the way.

                                        But maybe there is a better idea?

                                        • d.healeyD
                                          d.healey @Christoph Hart
                                          last edited by d.healey

                                          @Christoph-Hart said in Get data from Woocommerce via server api:

                                          Not sure if I understand this particular authentication system, but isn't the token supposed to be generated as a session cookie?

                                          1. User logs in with credentials (email & password)
                                          2. Server returns a token when the login succeeds (might return a cached token if the requests are within a certain time).
                                          3. User uses this token for each subsequent URL request as proof of authentication (most likely in the header).

                                          Yes, but it doesn't need to be saved as a cookie, you can just save it in a variable and pass it in the header with each request. I have this working now in HISE. The problem was a server configuration issue, HISE is fine :)

                                          @orange said in Get data from Woocommerce via server api:

                                          But maybe there is a better idea?

                                          Probably no harm in generating one for each request, unless you think the user is going to be making lots of requests. I'll probably store mine in a file that will expire each day.

                                          • orangeO
                                            orange @d.healey
                                            last edited by

                                            @d-healey said in Get data from Woocommerce via server api:

                                            Probably no harm in generating one for each request, unless you think the user is going to be making lots of requests. I'll probably store mine in a file that will expire each day.

                                            Which method can be used for each day expiration?

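One way to handle the daily expiry discussed in the last posts, as an added example that is not part of the thread: it is plain JavaScript for Node.js rather than HISE script, and the cache entry shape `{ token, savedAt }`, the function names and the 60-second skew are assumptions. It reads the standard `exp` claim from the cached JWT without verifying it and applies a one-day cap on top, so a new login happens at whichever limit comes first.

```javascript
// Added example in plain JavaScript (Node.js); HISE script would need its own
// Base64 and file helpers. The cache entry shape { token, savedAt } is hypothetical.
const DAY_SECONDS = 24 * 60 * 60;
const SKEW_SECONDS = 60; // refresh slightly early to absorb clock drift

// Decode the payload (middle segment) of a JWT without verifying the signature.
// The client should not hold the signing secret, so this is only a scheduling
// hint: the server still decides whether the token is accepted.
function decodeJwtPayload(token) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
    const payload = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return payload !== null && typeof payload === "object" ? payload : null;
  } catch (err) {
    return null; // payload is not JSON: treat the token as unusable
  }
}

// Decide whether a cached token can be sent again or a fresh login is needed.
function tokenCacheDecision(entry, nowSeconds) {
  if (!entry || typeof entry.savedAt !== "number") return "no-cache";
  const payload = decodeJwtPayload(entry.token);
  if (!payload || typeof payload.exp !== "number") return "malformed";
  const age = nowSeconds - entry.savedAt;
  if (age < 0 || age >= DAY_SECONDS) return "stale-cache"; // the daily expiry from the thread
  if (nowSeconds + SKEW_SECONDS >= payload.exp) return "expired"; // server-side lifetime
  return "reuse";
}

// Constructed sample token (unsigned, for demonstration only).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "HS256", typ: "JWT" }) + "." + enc(claims) + ".constructed-signature";
}

const now = 1700000000; // constructed timestamp
const sample = { token: makeSampleToken({ exp: now + 7 * DAY_SECONDS }), savedAt: now - 3600 };
console.log(tokenCacheDecision(sample, now)); // → "reuse"
```

Any result other than "reuse" means the cached file should be discarded and the login request repeated; a 403 from the server should trigger the same path regardless of what the local check said.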