Get data from Woocommerce via server api

d.healey

@Christoph-Hart said in Get data from Woocommerce via server api:

Not sure if I understand this particular authentication system, but isn't the token supposed to be generated as a session cookie?

1. User logs in with credentials (email & password)
2. Server returns a token when the login succeeds (might return a cached token if the requests are within a certain time).
3. User uses this token for each subsequent URL request as proof of authentication (most likely in the header).

Yes, but it doesn't need to be saved as a cookie, you can just save it in a variable and pass it in the header with each request. I have this working now in HISE. The problem was a server configuration issue, HISE is fine :)

@orange said in Get data from Woocommerce via server api:

But maybe there is a better idea?

Probably no harm in generating one for each request, unless you think the user is going to be making lots of requests. I'll probably store mine in a file that will expire each day.

orange

@d-healey said in Get data from Woocommerce via server api:

Probably no harm in generating one for each request, unless you think the user is going to be making lots of requests. I'll probably store mine in a file that will expire each day.

Which method can be used for each day expiration?

d.healey

@orange You can add a timestamp inside your encrypted file and compare it to the current time when you read the file.

d.healey

Ooo fancy stuff in the latest commit...

downloads are persistent when recompiling

What does this mean?

Christoph Hart

The Server class was owned by the scripting engine so when you recompile it will create a new server class and all downloads are gone. This was bad and now the server class has the same lifetime as the plugin itself.

d.healey

@Christoph-Hart Excellent!

d.healey

@Christoph-Hart Compile errors unfortunately

../../../../../HISE/hi_components/floating_layout/FloatingTileFactoryMethods.cpp:358:43: error: ‘web’ is not a member of ‘MainToolbarIcons’
   path.loadPathFromData(MainToolbarIcons::web, sizeof(MainToolbarIcons::web));
                                           ^~~
../../../../../HISE/hi_components/floating_layout/FloatingTileFactoryMethods.cpp:358:73: error: ‘web’ is not a member of ‘MainToolbarIcons’
   path.loadPathFromData(MainToolbarIcons::web, sizeof(MainToolbarIcons::web));

Christoph Hart

Ah yes I forgot to commit this file. You can just comment these lines out, it shouldn't affect anything.

d.healey

@Christoph-Hart Yep that worked. This server controller looks useful. Going to play around with it now.

d.healey

@orange Have you had any luck getting user order data through JWT authorization? WooCommerce seems to block any user that isn't an admin.

I think we may be forced to use the consumer/secret key thingy!

orange

@d-healey said in Get data from Woocommerce via server api:

@orange Have you had any luck getting user order data through JWT authorization? WooCommerce seems to block any user that isn't an admin.

Not yet, I tried lot's of thing but interestingly my server doesn't allow http header auth...

I think we may be forced to use the consumer/secret key thingy!

Yes it seems like that then. By the way don't forget to delete Server.setHttpHeader, because in this case woocommerce is blocking.

d.healey

@orange So how do we do it securely? Embedding keys in the binary seems risky. I'm also going to see if making custom endpoints will work.

orange

@d-healey said in Get data from Woocommerce via server api:

@orange So how do we do it securely? Embedding keys in the binary seems risky. I'm also going to see if making custom endpoints will work.

If you won't create customers, create orders...etc with Woocommece API, you can give Read only permissions to the keys. So the keys can only be used for getting data. yes it is risky too but at least not on the website compromise level.

orange

I guess Application Passwords Plugin is the alternative to JWT Authentication Plugin. Some people says it is much more easy to use, maybe this method won't be blocked.

orange

By the way, you didn't try to get data with JWT header auth from Woocommerce REST API right?
JWT can be used for Wordpress REST API only.
And since every customer is a user at the same time, I think with Wordpress API you should get the user (customer) data.

d.healey

@orange I tried with both WooCommerce and Wordpress. JWT can be used with WooCommerce endpoints, but they block every user without admin rights. I can't see a way to get customer order details from the Wordpress API.

Christoph Hart

Have you tried this:

https://wordpress.stackexchange.com/questions/329560/jwt-on-woocommerce-cannot-work-with-customer-role-user

d.healey

Sorry Christoph, somehow I missed your reply. Giving extra priviliages to the user didn't work for me, and seems like a hack anyway.

@orange I have found the solution, make your own API with custom endpoints. It's actually not too difficult, I found some good information on the wordpress website and YouTube.

Here is a custom plugin I just made that will get all of the downloadable file data for all of the customer's completed orders. It checks that the current user (via JWT for example) has the role of customer, I'll add more security later to make sure they have permission to download specific files etc. This is just a proof of concept and doesn't take arguments from HISE server calls yet.

<?php
/**
 * Plugin Name: Custom API
 * Plugin URI: http://localhost/wordpress
 * Description: Custom REST API endpoints
 * Version: 1.0
 * Author: David Healey
*/

function my_orders() {

	$args = [
		'status' => 'wc-completed',
		'customer' => 'customer@example.com'
	];

	$orders = wc_get_orders($args);

	$data = [];

	foreach ($orders as $i => $order) {
	
		$items = $order->get_items();
				
		$data[$i] = [];
		
		foreach($items as $j => $item) {
			$data[$i][$j] = $item->get_item_downloads();
		}
	}

	return $data;
}

add_action('rest_api_init', function() {
	register_rest_route('my/v1', 'orders', [
        'methods' => 'GET',
		'callback' => 'my_orders',
    	'permission_callback' => function () {
		     return wc_current_user_has_role( 'customer' );
    	}
    ]);
});	

The API documentation was tricky to find, every Google search lead to the REST API instead of the plugin API. If you need it here it is - https://developer.woocommerce.com/

orange

@d-healey Thank you for the info. I'll check that out!

orange

I was struggling with HTTP JWT token authentication for API requests. I edited .htaccess and wp-config files. Taking tokens was fine but http header authentication still was not working.

I've found the real cause that is Wordfence Security plugin for Wordpress. The Firewall was blocking the API requests.

So, I disabled Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps option in Firewall Options of Wordfence, and then the issue is solved.