Get data from Woocommerce via server api
-
I'm just getting my feet wet with Server calls to Woocommerce. Using JWT for secure authentication.
Apparently, WC API blocks requests from anyone who isn't an Admin to help secure webstore sensitive data. This is slightly annoying because a customer should be able to have access to their own account (products and downloads) once they are authenticated.
I found a function posted on JWT github that filters users and gives them read-only access to their own data, but I'm unsure where to implement the code.
https://github.com/conversionxl/customer-service-dashboard/issues/3/** * Add custom permissions to the WooCommerce REST API. */ function filter_woocommerce_rest_check_permissions($permission, $context, $object_id, $post_type) { $user = wp_get_current_user(); $roles = (array) $user->roles; // Allow the customer service role. if (in_array("customer_service", $roles)) { // Only allow read. if ($context === "read") { return true; } } return $permission; }; add_filter('woocommerce_rest_check_permissions', 'filter_woocommerce_rest_check_permissions', 10, 4);
Any wordpress / woo gurus around with some insight?
-
@dustbro not a guru, but I think this goes into your theme's function.php
-
@dustbro I think you can use this code with a Code Snippet Wordpress plugin. So even if you update your wordpress theme, this function will be executed.
But if you use Woocommerce License Manager plugin, you won't need these Woocommerce REST API calls. Why do you need to use it?
-
@orange I'm making a downloader and the Woocommerce License Manager plugin doesn't contain customer_id or download_url.
Those are only accessible via /wp-json/wc/v3/customers/<id> -
@dustbro I avoided the REST API entirely and created a custom wordpress plugin, this gives complete flexibility to pull from Wordpress, WooCommerce, and the license manager plugin I'm using (different one to Orange). The one you guys are using is great if you can access everything through REST but if you need more control you have to look elsewhere because it lacks an internal API.
-
@d-healey said in Get data from Woocommerce via server api:
created a custom wordpress plugin
That's my next step if this simple filter function doesn't work.
-
@dustbro It's really quite easy. The wordpress docs and YouTube will get you up and running pretty quickly. PHP is a little different from JS but if you know a function in JS that you want to use you can search for an equivalent PHP function and there usually is one.
-
@d-healey said in Get data from Woocommerce via server api:
@dustbro I avoided the REST API entirely and created a custom wordpress plugin, this gives complete flexibility to pull from Wordpress, WooCommerce, and the license manager plugin I'm using (different one to Orange). The one you guys are using is great if you can access everything through REST but if you need more control you have to look elsewhere because it lacks an internal API.
I'm on the edge of making a plugin too. My goal would be to create the license file onto the server and download it instead of making it in locally. For this, I'll need to access the user details and licenses that are in the license manager. So I imagine this is where having an internal API is necessary?
I don't know yet if it's viable but I'm trying to gather the information first... -
@ustk said in Get data from Woocommerce via server api:
download it instead of making it in locally
Why? That just seems like it will put more strain on your server.
-
@d-healey Yeah I see that issue, but I'm trying to figure out a better protection system. I know creating the license not on the computer is a part of the solution because this is what some are doing. Although I'm aware I might not be skilled enough to get it to work as efficiently :) Just exploring for now...
-
@ustk said in Get data from Woocommerce via server api:
this is what some are doing
Everyone gets cracked, don't follow the herd, try something different.
As far as doing things on the server vs doing things locally it probably doesn't make any difference. At some point your app is going to have an if statement that checks if the license is valid. This is the weak link that cannot be avoided.
-
@d-healey Yeah I know that but some people are not cracked and this is where they advise beginning... because at least you "only" have to obfuscate the license reading process, not the creation process. But obfuscation is very tricky and hard. This is a long road, but the if statement can be hard to find if done properly... I've just learnt it can, not how though...
-
My goal would be to create the license file onto the server and download it instead of making it in locally.
Use this PHP snippet a random guy posted on the JUCE forum:
https://forum.juce.com/t/create-tracktion-marketplace-key-file-via-php/13816/6
Then use the new ScriptUnlocker class in the plugin. This gives you the most robust copy protection system before going iLok (lol) with system identification and randomly distributed copy protection checks across the entire codebase - we've been using this system with PercX and Hexeract and it works great (except for that major Windows updates will mess up the machine ID so you will need to address that issue in some way that matches your security guidelines).
I know creating the license not on the computer is a part of the solution
Yes that is true. If you create the license on the server, you can use a private key for the creation that is not part of the plugin so unless a cracker replaces the embedded public key in your plugin with a rogue one and duplicates the server logic to create fake licenses you're safe (and that's a rather complicated procedure).
-
@dustbro said in Get data from Woocommerce via server api:
@orange I'm making a downloader and the Woocommerce License Manager plugin doesn't contain customer_id or download_url.
Those are only accessible via /wp-json/wc/v3/customers/<id>Will it download only? Or installer at the same time? I think only downloading the installer files might be confusing for the user because when the download is done, he might think the installation is done. So that means more support tickets :)
@d-healey said in Get data from Woocommerce via server api:
@dustbro I avoided the REST API entirely and created a custom wordpress plugin, this gives complete flexibility to pull from Wordpress, WooCommerce, and the license manager plugin I'm using (different one to Orange). The one you guys are using is great if you can access everything through REST but if you need more control you have to look elsewhere because it lacks an internal API.
I agree with David for not using the native Woocommerce REST API because of the security issues. But for building a custom WordPress plugin, I think it is not necessary.
Just thinking, what if we make a .JSON file that has all of the download links, product images, product versions...etc. And GET it? Will it be a security hole? So in this way, you won't need Woocommerce REST API calls, and also customer_id too.
-
@christoph-hart Oh great! I remember you mentioned the ScriptUnlocker already, I have to dig this...
Yeah, public/private key is, well, the key to success :) -
@orange said in Get data from Woocommerce via server api:
what if we make a .JSON file
I'm trying to avoid manual file creation cause I'm lazy :beaming_face_with_smiling_eyes:
I have a prototype that works with my Admin account that populates a panel with available downloads for each product. -
@orange said in Get data from Woocommerce via server api:
Just thinking, what if we make a .JSON file that has all of the download links, product images, product versions...etc
But if you want to customise any of that data or perform server side operations on it the REST API can't help you. This was my main problem with using REST and why I went with a custom plugin.
-
@orange @d-healey Would you guys be able to help me with a PHP example involving jwt?
I'm not well versed in PHP so I've been going over the tutorial at https://www.w3schools.com/php/ all day. I'm successfully using HISE to communicate with woo license manager endpoints like @orange so hopefully it's helpful that I'm not starting from the ground up.Using postman.co, I can POST to my wordpress JWT endpoint (/wp-json/jwt-auth/v1/token) and get a response:
{ "token": "xxxxxAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.xxxxxxodHRwczpcL1wvd29yZHByZXNzLmtvcm5lZmYuY28iLCJpYXQiOjE2NTEwMDI5NjIsIm5iZiI6MTY1MTAwMjk2MiwiZXhwIjoxNjUxNjA3NzYyLCJkYXRhIjp7InVzZXIiOnsiaWQiOiIxIn19fQ.xxxxxxPb9vASKhLm5Vgp0zxS2acm-JgM9aJOvDf0Q", "user_email": "xxxxxxxxxxx@xxxxx.xx", "user_nicename": "dankorneff", "user_display_name": "dankorneff" }
What is the proper way to make a POST call in PHP and store/use this token in the http header?
-
@dustbro
What is the proper way to make a POST call in PHP
You don't. The call is made from the client (HISE in our case) and is processed by the server.
If you're making the call from HISE you need to use
Server.setHttpHeader(["Authorization: Bearer " + token]);
before you make the call. Then you use eitherServer.callWithGET()
orServer.callWithPOST()
as needed; -
@dustbro said in Get data from Woocommerce via server api:
What is the proper way to make a POST call in PHP and store/use this token in the http header?
I haven't done this in PHP yet. Why do you need that?