Get data from Woocommerce via server api

d.healey

So I'm finally at the stage where I'm tinkering with the server API. I want to do something simple, I want my user to provide their login details to my plugin, I send them up to my server, and get back a list of the things they've bought from me.

I'm using the JWT Authentication plugin to get the initial authorization token, this works fine. But when I query a WooCommerce endpoint I get a 401. Everything I find online wants me to pass a public and secret REST API key to WooCommerce with my requests, but I'm building an open source plugin. How do I keep my secret key secret when anyone can view the source?

orange

@d-healey For example, to retrieve product info you can use below format. (with a button named "Get_Product_Info")

Server.setBaseURL("https://yourwebsite.com");

inline function onGet_Product_InfoControl(component, value)
{
  if(value)
      {

         Server.callWithGET("/wp-json/wc/v3/products/YourProductID?consumer_key=123456789&consumer_secret=123456789", "", function(status, response)         
         {          
            local v = trace(response);           
            Console.print("heres back from the server:" + v);        
         });        
      }
};


Content.getComponent("Get_Product_Info").setControlCallback(onGet_Product_InfoControl);

orange

For consumer key and consumer secret, go to Woocommerce > Settings > Advanced > REST API > Add Key

These keys will be your credentials for getting data.

https://woocommerce.github.io/woocommerce-rest-api-docs/?shell#authentication

d.healey

@orange Re-read my post :p Can't put secret key in an open source project and expect it to stay secret.

orange

@d-healey I understand, but the title says Woocommerce, not Wordpress

Let me explain, for username and password authentication JWTAuth method is a one way to use. It's ok. But for getting which customer bought which product:

• First choice, like you said in title, you can use Woocommerce REST API. And Woocommerce REST API doesn't use JWT Authentication. It uses it's own consumer key and consumer secret method (called OAuth).

• Second choice, if you want to use the token anyway, then you need to go with Wordpress REST API ;)

d.healey

@orange

In the WooCommerce docs it says

WooCommerce includes two ways to authenticate with the WP REST API. It is also possible to authenticate using any WP REST API authentication plugin or method.

So I thought that meant I could use the JWT to access WooCommerce endpoints too.

Second choice, if you want to use the token anyway, then you need to go with Wordpress REST API

Yes this is what I want, how can I get the WooCommerce orders using the token?

orange

@d-healey said in Get data from Woocommerce via server api:

Yes this is what I want, how can I get the WooCommerce orders using the token?

I haven't tried that, but you need to use the token in the header;
https://docs.hise.audio/scripting/scripting-api/server/index.html#sethttpheader

Actually I think you don't need this. Because if the username and password is correct, the system will provide the token. If not, it will give error. After checking the JWT Authentication, then you don't need to use the token, because there is an easier way with woocommerce REST API. But it is IMO.

d.healey

@orange

I haven't tried that, but you need to use the token in the header;

I've tried this but it doesn't seem to be working, however it doesn't seem to be working with regular wordpress endpoints either so I think I need to check that I@m using JWT correctly first.

there is an easier way with woocommerce REST API.

But I can't use this because the secret key will not be secret.

orange

@d-healey said in Get data from Woocommerce via server api:

But I can't use this because the secret key will not be secret.

Do you think it can be retrieved by the hackers? :)

d.healey

@orange Yes, my project is open source.

orange

@d-healey Now I am trying to use the token in header but I couldn't get it work too. There should be something missing...

d.healey

@orange Oo what format are you using for the header? I've tried these two

    Server.setHttpHeader("Authorization = Bearer " + token);
    Server.setHttpHeader("Authorization: Bearer " + token);

orange

@d-healey I used that one

    Server.setHttpHeader("Authorization: Bearer " + token);

I guess we are using same plugin :)

d.healey

@orange I've installed a REST API log plugin

{
    "data": {
        "code": "jwt_auth_no_auth_header",
        "message": "Authorization header not found.",
        "data": {
            "status": 403
        }
    },
    "headers": {
        "Allow": "POST"
    },
    "status": 403
}

So the header isn't being set, I will keep digging.

d.healey

@Christoph-Hart Any ideas? What format should the header be?

d.healey

The plot thickens...

Setting the content-type header, like this Content-Type: text/html works. Setting authorisation header like this Authorization: Bearer 123456 doesn't work.

I'm thinking it's something to do with my server configuration....

d.healey

Finally got the damn thing working. I'm using a xampp test server.

These are the things I did:

Followed config settings here - https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/#description
Added SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 to apache config file: instructions here - https://stackoverflow.com/a/54729344/1901367
Also did what this guy said, don't know if it's necessary though - https://www.web-design-talk.co.uk/126/getting-htaccess-mod-rewrite-working-locally-with-xampp/

orange

@d-healey Oh yes, .htaccess file and wp-config file must be modified.

Is customer purchase call working?
I am trying to get user info but response is "Sorry, you are not allowed to list users." I think same header issue is here too.

I am using live server by the way.

var encryptionData;
Server.setBaseURL("https://website.com");

inline function onGetInfo_ButtonControl(component, value)
{
   if(value)
      {
         local LockerPW = "987654321";
            
         local FileDirectory = FileSystem.getFolder(FileSystem.UserPresets).getParentDirectory();
         encryptionData = FileDirectory.getChildFile("credentials.dat").loadEncryptedObject(LockerPW);
                  
         Server.setHttpHeader("Authorization: Bearer " + encryptionData.token);
            
         Server.callWithGET("wp-json/wp/v2/users", encryptionData.user_email, function(status, response)
         {
            local serv_resp = trace(response);
           
            Console.print("server response: " + serv_resp);
         });
        
      }      
};
Content.getComponent("GetInfo_Button").setControlCallback(onGetInfo_ButtonControl);

d.healey

Yes I modified htaccess but it didn't work on my testing server - xampp. I had to do the extra steps I put in my last post.

Christoph Hart

Not sure if I understand this particular authentication system, but isn't the token supposed to be generated as a session cookie?

1. User logs in with credentials (email & password)
2. Server returns a token when the login succeeds (might return a cached token if the requests are within a certain time).
3. User uses this token for each subsequent URL request as proof of authentication (most likely in the header).