Get data from Woocommerce via server api
-
@orange said in Get data from Woocommerce via server api:
Yes token system is supposed to be generated as a session cookie.
Then why do you save it in a file?
Do you think consumer key and consumer secret codes can be compromised by hackers on a compiled plugin?
Anything can be compromised. Things that are embedded in the plugin (RSA keys, static passwords in a script) can be extracted more easily than dynamic data that comes from the server (eg. these tokens), but then both things might be trivially easy for anybody with a good knowledge of reverse-debugging.
-
@Christoph-Hart said in Get data from Woocommerce via server api:
@orange said in Get data from Woocommerce via server api:
Yes token system is supposed to be generated as a session cookie.
Then why do you save it in a file?
I just wanted to decrease server access, did it for multi instance uses especially. Also I didn't want to store password directly.
For example checking it once a day?
If the token is expired, it will pick a new one by the way.But maybe there is a better idea?
-
@Christoph-Hart said in Get data from Woocommerce via server api:
Not sure if I understand this particular authentication system, but isn't the token supposed to be generated as a session cookie?
- User logs in with credentials (email & password)
- Server returns a token when the login succeeds (might return a cached token if the requests are within a certain time).
- User uses this token for each subsequent URL request as proof of authentication (most likely in the header).
Yes, but it doesn't need to be saved as a cookie, you can just save it in a variable and pass it in the header with each request. I have this working now in HISE. The problem was a server configuration issue, HISE is fine :)
@orange said in Get data from Woocommerce via server api:
But maybe there is a better idea?
Probably no harm in generating one for each request, unless you think the user is going to be making lots of requests. I'll probably store mine in a file that will expire each day.
-
@d-healey said in Get data from Woocommerce via server api:
Probably no harm in generating one for each request, unless you think the user is going to be making lots of requests. I'll probably store mine in a file that will expire each day.
Which method can be used for each day expiration?
-
@orange You can add a timestamp inside your encrypted file and compare it to the current time when you read the file.
-
Ooo fancy stuff in the latest commit...
downloads are persistent when recompiling
What does this mean?
-
The
Server
class was owned by the scripting engine so when you recompile it will create a new server class and all downloads are gone. This was bad and now the server class has the same lifetime as the plugin itself. -
@Christoph-Hart Excellent!
-
@Christoph-Hart Compile errors unfortunately
../../../../../HISE/hi_components/floating_layout/FloatingTileFactoryMethods.cpp:358:43: error: ‘web’ is not a member of ‘MainToolbarIcons’ path.loadPathFromData(MainToolbarIcons::web, sizeof(MainToolbarIcons::web)); ^~~ ../../../../../HISE/hi_components/floating_layout/FloatingTileFactoryMethods.cpp:358:73: error: ‘web’ is not a member of ‘MainToolbarIcons’ path.loadPathFromData(MainToolbarIcons::web, sizeof(MainToolbarIcons::web));
-
Ah yes I forgot to commit this file. You can just comment these lines out, it shouldn't affect anything.
-
@Christoph-Hart Yep that worked. This server controller looks useful. Going to play around with it now.
-
@orange Have you had any luck getting user order data through JWT authorization? WooCommerce seems to block any user that isn't an admin.
I think we may be forced to use the consumer/secret key thingy!
-
@d-healey said in Get data from Woocommerce via server api:
@orange Have you had any luck getting user order data through JWT authorization? WooCommerce seems to block any user that isn't an admin.
Not yet, I tried lot's of thing but interestingly my server doesn't allow http header auth...
I think we may be forced to use the consumer/secret key thingy!
Yes it seems like that then. By the way don't forget to delete
Server.setHttpHeader
, because in this case woocommerce is blocking. -
@orange So how do we do it securely? Embedding keys in the binary seems risky. I'm also going to see if making custom endpoints will work.
-
@d-healey said in Get data from Woocommerce via server api:
@orange So how do we do it securely? Embedding keys in the binary seems risky. I'm also going to see if making custom endpoints will work.
If you won't create customers, create orders...etc with Woocommece API, you can give Read only permissions to the keys. So the keys can only be used for getting data. yes it is risky too but at least not on the website compromise level.
-
I guess Application Passwords Plugin is the alternative to JWT Authentication Plugin. Some people says it is much more easy to use, maybe this method won't be blocked.
-
By the way, you didn't try to get data with JWT header auth from Woocommerce REST API right?
JWT can be used for Wordpress REST API only.
And since every customer is a user at the same time, I think with Wordpress API you should get the user (customer) data. -
@orange I tried with both WooCommerce and Wordpress. JWT can be used with WooCommerce endpoints, but they block every user without admin rights. I can't see a way to get customer order details from the Wordpress API.
-
-
Sorry Christoph, somehow I missed your reply. Giving extra priviliages to the user didn't work for me, and seems like a hack anyway.
@orange I have found the solution, make your own API with custom endpoints. It's actually not too difficult, I found some good information on the wordpress website and YouTube.
Here is a custom plugin I just made that will get all of the downloadable file data for all of the customer's completed orders. It checks that the current user (via JWT for example) has the role of customer, I'll add more security later to make sure they have permission to download specific files etc. This is just a proof of concept and doesn't take arguments from HISE server calls yet.
<?php /** * Plugin Name: Custom API * Plugin URI: http://localhost/wordpress * Description: Custom REST API endpoints * Version: 1.0 * Author: David Healey */ function my_orders() { $args = [ 'status' => 'wc-completed', 'customer' => 'customer@example.com' ]; $orders = wc_get_orders($args); $data = []; foreach ($orders as $i => $order) { $items = $order->get_items(); $data[$i] = []; foreach($items as $j => $item) { $data[$i][$j] = $item->get_item_downloads(); } } return $data; } add_action('rest_api_init', function() { register_rest_route('my/v1', 'orders', [ 'methods' => 'GET', 'callback' => 'my_orders', 'permission_callback' => function () { return wc_current_user_has_role( 'customer' ); } ]); });
The API documentation was tricky to find, every Google search lead to the REST API instead of the plugin API. If you need it here it is - https://developer.woocommerce.com/