Get data from Woocommerce via server api

clumsybear

May I ask in all respect why bother with this stuff at all when it can get stripped away easily by any script kiddy looking to get props from the scene release community?

It just seems like a lot of work for something that’s not secure at all.

No offense, just want to know if I missed something.

d.healey

@clumsybear It can't be stripped away easily, this isn't like a Kontakt library, however as with all software it is certainly crackable.

Second, if you link software to your server then the client app is only half of the equation. If you remove the authorization from the client app then the server will refuse to talk with it. That means no downloads/support/updates for the end user.

clumsybear

Got you. Does this also mean that the user needs to be connected to the web constantly to be able to use your product, or is it a one time thing?

I'm aware that this is not like a Kontakt library. Anyways, I doubt that it is secure in the sense that your product can't be used without communicating to your server. JUCE products without ilok protection have a history of getting cracked within a couple of hours after release.

I get the update and support situation. imo this is the only way to really secure your software.

Of course I'm open to change my mind about that, time will tell.
Wish you good luck and all the best with it :)

orange

@clumsybear said in Get data from Woocommerce via server api:

May I ask in all respect why bother with this stuff at all when it can get stripped away easily by any script kiddy looking to get props from the scene release community?

It just seems like a lot of work for something that’s not secure at all.

No offense, just want to know if I missed something.

Of course in computer world almost everything is crackable. Even iLok was cracked. But for this case, just thinking "the crackablity" will be a very shallow thought. Plus to David,

• If you have resellers who are selling your software from their website, you need to pick and bring the customers into your database. So you can easily upsell other products (because it's much more easier to sell a product to a previous customer), give rewards to them or apply any other marketing strategies.

• Offline authorization can look "outdated" for lot's of customers. And being "outdated" is a bad image for a software company, especially in music software.

• Some customers will want to sell the license to other people, for this case you need to arrange the license management well. Online authorization is the one and only choice for this. Otherwise you don't know if your software was sold how many people after just one purchase. Even some audio plugin companies are charging for license transfer fee.

I hope that makes sense.

d.healey

@clumsybear said in Get data from Woocommerce via server api:

Got you. Does this also mean that the user needs to be connected to the web constantly to be able to use your product, or is it a one time thing?

That's up to you. My intention is that the user doesn't need to be connected at all to use it, only initially to activate their license and when they want to check for updates.

Christoph Hart

@clumsybear said in Get data from Woocommerce via server api:

JUCE products without ilok protection have a history of getting cracked within a couple of hours after release.

Depends on the company size and (a bit of) luck, but that's definitely not my experience. As long as your software needs to be reverse engineered using a reverse debugger, chances are huge that you fly under the radar of the people with the ability to do so.

clumsybear

@Christoph-Hart well concerning luck, I guess it has to do with demand, I guess if nobody cares about the software there is no point in cracking it, right?

are you referring to auddict products concerning your experience with this stuff? what copy protection scheme do Hexeract and PercX use?

Is there any audio software that does not need to use a reverse debugger to be cracked, of course if they are protected that is?

Christoph Hart

Both products use the native (C++) copy protection of HISE which offers more or less the same security as a properly implemented copy protection system with HiseScript and server calls.

d.healey

Is there a way to call a REST API function from within PHP without making an internal REST request? For example in my custom end point I want to call the license manager plugin's get_current_user_licenses function.

Dan Korneff

I'm just getting my feet wet with Server calls to Woocommerce. Using JWT for secure authentication.
Apparently, WC API blocks requests from anyone who isn't an Admin to help secure webstore sensitive data. This is slightly annoying because a customer should be able to have access to their own account (products and downloads) once they are authenticated.
I found a function posted on JWT github that filters users and gives them read-only access to their own data, but I'm unsure where to implement the code.
https://github.com/conversionxl/customer-service-dashboard/issues/3

/**
 * Add custom permissions to the WooCommerce REST API.
 */
function filter_woocommerce_rest_check_permissions($permission, $context, $object_id, $post_type)
{
    $user = wp_get_current_user();
    $roles = (array) $user->roles;

    // Allow the customer service role.
    if (in_array("customer_service", $roles)) {
        // Only allow read.
        if ($context === "read") {
            return true;
        }
    }

    return $permission;
};

add_filter('woocommerce_rest_check_permissions', 'filter_woocommerce_rest_check_permissions', 10, 4);

Any wordpress / woo gurus around with some insight?

Matt_SF

@dustbro not a guru, but I think this goes into your theme's function.php

orange

@dustbro I think you can use this code with a Code Snippet Wordpress plugin. So even if you update your wordpress theme, this function will be executed.

But if you use Woocommerce License Manager plugin, you won't need these Woocommerce REST API calls. Why do you need to use it?

Dan Korneff

@orange I'm making a downloader and the Woocommerce License Manager plugin doesn't contain customer_id or download_url.
Those are only accessible via /wp-json/wc/v3/customers/<id>

d.healey

@dustbro I avoided the REST API entirely and created a custom wordpress plugin, this gives complete flexibility to pull from Wordpress, WooCommerce, and the license manager plugin I'm using (different one to Orange). The one you guys are using is great if you can access everything through REST but if you need more control you have to look elsewhere because it lacks an internal API.

Dan Korneff

@d-healey said in Get data from Woocommerce via server api:

created a custom wordpress plugin

That's my next step if this simple filter function doesn't work.

d.healey

@dustbro It's really quite easy. The wordpress docs and YouTube will get you up and running pretty quickly. PHP is a little different from JS but if you know a function in JS that you want to use you can search for an equivalent PHP function and there usually is one.

ustk

@d-healey said in Get data from Woocommerce via server api:

@dustbro I avoided the REST API entirely and created a custom wordpress plugin, this gives complete flexibility to pull from Wordpress, WooCommerce, and the license manager plugin I'm using (different one to Orange). The one you guys are using is great if you can access everything through REST but if you need more control you have to look elsewhere because it lacks an internal API.

I'm on the edge of making a plugin too. My goal would be to create the license file onto the server and download it instead of making it in locally. For this, I'll need to access the user details and licenses that are in the license manager. So I imagine this is where having an internal API is necessary?
I don't know yet if it's viable but I'm trying to gather the information first...

d.healey

@ustk said in Get data from Woocommerce via server api:

download it instead of making it in locally

Why? That just seems like it will put more strain on your server.

ustk

@d-healey Yeah I see that issue, but I'm trying to figure out a better protection system. I know creating the license not on the computer is a part of the solution because this is what some are doing. Although I'm aware I might not be skilled enough to get it to work as efficiently :) Just exploring for now...

d.healey

@ustk said in Get data from Woocommerce via server api:

this is what some are doing

Everyone gets cracked, don't follow the herd, try something different.

As far as doing things on the server vs doing things locally it probably doesn't make any difference. At some point your app is going to have an if statement that checks if the license is valid. This is the weak link that cannot be avoided.