
I'm currently working on an Angular app with a headless WordPress as a backend. I'm trying to figure out a way to integrate e-commerce into that and WooCommerce seems to be the way to go. I'm working with the REST API of WordPress and using this JWT plugin as authentication.

My current concern is with the security of the keys I'm getting from WooCommerce. I'm supposed to use those keys (public and private) to authenticate my "application" to the WooCommerce platform. However, is saving those credentials client side really the only way to go? This seems like a huge red flag to me since someone could simply take those credentials and use them somewhere else.

I was wondering if that was the correct way to go. I thought of maybe creating alternative routes to handle the WooCommerce process but it demands a lot more work than I can offer right now. They are just lying there, in the plain JavaScript. It makes me wonder if I could just scan the web for keys to use...

I've seen countless tutorials on the subject but none seems to take into account that those keys can be taken by someone and used somewhere else.

Any pointer would help.


asked Apr 23, 2020 at 23:37 by Nicolas
  • For what purpose do you have to store the secret key at client side? Just curious. – gmatta Commented Apr 24, 2020 at 3:04
  • @Gangesh it is supposed to authenticate my app to WooCommerce. In any other context, I would store the key in my backend and my backend would call WooCommerce using a curl request. In my case, WooCommerce / WordPress is my backend. – Nicolas Commented Apr 24, 2020 at 11:11
  • If you are using authentication, which of course will check user rights in WP, then you just have to use a nonce with your request and it should work. I used that with WP users and WooCommerce orders. – gmatta Commented Apr 25, 2020 at 16:32

2 Answers

For anyone wondering the same thing, it turns out that you can use the woocommerce API with any normal authentication methods.

WooCommerce includes two ways to authenticate with the WP REST API. It is also possible to authenticate using any WP REST API authentication plugin or method.

This means I was able to use the authentication method provided by the JWT plugin to authenticate the request.

This works fine until you want to use the product API publicly. For some reason, there is no way to use the WooCommerce API without authentication.

As it turns out, the products are stored as simple posts in WordPress. It is possible to access them using the standard WordPress REST API using the following routes.

/wp-json/wp/v2/product
/wp-json/wp/v2/product/<product id>

Those API endpoints don't need authentication.
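The pattern this answer settles on, as an added example (not code from the question or the answers): a small request layer for the Angular/JavaScript client that never holds a WooCommerce consumer key or secret. Public catalogue reads use the unauthenticated /wp-json/wp/v2/product routes above; everything else carries the logged-in user's JWT from the JWT auth plugin as a Bearer token, so WordPress applies that user's capabilities instead of a store-wide credential. A guard refuses to build any request containing something shaped like a WooCommerce key (ck_/cs_ plus 40 hex characters). SITE_URL, the JWT value and the order payload are constructed placeholders; the wc/v3 namespace is the WooCommerce REST API namespace and send() is a fetch() stand-in for Angular's HttpClient.

```javascript
// Added example, not the project's code. Assumes a headless WordPress at SITE_URL
// running WooCommerce and a JWT authentication plugin that returns the user's token.
const SITE_URL = "https://shop.example.invalid"; // constructed placeholder origin

// WooCommerce REST consumer keys/secrets are "ck_" / "cs_" followed by 40 hex chars.
const WOO_CREDENTIAL_RE = /\b(?:ck|cs)_[0-9a-f]{40}\b/i;

// Walk every string in a request object (url, headers, body) and refuse it if any
// value looks like a WooCommerce consumer key or secret: those stay server-side.
function assertNoWooCredentials(request) {
  const stack = [request];
  while (stack.length) {
    const value = stack.pop();
    if (typeof value === "string") {
      if (WOO_CREDENTIAL_RE.test(value)) {
        throw new Error("refusing to send a WooCommerce consumer key/secret from the client");
      }
    } else if (value && typeof value === "object") {
      stack.push(...Object.values(value));
    }
  }
  return request;
}

// Public catalogue read via the core WP REST API (product post type); no auth header.
function productRequest(productId) {
  const path = productId === undefined
    ? "/wp-json/wp/v2/product"
    : `/wp-json/wp/v2/product/${encodeURIComponent(String(productId))}`;
  return assertNoWooCredentials({
    method: "GET",
    url: SITE_URL + path,
    headers: { Accept: "application/json" },
  });
}

// Authenticated WooCommerce call: the user's JWT identifies them; WordPress then
// enforces that user's rights, so no store-wide credential is needed in the browser.
function wooRequest(jwt, method, path, body) {
  if (typeof jwt !== "string" || jwt.split(".").length !== 3) {
    throw new Error("a JWT (three dot-separated parts) is required for /wc/v3 calls");
  }
  const request = {
    method,
    url: SITE_URL + "/wp-json/wc/v3" + path,
    headers: { Accept: "application/json", Authorization: `Bearer ${jwt}` },
  };
  if (body !== undefined) {
    request.headers["Content-Type"] = "application/json";
    request.body = JSON.stringify(body);
  }
  return assertNoWooCredentials(request);
}

// Transport wrapper; in Angular this would be HttpClient, here plain fetch().
async function send(request) {
  const res = await fetch(request.url, {
    method: request.method,
    headers: request.headers,
    body: request.body,
  });
  if (!res.ok) throw new Error(`${request.method} ${request.url} -> ${res.status}`);
  return res.json();
}

// Usage (network calls only run when you call send()):
//   send(productRequest());                       // anonymous product listing
//   send(productRequest(42));                     // anonymous single product
//   send(wooRequest(userJwt, "POST", "/orders", { payment_method: "bacs" }));
```

The guard is deliberately crude: it catches the case the question worries about (a key sitting in the shipped JavaScript and being attached to requests), not every way a secret could leak. The real fix is that the client simply has no consumer key to attach.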

One of those alternative routes that you talked about earlier is using a relatively new feature in WooCommerce called the WooCommerce Store API for the parts of the app that don't need authentication, hence neglecting the storing of key/secrets. I was also concerned about the API key/secrets until I came across this API. The fantastic feature of this API is that it is made to view things unauthenticated. You can find the documentation on this GitHub link.

Tags: rest api | Title: How to handle Woocommerce API credentials