Advanced WooCommerce Development

Preserve Your Code: Zero in on Error Sources with Automated Testing
A Primer to Automated Testing
Testing Environment Setup: The Docker Shortcut
PHPUNIT.xml and Boostrap.php
Writing PHPUnit Tests for WordPress
Advanced Automated Testing Trickery
Generating Code Coverage Reports
A Primer to Frontend testing in WordPress
Testing Javascript with Jest in WordPress
Testing WordPress Sites with Backstop
Discover Woocommerce’s CRUD Core: Quicker Coding with WC_Data
How to Navigate this Course
WC_Data Overview
Quiz:
Data Overview
WC_Data and Data Storage/Manipulation
Quiz:
Data Storage/Manipulation
WC_Data Data Stores
Quiz:
WC_Data: Datastores
WC_Data Family Trees
Quiz:
WC_Data: Family Trees
WC_Data Filter and Action Hooks
Quiz:
WC_Data: Filters and Actions
Implementing Custom WC_Data
Quiz:
WC_Data: Custom_Data
Implementing Custom Data Stores
Quiz:
WC_Data:Custom Stores
Connect Your Store to the World: Learn the REST API and Webhooks
WooCommerce REST API and Webhook Primer
Quiz:
REST and Webhook Primer
WC REST and Webhook Security
Quiz:
Rest and Webhook Security
Rest and Webhook Processes
Quiz:
Rest and Webhook Processes
Use Case: Connecting a WooCommerce Store to an MRP systeym
Quiz:
Use Case MRP
Use Case: Connecting a WooCommerce Store to a Mobile App
Quiz:
Use Case: Mobile App
Specialize Your Shopping Experience: Build custom interactions with WC_Session, WC_Cart, and WC_Checkout
The WooCommerce Session / Cart / Checkout Primer
Quiz:
WC_Cart & Checkout Primer
The WC_Session Lifecycle
Quiz:
WC_Session Lifecycle
WC_Cart Fundamentals
Quiz:
Cart Fundamentals
WC_Checkout Fundamentals
Quiz:
Checkout Fundamentals
Use Case: A Shared Cart
Build with Blocks: Weaving Together WooCommerce and Gutenberg
A Primer to Gutenberg Development
Quiz:
Gutenberg Primer
Deep Dive into the Gutenberg Block Build Process
Quiz:
Gutenberg Deep Dive
Existing WooCommerce Blocks
Quiz:
Existing Gutenberg Blocks
Gutenberg Block Patterns
Quiz:
Gutenberg Block Patterns
Building a Custom WooCommerce Gutenberg Block
Quiz:
Building a Custom Gutenberg Block
RSS
Facebook
Twitter
LinkedIn
Share

WooCommerce REST API and Webhook Security

Overview

Creating the REST API and Webhooks links in a WooCommerce Store exposes controls and information, inherently raising security concerns.

Fortunately, each API is built with security in mind. By understanding how they work, and following some basic best practices, you can ensure that your store stays secure, even as you enhance and expand its connections to third party services.

If you prefer, you can jump to the Knowledge check to see what you already know

REST API: Main Considerations

When utilizing the REST API, you should carefully consider that you are providing an “alternate login” for that external applications and websites can use for interacting with your data. This leads to the following considerations:

  • Setting up and protecting your API key and secret for Authentication
  • Determining the method by which your external application will connect to your siteThis is a question of HTTP vs HTTPS. Unless there’s a strong reason not to default to HTTPS
  • Identifying which user login will be used for a given APIOptimally, you can assign the specific end user’s account to each API–but this isn’t always feasible
  • Setting the Read, Write, Read/Write permissions on your site

REST API: Keys and Secrets

The consumer key and consumer secretNaturally, your should save and protect this information. The WooCommerce documentation is even so squirrely as to obfuscate their demo example! are the primary method of user authentication for the WooCommerce REST API.

The consumer key should be thought of as a “user name” that identifies the REST API.

The consumer secret does double duty. It is both a password, in the case of Basic Auth, and as a hashing key, in the case of HMAC Auth.

Key/Secret Database Description

The consumer_key and consumer_secret are both stored in the woocommerce_api_keys table.

The consumer_key is stored as a sha256 hashed version of itselfThe “secure hash alogorythm” is a one-way compression function. Meaning it can’t be “decrypted” by mere mortals, using ‘wc-api’ as its hashing key. For easy reference, the un-hashed, last 7 characters of the key are stored in the truncated_key field.

The consumer_secret is stored in its raw formSince this is used for the HAMC signature hashing, WooCommerce needs to know its true value.

REST API: SSL vs non-SSL

WooCommerce decides which authorization method to use based on the type of connection the client makes. Using the WordPress is_ssl() function.

If is_ssl() returns true:

WooCommerce will attempt a Basic AuthenticationNote that you are placing a lot of trust in your SSL connection if you use this method. It’s a trustworthy protocol–but you should know what you’re doing. where is uses either:

$_GET[‘consumer_key’] & $_GET[‘consumer_secret’]

or

$_SERVER[‘PHP_AUTH_USER’] &

$_SERVER[‘PHP_AUTH_PW’]

If is_ssl() returns false OR if Basic Authentication FailsNote that you can ALWAYS use this method if you choose, and then you’ll never transmit your secret in a readable format:

WooCommerce will perform a one-legged oAuth authentication. In this authentication, an HMAC signature is created by hashing each parameter in the body with the secret, to create a unique signature for each request, that is validated by WooCommerce.

REST API: User Permissions

Each Rest API key/ secret pair is assigned to a specific user. By assigning users with the lowest level WP role necessary, you can rely on WooCommerce to automatically limit the access As we’ll see later the limits are quite substantial, and often need to be opened up a bit of any given REST API login, and minimize security risks.

REST API: Read, Write, Read/Write

Read permissionse.g. for an app that can only read your catalog can only get entries from the WooCommerce system. Write permissionse.g. For an app that can only update inventory can only add/update entries.

Specific parameters are only available to APIs with Read or Write permissions. The permissions of each API parameter can be found in the REST API Docs.

If you want to give an API access to everything that a particular user has access to, use Read/Write.

Webhooks: Main Considerations

Webhooks have the advantage of pushing information out, rather than responding to external calls. However, they still evaluate responses and still have the potential to expose sensitive information. When using WooCommerce Webhooks:

  • Use HTTPS connections, wherever possible
  • Carefully assess the information you want to transmit
  • Use 1-legged oAuth authenticationSame HMAC hashing protocol as the REST API on your receiving server to validate the web hook in your external system
  • Note: wp_safe_remote_request() is used and prevents redirection.
  • Filter response variables in functions hooked to ‘woocommerce_webhook_delivery’checkout class-wc-webhook.php for the full details

Conclusion

That wraps up our discussion on REST API and Webhook security. While it can be nerve wracking to expose portions of your site to external apps and actors, there is a strong security backbone in WooCommerce and WordPress to secure your site.

In the next topic, we’ll discuss the larger code architecture behind the REST API and Webhooks.

But first, check your knowledge.

Knowledge Check

Hint: You can do a word search on the slides in the topic at any time, using CRTL+Shift+F while you work on the questions 😉

References

×

Keyboard shortcuts

CTRL+Shift+F Search slideshow
F Fullscreen view
CTRL+Click Zoom in
Esc Topic overview
Right arrow,
Down arrow Next slide
Left arrow,
Up arrow Previous slide

Color codes

Tooltip
Hover over text more additional info
Link to an external resource
Link to an internal slide
If buttons aren't working, click in the screen to "focus" your browser
RSS
Facebook
Twitter
LinkedIn
Share