I am a Spring Developer trying to figure out how to connect a WordPress WooCommerce Website to my REST Spring boot Service. I haven't worked with WordPress, so there are a lot of unknown unknowns for me there. I am in collaboration with another developer on the WordPress side of things, trying to solve this issue, but we are a little lost.
Are there Best Practices for a WordPress website to access the Spring boot Oauth2 API (including JWT Token delivery Service) ?
CONCRETE DESCRIPTION OF MY SITUATION:
State right now (working):
Someone orders a Product on the WooCommerce website and the order status is set to processing.
The goal:
WordPress WooCommerce Backend calls the Spring boot API to send how many Products were ordered.
WHAT WE FOUND OUT AND WHAT WE TRIED:
Spring boot:
We found out that Spring boot outh2 is the way to go for the REST API ENDPOINT
The only resource I found about this are this once, which are very good and sufficient:
https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
https://www.youtube.com/watch?v=X80nJ5T7YpE
WordPress:
The Problem is, that we find a lot on WordPress Webhooks but not a lot on how to call an API Endpoint with a Token system.
Here are some resources we worked through, which are not sufficient:
https://developer.wordpress.org/plugins/http-api/
https://woocommerce.github.io/woocommerce-rest-api-docs/v3.html?shell#webhooks
https://duckduckgo.com/?q=wordpress+oauth2+rest+call&t=bravened&ia=web
WHAT WE THINK TO KNOW ABOUT THE SERVER TO SERVER COMMUNICATION IN THIS CASE** (Handshake):
In WordPress, I manually safely store a Username and a Password which
Spring Security knows about, on WordPress.
WordPress, an order has been finished.
WordPress calls Spring boot Https Request to /api with Payload:
OrderInformation, Password and Username.
Spring sees that there is no Token or the Token is outdated
Spring searches the Request Payload for Username and Password
Spring generates a signed JWT Token based on Username and Password.
WordPress receives that Token and stores is safely
WordPress HTTPS Request /api with Payload: OrderInformation, Token.
Spring validates the Token, accepts the OrderInformation
Spring does what ever it needs to do with the information and when
everything works out
Spring Oauth2 somehow has to tell Woocomerce that the information
was successfully delivered. Otherwise Woocomerce has to resend the
information. And start form point
WHAT WE HOPE THIS POST SHOULD ACCOMPLISH FOR PEOPLE WITH THE SAME QUESTION:
If someone knows any resource or best practices how to configure WordPress WooCommerce, please let us, who have a lot of unknown unknowns, know what to do next.
We hope this post and its answers can be a gateway and vertex for other people to find the information they need.
Thank you very much in advance
I am not sure about Spring Boot API specifically, but I have done this type of integration with other REST API's.
I would recommend using wordpress action hook. The hook that I would recommend you to use is woocommerce_order_status_changed.
// define the woocommerce_order_status_changed callback
function action_woocommerce_order_status_changed( $this_get_id, $this_status_transition_from, $this_status_transition_to, $instance ) {
// make action magic happen here...
};
// add the action
add_action( 'woocommerce_order_status_changed', 'action_woocommerce_order_status_changed', 10, 4 );
At the place of // make action magic happen here... write the logic where you contact with your API. Run your code when $this_status_transition_to is processing. The $instance should have woocommerce order instance which you can use to push to API.
Some pointers that I would like to give are.
Save the API Token/Credentials in an Enviroment Variable for security.
Would recommend using Guzzle package to make http request. Use composer to install the package.
Related
I'm very new in Spring and never really used java for making web. And I'm making a web with a separated frontend and backend services and I'm trying to make an authentication system using Spring Boot Security. How can I do it? Do I put the security on both the service or just one of them? What's the best way to implement it?
The question is subjective and can have too many interpretations based on context. My understanding is that putting security on both front-end and backend is the best way to implement. After a successful backend authentication you should issue a unique cookie to the browser as it allows users to continue using a site without having to log in to every single page. For each subsequent call, the website recognizes the user from cookie data.
You can use this link for a better understanding of dual authentication mechanism.
I'm building a Angular 6 front-end and Spring boot based REST api. Angular app is going to be hosted separately behind a nginx. I want to implement spring security in order to secure REST apis. As per my understanding I need to two following things.
Spring security to authenticate API calls for valid tokens and respond 403 if not
Angular library in order to redirect user to google login and maintain access/refresh tokens, pass access token for api calls in headers and refresh access token if backend respond with 403.
I'm not quite sure whether the authenticate request go via spring backend or directly to google.
I have been searching for a good tutorial for sometime but didn't find one matching my requirement( most are html pages hosted within spring ). So please correct if my understanding on how to do this is wrong and share if there are tutorials.
Check this article. This might be the article which help to you.
Moreover let me know if it worked.
I have a website which is based on a Laravel backend api and a Nuxt.js frontend app.
The laravel app is served at api.website.com. Till now the api was open, meaning everyone can make a get request. There are almost no post requests.
I know need to implement a login mechanism for the users (Usual login+register and facebook login).
My question is about how would I go to make this process secure. Do I need Laravel Passport (or other similar mechanism)?
My thought is that, say I have an endpoint api.website.com/register (POST), I do not want anyone to be able to just make a post request and create an account. I need to have some sort of security like a csrf token. I know I can use CORS but that doesn't really provide much of security in this case.
You can use jwt like this or laravel passport.
I'm trying to implement an online application (single page) with angularjs in forntpage and wordpress + woocommerce plugin in backend.
For this purpose I'm installed WP RESTful API and activated woocommerce self api. and using angularjs resource for ajax calls with server.
The woocommerce API is protected by oAuth 1.0a protocol.
As I figured out in this answer, the right way to request a protected API is just server side calls. So I created a new file in my server named "ApiCall.php" and wrote the whole secure communication stuffs in that.
Now my requests first send to "ApiCall.php" then the server communicate with woocommerce API (which is in the same server!) and the response will redirect to my angular code!
After all , now I'm confusing with this flow and security. When someone can request to woocommerce API, so he can request to "ApiCall.php" too! then the same security calculations will proceed for that person and result will returned to him!
On the other side, WP RESTful API have no security contraptions, and data are available with direct ajax calls.
I'm looking the best approach for this type of communications which a single page application want to get and set data to its backend.
I'm developing a REST JSON API with the Spring MVC Framework. I want to serve a single HTML application to the user and the whole communication between server and client is done with JSON format. So the client single HTML application uses jQuery to send AJAX calls to the server.
My big problem is to find the right way to do integrate a proper security technique. I read a lot about basic, digest or form based authentication via Spring Security, but I don't think this is the right way. I want to get JSON responses if the user isn't logged in and I don't want to send a jsessionid with each request.
Could you please tell me the right way or the best-practice how to authenticate user by performing AJAX requests? Maybe it's OAuth 2-legged? (don't have much clue of OAuth)
If you don't want to store auth information in server-side session (and use JSESSIONID in cookies/urls) you may send auth info with every ajax request using BASIC auth header (created in JS).
I've never used 2-legged oauth, so I won't comment about it.
edit: typo