• Resolved Vijay Hardaha

    (@vijayhardaha)


    Hello there,
    I have a very simple question; maybe I am missing something. If yes, then please let me know what I am missing.

    So let’s start.

    – Suppose I build a theme/plugin that I want to sell on my WooCommerce store and manage licenses for it.
    – In order to manage licenses I installed your License Manager plugin, set up a Generator, and linked it to the theme and plugin products that I sell on the store.
    – Now, a customer came to my website and ordered the product.
    – After successful payment, he got the theme/plugin zip file that I sell and he also got the license through your License Manager plugin as I set up the generators.

    – Now, the customer goes to his website and installs my theme/plugin, where I added a form to enter the license key to activate/deactivate the license.
    – Of course, I will have to add some code in my theme and plugin that handles the license check, activation and deactivation through my website, where I manage all the themes/plugins that I sell.
    – Now, as described in your documentation, the REST API requires client and secret keys in order to use it, which I can generate and save somewhere, as they won’t be shown again.
    – Now I generated the REST API keys and saved them.
    – Now I will have to save those keys somewhere in my plugin and themes, because I have to make REST API calls using those keys from the theme/plugin I just sold.

    – So now I put those keys in my plugin/theme files. All good so far.

    Now, since my client and secret keys are in the plugin file, anyone can see those keys in the file, and then they can make any kind of REST API call.

    For example:
    /wp-json/lmfwc/v2/licenses – from this they get all the license data I have on my website.

    And since I have to activate the license through the REST API, which is a PUT request that requires write permission on the REST API keys, it means I am giving full control of my website to the whole world if my sold product gets distributed on the nulled market, or, if not, someone who bought it and finds the keys in the file can easily do anything using those keys.

    Now please let me know if I am missing anything in this whole process, or whether your plugin can’t let me sell themes/plugins or anything code-related, since for license status, activation and deactivation I will have to give the buyer REST API keys that open all the gates for him?

    Thanks

Viewing 9 replies - 1 through 9 (of 9 total)
  • Hi @vijayhardaha

    You can make a callback function on your own site where the key is generated, and in that function you can specify the secret key and consumer key, and from that function you can make REST API calls, so the secret key and consumer key are saved within your own server rather than being implemented in the theme or plugin. This way you can do your task.

    Thanks

    • This reply was modified 2 years, 11 months ago by A.Tariq.
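    The pattern suggested in the reply above (keep the consumer key and secret on the vendor's own server and have the sold product talk to a vendor-side endpoint instead of to the License Manager REST API directly), written out as an added example. This is not code from this thread, from the License Manager for WooCommerce plugin, or from its documentation. It assumes: the constants LMFWC_CONSUMER_KEY and LMFWC_CONSUMER_SECRET are defined in wp-config.php; the plugin accepts HTTP Basic authentication with the consumer key and secret over HTTPS; the activation route is PUT /lmfwc/v2/licenses/activate/{key} (the thread only says activation is a PUT); and the namespace my-store/v1, the route /activate, the function names and the host vendor.example are invented for the example.

    ```php
    <?php
    /**
     * Added example, not code from the thread or from the License Manager plugin.
     *
     * Vendor side: a proxy endpoint that the sold theme/plugin calls with only its
     * license key. The REST API consumer key/secret never leave the vendor server.
     *
     * Assumptions (see lead-in): LMFWC_CONSUMER_KEY / LMFWC_CONSUMER_SECRET are
     * defined in wp-config.php; the activate route and "my-store/v1" are assumed.
     */

    add_action( 'rest_api_init', function () {
        register_rest_route( 'my-store/v1', '/activate', array(
            'methods'             => 'POST',
            'callback'            => 'my_store_proxy_activate',
            // Public on purpose: the license key itself is the customer's credential,
            // and the real authentication happens server-side in the callback below.
            'permission_callback' => '__return_true',
            'args'                => array(
                'license_key' => array(
                    'required'          => true,
                    // Only accept keys in the shape we issue (assumed format), which also
                    // keeps path characters such as "/" or ".." out of the upstream URL.
                    'validate_callback' => function ( $value ) {
                        return is_string( $value ) && preg_match( '/^[A-Z0-9-]{16,64}$/', $value ) === 1;
                    },
                ),
            ),
        ) );
    } );

    function my_store_proxy_activate( WP_REST_Request $request ) {
        $key = $request->get_param( 'license_key' );

        // Per-key throttle (hypothetical limit: 10 attempts per 10 minutes) so a
        // leaked or guessed key cannot be hammered through the proxy.
        $bucket   = 'lmfwc_proxy_' . md5( $key );
        $attempts = (int) get_transient( $bucket );
        if ( $attempts >= 10 ) {
            return new WP_Error( 'throttled', 'Too many attempts', array( 'status' => 429 ) );
        }
        set_transient( $bucket, $attempts + 1, 10 * MINUTE_IN_SECONDS );

        // Secrets are read from wp-config.php on the vendor server, never shipped.
        $auth = base64_encode( LMFWC_CONSUMER_KEY . ':' . LMFWC_CONSUMER_SECRET );

        // Forward the activation to the License Manager REST API on this same site.
        $response = wp_remote_request(
            rest_url( 'lmfwc/v2/licenses/activate/' . rawurlencode( $key ) ), // assumed route
            array(
                'method'  => 'PUT',
                'timeout' => 10,
                'headers' => array( 'Authorization' => 'Basic ' . $auth ),
            )
        );

        if ( is_wp_error( $response ) ) {
            return new WP_Error( 'upstream', 'License server unavailable', array( 'status' => 502 ) );
        }

        // Return only what the customer's plugin needs; do not echo the full
        // upstream license record (it may contain order/customer details).
        return rest_ensure_response( array(
            'activated' => ( 200 === wp_remote_retrieve_response_code( $response ) ),
        ) );
    }

    /**
     * Client side, shipped inside the sold theme/plugin: it carries no API keys,
     * only the license key the customer typed into the activation form.
     */
    function my_product_activate_license( $license_key ) {
        $response = wp_remote_post( 'https://vendor.example/wp-json/my-store/v1/activate', array(
            'body'    => array( 'license_key' => $license_key ),
            'timeout' => 10,
        ) );
        if ( is_wp_error( $response ) ) {
            return false;
        }
        $data = json_decode( wp_remote_retrieve_body( $response ), true );
        return ! empty( $data['activated'] );
    }
    ```

    The point of the split is that the shipped file contains nothing that grants REST API access: extracting the client code only yields the public proxy URL, and the proxy exposes one narrow action (activate this key) rather than the full /lmfwc/v2/licenses read/write surface. The validate_callback and the throttle are there because the proxy is deliberately unauthenticated; if the License Manager plugin exposes its activation logic as PHP functions, calling those directly instead of a loopback HTTP request removes the need to keep key and secret in wp-config.php at all.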
    Thread Starter Vijay Hardaha

    (@vijayhardaha)

    Hey

    @arsalantariq thanks for your reply.
    I am not sure if I am getting the callback function thing; I haven’t read the plugin code. So I am not sure if you’re telling me to register a new REST API endpoint or telling me to hook a filter in one of your plugin functions.

    Even though I don’t understand the callback function part, here is another query: if the callback function thing you’re talking about will automatically pass the secret and key to your registered REST API endpoints and I don’t need to give/add those keys to anyone, then in that way aren’t my website endpoints no longer secure/private?

    It will be nice if you can give a small code example about the callback thing you’re talking about so that I could understand the solution you’re suggesting.

    @vijayhardaha let me look into this and get back to you shortly.

    Thread Starter Vijay Hardaha

    (@vijayhardaha)

    @arsalantariq OK Thanks, I will wait for your response.

    Hi @vijayhardaha

    If you don’t want your API to be public, then you need to uncheck the GET API Route in settings; see the link below:

    https://www.awesomescreenshot.com/image/18165073?key=fa0fc6672de78a1e8ae113f4e654b181

    You can test this using the test API and let us know whether it’s working fine or not.

    thanks

    Thread Starter Vijay Hardaha

    (@vijayhardaha)

    Hey @arsalantariq
    Thanks for replying back.

    I have tried the solution you’re proposing before. It somehow works for my case, but it doesn’t seem to be the ideal solution, since others want to use other routes as well for other work; disabling them isn’t good for everyone.

    Also, if disabling routes per key pair becomes available, it will be a great advantage for everyone.

    @vijayhardaha I will discuss this with my technical team and will release any solution in an upcoming release.

    Anonymous User 18563845

    (@anonymized-18563845)

    I thought there was a PHP example here, am I right?

    @mvsup we are working on these things and will let you know soon.

    thanks

  • The topic ‘Security on REST API Keys’ is closed to new replies.