Resolved mrthunderfield

    (@mrthunderfield)


    Thanks for the plugin, it seems to do most of what we need! I have developed a frontend-only app for my client which should activate the generated license key through the API, but I notice that you require a secret to communicate with the API. I’m reluctant to include the secret in the frontend code, so it would be great to have a few routes that don’t require this level of security that frontend apps could use to activate or validate licenses.

    Does the key/secret pair give any additional access to WordPress or Woocommerce, other than the functions of this plugin? If not, I can disable the routes I don’t need and just include the secret in the frontend code.

    To be honest, this level of security seems a bit over the top and makes any other apps than server-side apps needlessly difficult to implement. I’d have to write a WordPress plugin that wraps the API and expose a custom API just to prevent the secret from leaking out, which seems counter-productive when I’m already using a plugin with an API. Even if I take the step of including the secret in the frontend code, I now need to maintain separate builds for local, dev and production sites since they each use a separate key/secret pair.

    I fully understand the need to protect sensitive routes that can modify the data, but the routes that just activate or validate a key should be usable from frontend or otherwise unsecured apps.

Viewing 7 replies - 1 through 7 (of 7 total)
    I second this. I think this will be a very useful feature to make this plugin interesting for many more software vendors.

    For example, I’m a plugin developer. I sell the plugin as a woocommerce download product. After that they would need the license key to set up automatic updates.

    Many alternatives, like EDD software licenses or WooCommerce Software License Manager have this kind of functionality.

    If you would be able to add this functionality to the theme, I would be happy to create a plugin update checker for use with this plugin.

    dynamic22

    (@dynamic22)

    +1, I also wanted that. It just needs to check if it gives "success": true or "success": false when a license is valid or expired.

    Now it always returns "success": true even if a key is expired, deactivated or in any other state.

    My program now checks the status (1, 2, 3), but that only changes when I manually change the status, so it won't change automatically when the license expires after some time.

    By the way, I've inserted the key and secret in my frontend and disabled all routes except get licence.

    Hello @mrthunderfield, @cvl01, and @dynamic22

    To sum everything up, you would like the following additions/changes:

    1. open routes for license activation, deactivation, validation (no API key, secret, whatsoever).
    2. Error during license validation request if the license is not valid anymore.

    Please let me know if I’m correct on these assumptions.

    I’m thinking of making new v3 API routes which would implement this. For backwards compatibility I simply can’t change the existing v2 routes, but it’s been a while since I’ve added those and there have been some things I wanted to tweak and change, so a v3 API is very likely coming.

    @drazenbebic correct

    Because to validate/activate or deactivate you need to know the correct licence key, and nobody else knows that, only the user that has it. So a URL like, for example, validate = website.com/validate/licencekey is better than website.com/validate/v2/licenekey-keyuser-keysecret-andrest 🙂

    And a change from status success true to false would be nice, so when my system checks the code and it's expired, customers need to renew their licence.

    @dynamic22

    Because to validate/activate or deactivate you need to know the correct licence key, and nobody else knows that, only the user that has it. So a URL like, for example, validate = website.com/validate/licencekey is better than website.com/validate/v2/licenekey-keyuser-keysecret-andrest

    Yes, but what’s stopping someone from writing a script which will hammer your WordPress REST API with requests? This only makes sense if I also implement rate-limiting into the REST API. For example, if you made 5 unsuccessful activation requests in the last 10 minutes, then you’re locked out. Of course the number of requests and the time would be configurable.

    And a change from status success true to false would be nice, so when my system checks the code and it's expired, customers need to renew their licence.

    Changing the "success: true" to "success: false" would also require changing the response status code. Currently it's sending 200 OK; instead I would send a 4xx or 5xx status code to make it clear that the validation did not succeed.
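    A sketch of what is described above (a public validation route with no key/secret, a lockout after 5 failed attempts within 10 minutes, and a 4xx instead of "200 OK, success: true" for a licence that is not valid), added here as an illustration and not code from the plugin or its author; the route namespace, function names and the in-memory sample licence table are assumptions.

```php
<?php
// Added example, not the plugin's own code: a public validation route that
// needs no key/secret, locks a client out after 5 failed attempts within
// 10 minutes, and answers an invalid licence with a 4xx instead of
// "200 OK, success: true". Namespace, function names and the sample
// licence table are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'lmfw-example/v3', '/licenses/validate/(?P<license_key>[A-Za-z0-9-]+)', [
        'methods'             => 'GET',
        'callback'            => 'lmfw_example_validate_licence',
        'permission_callback' => '__return_true', // intentionally public
        'args'                => [ 'license_key' => [ 'sanitize_callback' => 'sanitize_text_field' ] ],
    ] );
} );

function lmfw_example_lookup_licence( $key ) {
    // Constructed sample data standing in for the plugin's licence table.
    $table = [
        'ABCD-1234' => [ 'status' => 'active',   'expires_at' => time() + DAY_IN_SECONDS ],
        'EFGH-5678' => [ 'status' => 'active',   'expires_at' => time() - DAY_IN_SECONDS ], // expired
        'IJKL-9012' => [ 'status' => 'inactive', 'expires_at' => time() + DAY_IN_SECONDS ],
    ];
    return isset( $table[ $key ] ) ? $table[ $key ] : null;
}

function lmfw_example_validate_licence( WP_REST_Request $request ) {
    $max_failures = 5;                         // both values would be plugin settings
    $window       = 10 * MINUTE_IN_SECONDS;    // window restarts on each failure
    $ip           = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $bucket       = 'lmfw_example_fail_' . md5( $ip );
    $failures     = (int) get_transient( $bucket );

    if ( $failures >= $max_failures ) {
        // Same reply whether or not the key exists, so the lockout reveals nothing.
        return new WP_Error( 'lmfw_rate_limited', 'Too many failed attempts.', [ 'status' => 429 ] );
    }

    $licence = lmfw_example_lookup_licence( $request->get_param( 'license_key' ) );
    $valid   = $licence && 'active' === $licence['status'] && $licence['expires_at'] > time();

    if ( ! $valid ) {
        // Unknown, inactive and expired keys all count as failures and get a 4xx.
        set_transient( $bucket, $failures + 1, $window );
        return new WP_Error( 'lmfw_invalid_license', 'License key is not valid.', [ 'status' => 403 ] );
    }

    delete_transient( $bucket ); // a successful check clears the counter
    return new WP_REST_Response( [ 'success' => true, 'expires_at' => $licence['expires_at'] ], 200 );
}
```

    Keying the counter on the client IP is the simplest choice; behind a shared NAT or proxy it will lock out many users at once, so the key and the thresholds should be configurable.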

    Thread Starter mrthunderfield

    (@mrthunderfield)

    @drazenbebic

    Yes, exactly! I basically need routes that can be called from frontend code which can’t include secrets.

    I’ve been using the plugin now as it is, including the secret in the frontend code, and disabling routes that I don’t need. It’s been working great, but still feels wrong to include the secret in the frontend code.

    @mrthunderfield

    Okay, it makes sense as long as there’s a rate limiting implemented.

    But just so you know, this will be part of the v3 API. I’m still collecting ideas for it so it’s probably going to take a while until it’s here.


The topic ‘Using the API from frontend apps’ is closed to new replies.