
There are a bunch of questions about this everywhere, but none of them are answered. WooCommerce doesn't have support for customer-based authentication through username and password.

We can create API keys to access data on WooCommerce, but it's not restricted per user. Once you have access to the API, all customers' information becomes accessible. (Not related, but I'm also using NativeScript, so all consumer secrets etc. are accessible if the code is decompiled, since it's a JavaScript file. So I cannot use it.)

Someone tried to get his pull request accepted by WooCommerce, but apparently it was rejected. He created an endpoint to authenticate customers with username and password.

Link is here: https://github.com/woocommerce/woocommerce/pull/6133/commits/a4fe8267402358369a4805b1622ed09b49015b20

My question is: how secure is this if I use HTTPS while accessing the API?

Can it be exploited with a DDoS attack to find passwords etc.? Should I add some extra code, something like sleep(1000) (not the smartest way, probably), to make authentication slower, so passwords cannot be cracked by iteration?

What is the best, secure and easy way to authenticate customers to only their data?

The code is also given below:

```php
/**
 * Login a customer
 *
 * @since 2.2
 * @param array $data
 * @return array
 */
public function login_customer( $data ) {

    // Checks the username.
    if ( ! isset( $data['username'] ) ) {
        return new WP_Error( 'woocommerce_api_missing_customer_username', sprintf( __( 'Missing parameter %s', 'woocommerce' ), 'username' ), array( 'status' => 400 ) );
    }

    // Checks the password.
    if ( ! isset( $data['password'] ) ) {
        return new WP_Error( 'woocommerce_api_missing_customer_password', sprintf( __( 'Missing parameter %s', 'woocommerce' ), 'password' ), array( 'status' => 400 ) );
    }

    // Attempts to login customer
    $credentials = array();
    $credentials['user_login'] = $data['username'];
    $credentials['user_password'] = $data['password'];
    $credentials['remember'] = true;
    $user = wp_signon( $credentials, false );

    // Checks for an error in the customer login.
    if ( is_wp_error( $user ) ) {
        return new WP_Error( 'woocommerce_api_cannot_login_customer', $user->get_error_message(), array( 'status' => 400 ) );
    }

    do_action( 'woocommerce_api_login_customer', $user );

    $this->server->send_status( 201 );

    return $this->get_customer( $user->ID );
}
```
Dave Doga Oz
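An added example (not code from the question or from the WooCommerce pull request) of what the sleep(1000) idea is reaching for: a per-client, per-username failed-login throttle hooked into the same wp_signon() path the endpoint uses, built on standard WordPress hooks and transients. It assumes it is loaded as a (mu-)plugin next to the endpoint; the constant names and the transient key prefix are choices made for this example.

```php
<?php
// Added example, not the PR's code: throttle failed logins for login_customer()
// with WordPress transients instead of sleep(). Assumed to run as a (mu-)plugin.

define( 'WC_LOGIN_MAX_ATTEMPTS', 5 );                       // failures before lockout
define( 'WC_LOGIN_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );  // lockout / counter window

function wc_login_throttle_key( $username ) {
    // Bucket by client address AND username: one host cannot lock out every
    // customer, and one account cannot be sprayed with guesses from one host.
    // Behind a reverse proxy, take the address from the trusted proxy header instead.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wc_login_throttle_' . md5( $ip . '|' . strtolower( trim( $username ) ) );
}

function wc_login_is_locked( $username ) {
    return (int) get_transient( wc_login_throttle_key( $username ) ) >= WC_LOGIN_MAX_ATTEMPTS;
}

// Priority 30 runs after core's username/e-mail password checks (priority 20),
// so a locked client is refused even when it finally guesses correctly.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' !== $username && wc_login_is_locked( $username ) ) {
        // Generic message: do not reveal whether the account exists.
        return new WP_Error( 'too_many_attempts', __( 'Too many login attempts. Please try again later.', 'woocommerce' ) );
    }
    return $user;
}, 30, 3 );

// Core fires this with the same sanitized username the filter received.
// Attempts made while locked also count, so the window re-arms on each try.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = wc_login_throttle_key( $username );
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, WC_LOGIN_LOCKOUT_SECS );
} );

// A successful login clears the counter for this client, whether the customer
// signed in with their login name or their e-mail address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wc_login_throttle_key( $user_login ) );
    delete_transient( wc_login_throttle_key( $user->user_email ) );
}, 10, 2 );
```

The throttle only limits guessing; the endpoint itself still only returns the record of the account whose password was verified (`$user->ID`), which is what keeps each customer restricted to their own data.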
    Possible duplicate of [How to authenticate existing customer via WooCommerce rest API](https://stackoverflow.com/questions/46022349/how-to-authenticate-existing-customer-via-woocommerce-rest-api) – lofidevops Sep 06 '17 at 11:01
