Open simplenotezy opened 4 years ago
Usually sensitive info is kept in environment variables; how to set these variables depends on where you deploy the code.
So your code might look like this: const options = { consumerKey: process.env.CONSUMER_KEY, ...etc }
I see. However, if you want any calls on the frontend which are not processed by server-side rendering, then I guess you'll be exposing your secret key?
Sent with GitHawk
I'm not talking about repository source code, I'm talking about browser source code by the way
Sent with GitHawk
Browser-side source code is exposed to anyone who visits your website. It is hard to hide the key from those who want to explore the code. The only thing you can do is to limit the access rights of the particular key pairs.
@climba03003 is this seriously standard procedure?
Sent with GitHawk
If exposing the API key pairs is the only option in your scenario, restricting the access rights of the API key is the only option. E.g.
Use middleware - set up a node.js server layer under the SPA that receives and proxies the API call, complete with key and secret. Or, set up a PHP proxy over the top of Woo that does the same; either way you need middleware. I then use Auth0 on the front end to tokenize access to the middleware for sensitive data areas, and using jwt on the node middleware I can validate someone has signed in before completing an API call that writes data or does something sensitive on my woo database.
I am on the same page as @simplenotezy. At the same time I am struggling to understand if this library aims to support server side applications or client side.
It would have been really nice if it was possible to pass a jwt generated by wp to woo and be done with it.
That would make this lib really useful for frontend applications, no? I am thinking decoupled wp+woo on the backend and a separate frontend app which can place orders/checkout and provide basic customer operations through woo rest api.
The plugin is only an axios wrapper class. Since axios can run on both browser and node, this plugin can also achieve the same behavior. You can make your own version of axios wrapper for JWT as JWT is not the official way for WordPress API connection.
Most likely there is something I misunderstand, but how can it be safe to expose the consumer secret and key in the code? People could inspect the source code and retrieve it, no? Or what am I missing here?