Added endpoint for customer login #6133
@rmccue out of curiosity, is this sort of endpoint something y'all have on the roadmap for WP API?
1. Renamed method from Login to Authenticate
2. Changed wp_signon to wp_authenticate
3. Changed WP_Error return code to 401 (Unauthorized)
4. Removed hook and success status code
Thanks @maxrice for a code review. I've changed the method name from login to authenticate and did some cleanup. Today I discovered a few other methods that I need but are currently missing in the API. They are related to payment processing. Looks like I'll need to create a custom plugin that will extend WC_API_Resource and implement the additional endpoints that I need. In case you guys decide not to include the authentication endpoint in the plugin, I can move it into my custom plugin as well. Didn't think about that before.
No, and intentionally so. The only way to authenticate via the API is either cookies (that is, be logged in already) or OAuth. Exposing any way to convert username/password to an authentication token (whether that be this style, or XAuth, etc) encourages the "just input your username and password" antipattern. Encouraging users to input their username/password outside of the site itself means we're teaching users to be less careful about it, and I want to discourage that as much as possible.
Thanks @rmccue, your point makes sense. In my case I'm building a mobile app that will serve as a front-end application for a WooCommerce store. And I need to implement a user account section there with the ability for a user to register, log in and update personal information in the app. I'm not sure how else you can do that without the authentication endpoint. It doesn't look like an OAuth case here, at least to me. @maxrice, as I mentioned earlier, I discovered a few other endpoints that are currently missing. They are payment related, therefore it doesn't make sense to add them to the general WC API. Considering that, I decided to move the authentication endpoint to a custom plugin where other custom endpoints will live. Just did that and everything works great. Thanks a lot for At this point it doesn't matter much to me whether this is going to be merged into the plugin or not. I'm leaving it up to you guys to decide.
@rmccue thanks, I figured you guys had already thought about it :) @artemkolotilkin It's probably best to add this to a custom plugin instead. At some point I'd like to have an OAuth2 flow so the user could authenticate without actually providing their username/password off-site, but it's a long ways off.
Glad to hear they helped! It'd be cool to see the finished plugin when you're done with it.
Hi, I would like to revoke this issue because I think it is important to have an authenticate endpoint for mobile apps. With the current version of the WooCommerce API, anyone is able to get access to other accounts (using the email endpoint) and make orders there and get all private information like address, phone number, avatar image, etc., and this makes the email's endpoint insecure!
Moved to roadmap for voting/discussion here: https://trello.com/c/LHU78CF2/50-rest-api-login-auth-user
@artemkolotilkin have you ever made such a plugin? If so, are you willing to make it public?
+1 to the @vnen question. I'm trying to create an app using this API, but I need a login for the customer.
The logic to address feature request suggested in #6126.