• We want to be able to restrict the API usage per device and we are not able to find a solution for that. Right now, if we generate keys, those keys can be used in multiple instances of the app and we cannot keep track of how many devices are using a set of API keys.

    Note:
    We built CloudPOS for WooCommerce https://bitly.com/CloudPOSApp – an iOS-based point of sale app that specifically works with WooCommerce only. It has tight integration of products, sales, reports, etc.

    https://wordpress.org/plugins/woocommerce/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor Mike Jolley

    (@mikejolley)

    AFAIK the API does not allow this. Keys can be used by anyone with access to said keys. You’d have to handle any usage/restrictions your side.

    Thread Starter fid

    (@fid)

    Thanks Mike.

    So I implemented the Authorization endpoint in the app, as it makes it easy to get the keys. On the first device I authorize, they work fine; then when I do it again for the other device, I get new keys. Is there a way to allow key generation only once? Perhaps I could have a setting in functions.php that I can change to set the number of allowed key generations.

    Plugin Contributor Mike Jolley

    (@mikejolley)

    Possibly if you had access to the site, but if you’re offering an app you’re not going to have that kind of access to user stores.

    Thread Starter fid

    (@fid)

    Yes, I’m actually experimenting with running (multisite) WooCommerce SaaS, so everyone who signs up as a customer of our POS gets their own Woo instance with our white-label branding. Others with self-hosted stores who jump on the POS will need to install our own custom plugin that will enable some functionalities.

    Plugin Contributor Mike Jolley

    (@mikejolley)

    Then you could serve keys with a custom plugin, but be careful as these are unique for security reasons and shouldn’t affect your app.


The topic ‘[API] Restrict key usage to per device / app’ is closed to new replies.
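
One way to handle the restriction on your own side, as the replies suggest: an added sketch (not from the thread and not WooCommerce code) of a server-side registry that caps how many devices can be enrolled against one set of keys and gives each device its own secret for signing requests. The class, function names and device ids are hypothetical; Python is used only to show the logic a custom plugin or a proxy in front of the store would carry.

```python
import hashlib
import hmac
import secrets
import time


class DeviceLimitReached(Exception):
    """Raised when a key set already has its allowed number of devices."""


class DeviceRegistry:
    """Tracks which devices may use one set of store API keys (hypothetical helper)."""

    def __init__(self, max_devices, max_skew=300):
        self.max_devices = max_devices
        self.max_skew = max_skew          # seconds a signed request stays valid
        self._secrets = {}                # device_id -> per-device secret

    def enroll(self, device_id):
        """Issue a per-device secret once; refuse re-issue and refuse past the cap."""
        if device_id in self._secrets:
            raise ValueError("device already enrolled; revoke it first")
        if len(self._secrets) >= self.max_devices:
            raise DeviceLimitReached(f"limit of {self.max_devices} devices reached")
        self._secrets[device_id] = secrets.token_bytes(32)
        return self._secrets[device_id]

    def revoke(self, device_id):
        """Free a slot, e.g. when a till is lost or replaced."""
        return self._secrets.pop(device_id, None) is not None

    def device_count(self):
        return len(self._secrets)

    def verify(self, device_id, method, path, timestamp, signature, now=None):
        """Accept a request only from an enrolled device with a fresh, valid HMAC."""
        secret = self._secrets.get(device_id)
        if secret is None:
            return False
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.max_skew:
            return False
        return hmac.compare_digest(sign(secret, method, path, timestamp), signature)


def sign(secret, method, path, timestamp):
    """Device side: HMAC-SHA256 over method, path and timestamp."""
    msg = f"{method.upper()}\n{path}\n{int(timestamp)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()
```

The store's consumer key and secret stay on the server; a device only ever holds its own secret, so the registry can count devices and revoke one without regenerating the store keys.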