• Resolved Anonymous User 16282999

    (@anonymized-16282999)


    Hi,

    I was wondering if it’s possible for an API key to get automatically generated when a license key is created and display the API key to the user. That way everyone has their own unique API key which is tied to their user account. Also, are there any rate-limiting settings that I could configure to prevent a user from making excessive requests to the license server?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hello @marcwoodyard

    Thank you for your message and for using my plugin.

    Sure it would be possible, but I would probably need to add some hooks and functions which would allow you to do what you have suggested. In the current plugin state, it’s not possible without modifying the plugin code itself.

    However, I’m not sure what problem you’re trying to solve by giving each customer their own API key?

    My plugin does not support rate limiting. I’m not sure if this will be handled by my plugin at all, since it seems a bit out of scope. There are possibly other plugins which will allow you to do this, or a WordPress filter which can be used?

    Thread Starter Anonymous User 16282999

    (@anonymized-16282999)

    Hi @drazenbebic,

    By providing each user with their own API key, I wouldn’t have to hard code the API keys in software. If for some reason the API keys had to be regenerated, I would have to recompile the software with the updated API keys.

    Also, it would provide a little bit of security by only allowing users who purchased a product access to the license server instead of having it respond to requests from anyone who connects to it.

    Additionally, if someone was trying to brute force license keys, it could rate-limit requests and block users who are abusing the system.

    Just a few questions…

    1. When generating API keys, I had to assign the keys to an admin user for it to work. Do the API keys require admin privileges on the site, or will another site role work like store manager?

    2. If the API keys are assigned to an admin user, can the keys be used to access other WordPress Rest API endpoints like managing pages or users?

    Hello @marcwoodyard

    That’s one way to look at it, but rate-limiting could also be implemented on the server, which would make more sense I would say. As for the API keys being compiled – I don’t see the problem here, as long as you keep them stored somewhere safely (KeePass comes to mind).

    To answer your questions:

    1. In the next plugin update I will add a low-level account role (Licensing agent) for REST API license manipulation only. Currently it HAS to be an administrator.

    2. Don’t worry, as those API keys are scoped to only be able to perform actions within the license manager plugin. They can’t be used for ANYTHING else.

    Thread Starter Anonymous User 16282999

    (@anonymized-16282999)

    That helps a lot, thanks for the info @drazenbebic!

    @marcwoodyard

    No problem. As I said, the next update will feature a new low-level user role named “Licensing agent” which will only have permissions to use the REST API. You could even use a capability manager to add or remove capabilities for individual routes.

    Once that update is live, you can just change the role of the user whose API keys you have compiled into your application to “Licensing agent” and everything will keep working.

    Even though it’s a non-issue, I still think that people are more comfortable with using specialized roles that can only do what they are supposed to do.

  • The topic ‘REST API Auto Generated For Users’ is closed to new replies.
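
The per-key blocking of license-key guessing discussed in this thread, as an added example (not code from the plugin or from anyone in the thread). The class name, thresholds and sample API keys are assumptions, and Python is used only to show the logic that would sit in front of the license endpoint on the server.

```python
from collections import defaultdict, deque

class FailedLookupLimiter:
    """Block an API key after too many failed license lookups in a sliding window."""
    def __init__(self, max_failures=3, window=60.0, block_for=300.0):
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self._failures = defaultdict(deque)  # api_key -> times of recent failed lookups
        self._blocked_until = {}             # api_key -> time at which the block expires

    def allowed(self, api_key, now):
        """True if this key may query the license endpoint at time `now`."""
        until = self._blocked_until.get(api_key)
        if until is not None and now < until:
            return False
        self._blocked_until.pop(api_key, None)  # no block, or the block has expired
        return True

    def record(self, api_key, license_found, now):
        """Record a lookup result; return True if this failure triggers a block."""
        if license_found:
            return False                     # successful lookups are never counted
        hits = self._failures[api_key]
        hits.append(now)
        while hits and hits[0] <= now - self.window:  # drop failures outside the window
            hits.popleft()
        if len(hits) < self.max_failures:
            return False
        self._blocked_until[api_key] = now + self.block_for
        hits.clear()
        return True

def replay(events, limiter):
    """Apply (time, api_key, license_found) events; return one decision per event."""
    decisions = []
    for now, key, found in events:
        if not limiter.allowed(key, now):
            decisions.append("rejected")     # answered without touching license data
        elif limiter.record(key, found, now):
            decisions.append("blocked")      # this lookup was served, later ones are not
        else:
            decisions.append("served")
    return decisions

# Constructed sample traffic: key-a is a normal customer, key-b guesses license keys.
SAMPLE_EVENTS = [
    (0, "key-a", True), (1, "key-b", False), (2, "key-b", False), (3, "key-b", False),
    (4, "key-b", False), (5, "key-a", True), (304, "key-b", True),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, FailedLookupLimiter()))
```

Because the counter is keyed by API key, this only separates customers when each one has their own key; with a single key compiled into the application, one abusive client would get every installation blocked.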