wp-calypso
Marketplace: Product Licensing - Implement API authentication using API/Secret when calling get subscription information route
Summary
Implement Basic Auth using API/Secret keys issued to vendors for validating whether requests are valid, and we need to protect API routes like getting subscription information.
Related to pdh6GB-1dL-p2#comment-1951
The API that needs to be authenticated is created as part of https://github.com/Automattic/wp-calypso/issues/65347
Looks like this will require a new authentication method in rest-api-plugins/centralized/auth.php
It looks like authentication methods for the WP REST API resolve to a user account. Will we create/associate a wpcom user account with every vendor?
Rather than adding a new authentication method to the API, could we generate an oauth client for each partner as they register? There is some prior art for Jetpack partners that we might take inspiration from? 2cf99-pb/#plain
> It looks like authentication methods for the WP REST API resolve to a user account. Will we create/associate a wpcom user account with every vendor?
Yes, each vendor will have a WC.com account, which uses wpcom accounts. Yes, we could look into using the vendor account for auth; I am just wondering if decoupling the vendor account from the system that requests subscription details would make sense. For example, a vendor could change their password and forget to change the auth details in their systems. Changing their API key (regenerating it), though, would make it more explicit that auth details have changed (they invoked the change) and that they should update their systems.
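The shape of the key/secret Basic Auth check discussed above, as an added example that is not code from wp-calypso, the WordPress.com REST API, or D85549. The in-memory `VendorKeyStore`, the `authenticate_vendor` helper and the header map it reads are assumptions for illustration; the secret is stored only as a password hash, the secret comparison is constant-time via `password_verify`, and regenerating a pair revokes the old one without touching the vendor's account password, which is the decoupling argued for in the thread.

```php
<?php
// Added example, not the project's own auth code. Store, helper and route
// context are assumptions; a real auth.php method would still have to map
// the returned vendor_id onto the request (the open question in the thread).
declare(strict_types=1);

final class VendorKeyStore
{
    /** @var array<string, array{vendor_id:int, secret_hash:string, revoked:bool}> */
    private array $byKey = [];

    /** Issue a key (public identifier) and a secret shown to the vendor once. */
    public function issue(int $vendorId): array
    {
        $key    = bin2hex(random_bytes(16));
        $secret = bin2hex(random_bytes(32));
        $this->byKey[$key] = [
            'vendor_id'   => $vendorId,
            'secret_hash' => password_hash($secret, PASSWORD_DEFAULT), // never the clear secret
            'revoked'     => false,
        ];
        return ['key' => $key, 'secret' => $secret];
    }

    /** Regenerate = revoke the old pair, issue a new one for the same vendor. */
    public function regenerate(string $oldKey): array
    {
        if (!isset($this->byKey[$oldKey])) {
            throw new RuntimeException('unknown key');
        }
        $this->byKey[$oldKey]['revoked'] = true;
        return $this->issue($this->byKey[$oldKey]['vendor_id']);
    }

    public function lookup(string $key): ?array
    {
        return $this->byKey[$key] ?? null;
    }
}

/**
 * Parse "Authorization: Basic base64(key:secret)" and return the vendor_id,
 * or null when the request must be rejected with 401.
 */
function authenticate_vendor(array $headers, VendorKeyStore $store): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('unknown-key-placeholder', PASSWORD_DEFAULT);

    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $auth, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict: reject malformed base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$key, $secret] = explode(':', $decoded, 2);

    $record = $store->lookup($key);
    if ($record === null || $record['revoked']) {
        // Spend the same hashing cost on unknown/revoked keys as on bad secrets,
        // so response time does not reveal which keys exist.
        password_verify($secret, $dummyHash);
        return null;
    }
    if (!password_verify($secret, $record['secret_hash'])) {
        return null;
    }
    return $record['vendor_id'];
}

// Constructed walk-through: issue, authenticate, regenerate, old pair rejected.
$store = new VendorKeyStore();
['key' => $key, 'secret' => $secret] = $store->issue(42);
$headers = ['Authorization' => 'Basic ' . base64_encode($key . ':' . $secret)];
assert(authenticate_vendor($headers, $store) === 42);

$bad = ['Authorization' => 'Basic ' . base64_encode($key . ':not-the-secret')];
assert(authenticate_vendor($bad, $store) === null);

$fresh = $store->regenerate($key);
assert(authenticate_vendor($headers, $store) === null); // old pair revoked
$headers2 = ['Authorization' => 'Basic ' . base64_encode($fresh['key'] . ':' . $fresh['secret'])];
assert(authenticate_vendor($headers2, $store) === 42);
```

Two practical caveats: Basic Auth only makes sense over TLS, since the key and secret travel in the header on every request, and the secret should be returned to the vendor exactly once at issue/regeneration time so that a database leak yields only hashes.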
Diff created: D85549-code
Deployed r250526-wpcom