Cart OCC url

Former Member
0 Likes
Hello,

I am using the below url to get the cart information for anonymous user using guid that is generated in the browser.

https://localhost:9002/rest/v2/electronics/users/anonymous/carts/b4e128c0-6c4b-449a-8c9b-ea80a9bb711...

If I try to access the above url in another machine able to get the cart information.

Someone can hack the URL and get the cart information in the above case. How do I make sure the above URL will work only for that user and not for anyone else?

Also the same thing for the cart URL..

https://localhost:9002/rest/v2/electronics/users/abcd@abcd.com/carts/00004000

The above URL needs the email address of the user and the cart id to get the cart information. How do I protect the username and cart id so that no one else can access the cart information using the above URL?

The above URL requires a token which will be generated using the below URL https://localhost:9002/authorizationserver/oauth/token

Again, to get the token using the above URL you need to pass the client id and secret id (which is basically username and pwd).

How to protect the OCC URLs so they work only for that user and not for anyone else if someone hacked and is trying the URL?

Any help would be appreciated.

Accepted Solutions (0)

Answers (2)

Former Member
0 Likes

Thanks for your quick response Avinash. Please see the attachment..

(1) I created a token using postman and used that token with the below url from 2 pc's

https://localhost:9002/rest/v2/electronics/users/abcd@abcd.com/carts/00004000

I am able to get the cart information from both PCs. Which means someone can hack the token id, username and cart id that is passed as part of the URL, right?

(2) The below URL is used to get the cart info using the GUID for an anonymous user.. I tried this URL from 2 different PCs and was able to get the cart information

https://localhost:9002/rest/v2/electronics/users/anonymous/carts/b4e128c0-6c4b-449a-8c9b-ea80a9bb711...

Am I missing something here? I was expecting it should return any data if I try from another PC because the OCC call should not be valid

Thanks in advance

[1]: /storage/temp/11494-token-generation.png

mpern
Product and Topic Expert
0 Likes

If you have a valid token, you can access the resource, regardless of where the request is coming from. That's how OAuth2 is supposed to work! The token is the secret that needs to be guarded, not the URL.

The anonymous user is a special case: here you can access the cart as long as you know the GUID, because otherwise you would have to log in before you can add anything to a cart. And since the anonymous user is, well, anonymous, you don't have any secret information you need to guard.

Former Member
0 Likes

Hi, to get OAuth, you will send the details in a POST method which is secure, so nothing to worry about losing your identity. And to get cart information via OCC V2, you need authorization in the header, which can be trusted_client or Customer or Customer_manager. This will be assigned based on what attributes you used in fetching the OAuth token, and OCC is a sessionless protocol: once it serves the response it will kill the session.

mpern
Product and Topic Expert
0 Likes

To add to that: If you use a regular, non-trusted client, run a password or authorization code OAuth2 flow where the customer logs in with his credentials. This produces a token that's only valid for this specific customer.
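The resource-server check that the two answers above describe, as an added example (not SAP code and not from this thread): the bearer token, not the URL, is the credential, a customer token is only honoured for the customer it was issued to, a trusted client or customer manager may act on any user's cart, and an anonymous cart is a capability URL whose GUID is the only secret. The token store, token strings and role names are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for the authorization server's view of issued tokens:
# bearer token -> (principal, roles). Role names are assumed, not SAP's exact values.
TOKENS = {
    "tok-customer-abcd": ("abcd@abcd.com", {"ROLE_CUSTOMERGROUP"}),
    "tok-customer-xyz": ("xyz@xyz.com", {"ROLE_CUSTOMERGROUP"}),
    "tok-trusted-client": ("trusted_client", {"ROLE_TRUSTED_CLIENT"}),
}
PRIVILEGED = {"ROLE_TRUSTED_CLIENT", "ROLE_CUSTOMERMANAGERGROUP"}

# OCC-style cart path: /rest/v2/{baseSite}/users/{userId}/carts/{cartId}
CART_PATH = re.compile(r"^/rest/v2/[^/]+/users/([^/]+)/carts/([^/]+)$")


def authorize_cart_request(path: str, bearer: Optional[str]) -> Tuple[int, str]:
    """Return (http_status, reason) for a GET on a cart resource.

    Knowing the URL is never enough for a registered user's cart: the caller
    must present a token whose principal is the user in the path, or hold a
    privileged role. Anonymous carts are reachable by GUID alone, as the
    thread describes (simplified: no client token is modelled for that case).
    """
    m = CART_PATH.match(path)
    if not m:
        return 404, "not a cart resource"
    user_id, _cart_id = m.groups()

    if user_id == "anonymous":
        # Capability URL: the unguessable GUID is the credential.
        return 200, "anonymous cart, guid is the credential"

    if bearer not in TOKENS:
        return 401, "missing or invalid bearer token"
    principal, roles = TOKENS[bearer]

    if roles & PRIVILEGED:
        return 200, "privileged client may act on any user's cart"
    if principal == user_id:
        return 200, "token principal matches the user in the path"
    # Valid token, but issued to someone else: the URL alone buys nothing.
    return 403, "token issued to a different customer"
```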