
I am using the REST API in Magento 2. For use with a guest user I want to create an admin token, so I have used a cURL request like this.

$userData = array("username" => "admin", "password" => "password");
$payload = json_encode($userData);
$ch = curl_init("http://127.0.0.1/mag/rest/V1/integration/admin/token");
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Header name is "Content-Length" (not "Lenght") and must stay on one line
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json", "Content-Length: " . strlen($payload)));
$token = curl_exec($ch);
curl_close($ch);
// The response body is a JSON-encoded string, so decode it to get the bare token
$token = json_decode($token, true);

and $token is generated.

But I have a question regarding this: is it safe to use this in my Controller file? If yes, is it good or not? Please suggest any other solution.

Token Generated from ADMIN


Any help is appreciated.

asked Mar 20, 2021 at 14:17

1 Answer


In my opinion, you shouldn't allocate an admin's privileges to a guest user or any customer user for that matter. There is a reason why guest users can access only specific resources. I don't think it would be a good idea to allow any user to perform any admin operations.

Instead you should limit yourself to what Magento allows guest users to do or create custom API endpoints if you really need something else, but I suggest you don't use an admin's credentials to allow a guest user to do stuff on your shop.

As per https://devdocs.magento.com/guides/v2.4/get-started/authentication/gs-authentication-token.html#admin-and-customer-access-tokens:

The Magento web API framework allows guest users to access resources that are configured with the permission level of anonymous. Guest users are users who the framework cannot authenticate through existing authentication mechanisms. As a guest user, you do not need to, but you can, specify a token in a web API call for a resource with anonymous permission.


LE:

  • Admins use a specific token obtained when calling /rest/v1/integration/admin/token (with admin username and password as payload) and a specific, different set of endpoints available for them: https://magento.redoc.ly/2.3.6-admin/
  • Customers have a different token than the admins; it is obtained by calling /rest/V1/integration/customer/token (with customer username and customer account password as payload) and gives access to a specific subset of endpoints only: https://magento.redoc.ly/2.3.6-customer/
  • Guest users don't need a token to be generated (and you can't generate one, AFAIK, since you don't have identification elements for a guest user on your shop) and have access to a limited subset of endpoints (those marked as anonymous in the webapi.xml files); the list is available here: https://magento.redoc.ly/2.3.6-guest/

So basically, you can't generate an admin token for customer or guest users; they have access to resources which are not the admin ones. If you generate admin tokens and give them those tokens, then you are no longer using the subset of endpoints allocated to customers or guest users, you are using the admin endpoints, and you basically 'are an admin' when you request them. So be careful with this.

answered Mar 22, 2021 at 7:36
  • Thanks for your response @diana. As I can see, on using the REST API it will be required to generate a token, so how do I generate that token if I don't use 127.0.0.1/mag/rest/V1/integration/admin/token to generate it? Or do you mean to say I will use the backend-generated access token? Commented Mar 22, 2021 at 8:19
  • What I wanted to say is that specific operations are not allowed for guest users. Guest users are allowed to access only specific resources: these ones, magento.redoc.ly/2.3.6-guest. The other operations are allowed only for customers which are registered and admins, which you can retrieve tokens for. Commented Mar 22, 2021 at 9:09
  • Thanks for the response. So, you mean to say that if any logged-in user uses the REST API then it is OK to use that token, but if any guest user comes in then I will not use that token; I will use the admin token which is provided in the admin dashboard. Commented Mar 22, 2021 at 10:17
  • Actually no. Please check the update on my above answer. Commented Mar 22, 2021 at 11:48
  • Thanks for the nice explanation. Actually my scenario is different: if any customer/guest user clicks on any product it will be saved to the database and then added to the cart, so is it safe to use that admin-generated access token to achieve that, or will you please share any other thoughts? Commented Mar 22, 2021 at 13:55
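The approach the answer recommends, as an added PHP example that is not part of the original post or of Magento's own code: a guest is served through the anonymous guest-cart endpoints with no token at all, a logged-in customer through a token minted from that customer's own credentials, and the admin token is never handed to either. The base URL, SKU and customer credentials are assumed placeholders.

```php
<?php
// Minimal JSON request helper around curl; throws on transport or HTTP errors so a
// failed cart operation is never silently ignored.
function magentoRequest(string $method, string $url, ?array $body, ?string $token)
{
    $ch = curl_init($url);
    $headers = ['Content-Type: application/json'];
    if ($token !== null) {
        $headers[] = 'Authorization: Bearer ' . $token;  // customer token only, never admin
    }
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    if ($body !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
    }
    $raw = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($raw === false || $status >= 400) {
        throw new RuntimeException("Magento API $method $url failed with HTTP $status: $raw");
    }
    return json_decode($raw, true);
}

// Guest flow: POST /V1/guest-carts is an anonymous resource, so no token is sent.
// It returns a masked cart id that scopes every later call to that single cart.
function addToGuestCart(string $base, string $sku, int $qty): string
{
    $cartId = magentoRequest('POST', "$base/V1/guest-carts", null, null);
    magentoRequest('POST', "$base/V1/guest-carts/$cartId/items",
        ['cartItem' => ['sku' => $sku, 'qty' => $qty, 'quote_id' => $cartId]], null);
    return $cartId;
}

// Customer flow: the token comes from the customer's own credentials, so the
// /V1/carts/mine resources can only ever touch that customer's cart.
function addToCustomerCart(string $base, string $email, string $password, string $sku, int $qty): int
{
    $token = magentoRequest('POST', "$base/V1/integration/customer/token",
        ['username' => $email, 'password' => $password], null);
    $cartId = magentoRequest('POST', "$base/V1/carts/mine", null, $token);
    magentoRequest('POST', "$base/V1/carts/mine/items",
        ['cartItem' => ['sku' => $sku, 'qty' => $qty, 'quote_id' => $cartId]], $token);
    return $cartId;
}
```

Call addToGuestCart('http://127.0.0.1/mag/rest', 'SKU-PLACEHOLDER', 1) for an anonymous visitor and addToCustomerCart(...) with the customer's own login for a signed-in one; neither path ever needs the admin credentials, so a bug in the controller cannot escalate to admin operations.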
