API Authentication For Customers?

Hi There,

We are trying to allow customers to delete their accounts via API. I know API is typically set up for admin privileges. Is there a way to authenticate customers for specific purposes so that they are able to delete their accounts?

Thank you.

Hello!

You can enable the API for your customers by setting the value of the api_allow_customer tweak to true:

$config['tweaks']['api_allow_customer'] = true;

in the config.local.php file or in its override, local_conf.php.

Then your customers can receive the token by sending a POST request with the login and password to the auth_tokens API entity. For example:

```php
<?php

// Request an auth token for a customer from the auth_tokens API entity.
$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "http://localhost/api/auth_tokens/",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    // Customer login and password, sent as a JSON body.
    CURLOPT_POSTFIELDS => '{"email": "customer@example.com","password": "customer"}',
    CURLOPT_HTTPHEADER => [
        "Content-Type: application/json"
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    // The response body carries the token.
    echo $response;
}
```

The received token can later be used for authentication. Instead of using the email and API key pair in basic auth, you will be able to simply send the token in the User field of basic auth.

As for deleting the customer account at his/her own request, you will need to create a separate API entity that makes such an action possible.

Hope it helps.

Thanks very much for the response. I’m still getting an unauthorized error even after following the above steps. We are doing:

  1. Enabled API for customers by changing api_allow_customer to true in config
  2. Still getting unauthorized error when sending a POST request, calling the login API gets a token
  3. We GET a token, when we try to use that token to submit a request, it’s giving an unauthorized error

Are we missing anything from the above?

Thank you.

Hi!

Please check if your server does not truncate the $_SERVER['PHP_AUTH_USER'] variable.
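
One way to run the check suggested above, as an added example that is not part of the original replies and is not CS-Cart code. It also covers the case where the Authorization header never reaches PHP at all, which goes beyond truncation. The function name `basic_auth_user` is hypothetical, and the script assumes it is placed temporarily on the same virtual host as the API and requested with the token as the basic auth user.

```php
<?php
// Added diagnostic (assumption: served temporarily from the same vhost as the API).
// Request it with the token as the Basic auth user and an empty password.

/**
 * Return the Basic auth user name as PHP sees it, plus where it was found.
 * $server is a $_SERVER-style array, so constructed input can be passed in as well.
 */
function basic_auth_user(array $server): array
{
    // Normal case: the SAPI parsed the Authorization header itself.
    if (isset($server['PHP_AUTH_USER'])) {
        return ['source' => 'PHP_AUTH_USER', 'user' => $server['PHP_AUTH_USER']];
    }
    // CGI/FastCGI setups may expose only the raw header, sometimes with a REDIRECT_ prefix.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key]) && stripos($server[$key], 'Basic ') === 0) {
            $decoded = base64_decode(trim(substr($server[$key], 6)), true);
            if ($decoded === false) {
                return ['source' => $key, 'user' => null];
            }
            // Credentials are "user:password"; split on the first colon only.
            return ['source' => $key, 'user' => explode(':', $decoded, 2)[0]];
        }
    }
    // The Authorization header did not reach PHP in any form.
    return ['source' => null, 'user' => null];
}

$result = basic_auth_user($_SERVER);
$user = $result['user'];

header('Content-Type: application/json');
// Report length and a short prefix only, so the token itself never lands in output or logs.
echo json_encode([
    'source' => $result['source'],
    'length' => $user === null ? null : strlen($user),
    'prefix' => $user === null ? null : substr($user, 0, 4),
]);
```

Compare `length` and `prefix` with the token returned by auth_tokens: a shorter length means the value is being truncated, and a `source` other than `PHP_AUTH_USER` means the variable named in the reply above is not being populated by the server. Remove the script once the check is done.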

Allowing customers to delete their accounts via an API is a common use case, and it can be done while ensuring security and authentication. To enable customers to delete their accounts through an API, you should follow these general steps:

  1. Implement user authentication to ensure that only the account owner can delete their account.
  2. Use standard authentication methods such as OAuth 2.0, API keys, or token-based authentication to identify and authorize the user.
  3. You can require the user to authenticate themselves by providing their username and password or an access token.
  4. Ensure that you have a mechanism in place to confirm that the user intends to delete their account. This could be a confirmation step, like a confirmation email or a two-factor authentication (2FA) token.
  5. Create a dedicated API endpoint for account deletion, e.g., DELETE /api/users/{user_id}.
  6. Validate the request to ensure it’s coming from the authenticated user.
  7. Check the user’s permissions and ensure that they have the necessary privileges to delete their account.
  8. When the request is validated and authorized, proceed with the account deletion.
  9. Handle any cascading effects of account deletion, such as deleting associated data, revoking access tokens, or cleaning up resources.