WooCommerce REST API user level permissions

I'm interested in WooCommerce as a headless e-commerce solution using its REST API but I have a couple architecture questions.

How are user permissions/authentication handled? As far as I can tell, all WooCommerce API endpoints take a single consumer key which is authenticated by WooCommerce. This is fine for application-level permissions (i.e. limiting which applications can use the API), but I can't see a way to handle more fine-grained user-level permissions.

Does the WooCommerce REST API expect user-level permissions to be handled by the connecting application (which has its own consumer secret stored on its server) to stop things like users accessing other users' orders etc., or is there some plugin or something to handle this stuff?

It would be great if all I had to do was create a front-end in Vue.js and call the WooCommerce API directly without having to develop my own backend to handle user level permissions.

Thanks

There is 1 best solution below

Read https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication

As you can see, the simplest is manually creating consumer keys for selected users and moving them manually to your program; however, there is also an option to automatically create a consumer-key for the logged-in user through an endpoint.

I.e. the permission is according to the consumer-key user's privileges, and a key can be per auth-level or per user, and you can create keys for each user through the endpoint.

Also take a look here for how to log in a user through the REST API without requiring the user to first go to the WordPress site and log in: https://developers.wpengine.com/blog/headless-wordpress-authentication-native-cookies

You should be able to store the user's WooCommerce consumer-key as user-meta through the WP REST API, removing the need to store it in your own backend.
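
The key-generation endpoint this answer refers to, sketched as an added example (not code from the answer or from WooCommerce). The `/wc-auth/v1/authorize` path, its parameters and the callback fields come from the linked WooCommerce documentation; the helper names, the store URL at the site root and all sample values are assumptions.

```javascript
// Added example: helper names and sample values are hypothetical/constructed.
const SCOPES = new Set(["read", "write", "read_write"]);

// Build the URL the logged-in user is sent to so that WooCommerce
// generates an API key bound to that user's account.
// Assumes the store is served from the root of storeUrl.
function buildAuthorizeUrl(storeUrl, { appName, scope, userId, returnUrl, callbackUrl }) {
  if (!SCOPES.has(scope)) throw new Error("unknown scope: " + scope);
  // The callback receives the consumer secret, so refuse plain HTTP.
  if (new URL(callbackUrl).protocol !== "https:") {
    throw new Error("callback_url must be https");
  }
  const url = new URL("/wc-auth/v1/authorize", storeUrl);
  url.search = new URLSearchParams({
    app_name: appName,
    scope, // request the narrowest scope the client needs
    user_id: String(userId), // your app's own user reference, echoed back
    return_url: returnUrl,
    callback_url: callbackUrl,
  }).toString();
  return url.toString();
}

// Validate the JSON body WooCommerce POSTs to callback_url before storing it.
// `pending` is what your app recorded when it started the flow.
function acceptKeyCallback(body, pending) {
  const data = JSON.parse(body);
  if (String(data.user_id) !== String(pending.userId)) {
    throw new Error("callback is for a different user");
  }
  if (data.key_permissions !== pending.scope) {
    throw new Error("granted permissions differ from requested scope");
  }
  const ck = data.consumer_key || "";
  const cs = data.consumer_secret || "";
  if (!ck.startsWith("ck_") || !cs.startsWith("cs_")) {
    throw new Error("malformed key pair");
  }
  return { keyId: data.key_id, consumerKey: ck, consumerSecret: cs, scope: pending.scope };
}
```

Requests made with the resulting key pair run with the privileges of the WordPress user who approved it, which is what gives the per-user permission boundary described above.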