Webservice used with Javascript for user cart and order

[AdrienC]

Hello everyone,

I'm facing a security issue while working on a client's project.

 

We are doing a fully custom theme with product selection in javascript.

When the user has finish choosing, we want to create a cart for the current user, then an order for that user.

 

But for what i can find, there is no user identification thrue the webservice and instead i see we should do a customer search with email addresse and encrypted password.

This has several secutiry issues :

- Since our API key is on the front-end, if we open sur customer endpoint, someone could see every customers informations

- For the same reason, someone could see all the carts and all the orders

- Since with the customer search we get a user id, when we'll want to add a cart or an order, we'll have to pass that user id. So, anyone could create an order with the user id they want, for instance creating a wrongly paid order for someone.

 

To avoid that, i would like to use some kind of joker user_id, something like "customer_id: currentLoggedInUser" for every sensible request (customers, cart, order).

Or maybe their is an other way ?

 

Thanks,

Adrien