Security for your website

Hi everyone.

  1. Customer key & secret with READ permission is enough.

Since Oreo Fashion v1.3.4 and all Lekima versions, the app only needs READ permission to work.

=> This ensures that anyone who gets your customer key & secret can't write data to your store.


That key is important too. It's like a password; you can type anything. But don't leave the default, because we use that key to encode the token for user login on the app. If you don't set it up, someone who understands the way we encode and decode the token can generate a token with your admin permission and log in to your site.

  1. If anyone needs your info, please provide CUSTOMER KEY & SECRET with READ permission. If you provide admin/password, ensure you back up the site.

If there are any more problems I will note them here.

Thanks to all.

Storing ck_ and cs_ in app code is still bad practice. I was able to customize my setup to ensure full security by:

  • Make user auth a must.
  • Make an endpoint that verifies every request from the app. Store ck_ and cs_ in that endpoint.
  • Make ALL app requests go through the verify endpoint only.
  • Verification and the current user are determined by the user token.
  • Restrict all requests from/to that endpoint to current user only. (so he can only view his orders)
  • Restrict GET POST PUT methods based on each endpoint of mobile-builder and wc or any other API used by app.

Pros of above method:

  • You can use read/write to WC API keys.
  • You can change API keys anytime (they are stored on the server and not in app code)
  • You can monitor and restrict all accesses to app.


  • You need to make login mandatory.
  • It may cause load on server, because it will make server make requests to itself.

Note: The above is just a suggestion to the rnlab team. Maybe it won't work for everyone's needs.

How were you able to modify the code to stop storing the ck_ and cs_ in the app?

I modified the React Native code and the rnlab plugin to make this work. It is not so simple.

@woogeek your way get cs_ and ck_ easy that store in source code.

In your way, the user logs in and gets cs_ and ck_?


ck_ and cs_ are stored inside the verification endpoint.

See the example code below for how it works.

if (!defined('ABSPATH')) {
    exit; // no direct access outside WordPress
}

if (!class_exists('RN_Custom_Endpoint_rnapp')) {

    class RN_Custom_Endpoint_rnapp {

        private $cs; // WooCommerce consumer secret, kept server-side only
        private $ck; // WooCommerce consumer key, kept server-side only

        public function __construct() {
            $this->cs = "cs_";
            $this->ck = "ck_";
            add_action('rest_api_init', array($this, 'register_endpoint_route'));
        }

        public function register_endpoint_route() {
            $namespace = "rn-rest-api/v1";
            register_rest_route($namespace, 'verification', array(
                'methods' => 'POST',
                'callback' => array($this, 'verification_callback'),
                // the callback checks the user token itself
                'permission_callback' => '__return_true',
            ));
        }

        public function verification_callback($request) {
            //perform functionality
            $rnapp = new Rnapp_App_Control_Public(RNAPP_PLUGIN_NAME, RNAPP_APP_CONTROL_VERSION);
            // decode the user token sent by the app
            $verify = $rnapp->decode();
            if (!is_wp_error($verify)) {
                $user_id = $verify->data->user_id;
                //check is user id exists in db
                $user = get_user_by('id', $user_id);
                if ($user) {
                    //get parameters from request data
                    $post_verification_url = (string) $request->get_param('post_verification_url');
                    // refuse an empty URL and the product reviews endpoint
                    if ($post_verification_url == '' || (0 === stripos($post_verification_url, '/wc/v3/products/reviews'))) {
                        $error = new WP_Error();
                        $error->add(403, "Post Verification URL missing in the request/Post Verification URL endpoint not found", array('status' => 400));
                        return $error;
                    }
                    $post_verification_method = strtoupper((string) $request->get_param('post_verification_method'));
                    if ($post_verification_method == '') {
                        $error = new WP_Error();
                        $error->add(403, "Post Verification Method is missing in the request", array('status' => 400));
                        return $error;
                    }
                    // forward the request to the site's own REST API with the stored keys
                    $get_rest_url = get_rest_url(null, $post_verification_url);
                    $args = array(
                        'headers' => array(
                            'Authorization' => 'Basic ' . base64_encode($this->ck . ':' . $this->cs),
                            'Content-Type' => 'application/json',
                        ),
                        'method' => $post_verification_method,
                    );

                    if ($post_verification_method == 'POST') {
                        $post_verification_data = $request->get_param('post_verification_data');

                        if ($post_verification_data == '') {
                            $error = new WP_Error();
                            $error->add(403, "Request cannot be posted with empty data", array('status' => 400));
                            return $error;
                        }
                        $args['body'] = $post_verification_data;
                    }
                    $response = wp_remote_request($get_rest_url, $args);
                    if (is_wp_error($response)) {
                        $error_message = $response->get_error_message();
                        $error = new WP_Error();
                        $error->add(403, $error_message, array('status' => 400));
                        return $error;
                    } else {
                        return json_decode(wp_remote_retrieve_body($response));
                    }
                } else {
                    $error = new WP_Error();
                    $error->add(403, 'Sorry user data not found in database', array('status' => 400));
                    return $error;
                }
            } else {
                $error = new WP_Error();
                $error->add(403, "Unable to Verify Token", array('status' => 400));
                return $error;
            }
        }
    }

    new RN_Custom_Endpoint_rnapp();
}
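
The per-user and per-method restrictions listed earlier in the thread ("restrict all requests to current user only", "restrict GET POST PUT methods based on each endpoint") are not part of the posted endpoint. The following is an added example of such a check, not code from the thread or from the rnlab plugin. The rule table, the function name `rn_proxy_authorize` and the sample requests are assumptions, and it runs as plain PHP without WordPress.

```php
<?php
// Added example, not the plugin's code. Rule table and function name are hypothetical.

// Allowlist: route pattern => HTTP methods the app may use on it.
const RN_PROXY_RULES = array(
    '#^/wc/v3/products(/\d+)?$#' => array('GET'),
    '#^/wc/v3/orders$#'          => array('GET', 'POST'),
    '#^/wc/v3/customers/(\d+)$#' => array('GET', 'PUT'),
);

/**
 * Decide whether a proxied request may be forwarded for $user_id.
 * Returns the rewritten query and body, or null when it must be refused.
 */
function rn_proxy_authorize(string $method, string $url, array $body, int $user_id): ?array
{
    $parts = parse_url($url);
    // Accept only site-relative routes: no scheme and no host.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return null;
    }
    $path = $parts['path'] ?? '';
    parse_str($parts['query'] ?? '', $query);
    $method = strtoupper($method);

    foreach (RN_PROXY_RULES as $pattern => $methods) {
        if (!preg_match($pattern, $path, $m)) {
            continue;
        }
        if (!in_array($method, $methods, true)) {
            return null; // route is known, method is not allowed on it
        }
        if (strpos($path, '/wc/v3/customers/') === 0 && (int) $m[1] !== $user_id) {
            return null; // a user may only touch their own customer record
        }
        if ($path === '/wc/v3/orders') {
            // Overwrite, never trust, the owner fields sent by the app.
            if ($method === 'GET') { $query['customer'] = $user_id; }
            else { $body['customer_id'] = $user_id; }
        }
        return array('path' => $path, 'query' => $query, 'body' => $body);
    }
    return null; // default deny: route is not on the allowlist
}

// Constructed sample requests, evaluated for the token's user id 7.
foreach (array(array('GET', '/wc/v3/orders?customer=1'), array('PUT', '/wc/v3/customers/1'),
               array('DELETE', '/wc/v3/products/3'), array('GET', '//example.org/wc/v3/orders')) as $r) {
    $ok = rn_proxy_authorize($r[0], $r[1], array(), 7);
    echo $r[0], ' ', $r[1], ' => ', $ok === null ? 'DENY' : 'ALLOW ' . json_encode($ok), "\n";
}
```

Single-order routes such as `/wc/v3/orders/<id>` are left off the allowlist on purpose: the `customer` filter only applies to the collection, so a per-id route needs an ownership lookup before it can be forwarded.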