Add Customer Authentication Method


We need a customer authentication method. Basically the flow would be:
  1. Adds a private key. (NopRest currently already implements a public key)
  2. Make API request to NopRest using a HASH generated from Username+Password+PublicKey. Parameters sent from client to NopRest are: Username & HASH.
  3. NopRest also generate a HASH based on the same combination of Username+Password+PublicKey.
  4. NopRest compare HASH generated from [3] with HASH received from [2]. If authenticated (they should be the same), return a HASH generated from Username+Password+PrivateKey.
  5. Client upon receiving the HASH, generates a HASH from the same combination of Username+Password+PrivateKey.
  6. Client compares HASH generated from [5] with HASH received from [4]. If correct (they should be the same), the authentication is completed.
Points to ponder:
  1. Is this secured enough?
  2. Is this too many steps & does it involve too many steps? Are client verifications in [5] and [6] necessary?
Please comment. Whoever want to take on this task, please state so in your comments.


mellogrand wrote Sep 5, 2014 at 5:14 PM

I believe this has to do with the usage pattern of the Apis.
Extended security is needed if you plan a direct interaction from user browser with services.
In my case i prefer to have a MVC server side controller that uses the APIs via JSON and operates like a gateway/router versus the client browser.

my 5 cents.

wooncherk wrote Sep 5, 2014 at 5:35 PM

This is actually more for mobile users and external applications, i.e. API accessed from mobile apps and ERP / CRM apps. If it's within the same browser session like you've described, using cookie is enough, no need to re-authenticate. What do you think? :)

ratul_63 wrote Feb 17, 2015 at 6:24 PM

The authentication is required if anyone wish to create an mobile app (android or IOS) for his website. But the process described here is too complicated I think.

wooncherk wrote Feb 25, 2015 at 4:15 AM

Hi Ratul,

Any suggestion on simplifying the authentication process is welcomed! :)

comperiotech wrote May 7, 2015 at 6:05 PM

Why wouldn't it use built-in NOP authentication?

TGirgenti wrote Nov 4, 2016 at 2:19 PM


I'd like to work on this issue and I would like to get involved in maintaining this project.

I realize I don't know very much and I feel that I can learn something and contribute by attempting to add this feature to the nopRest project.

I have already made changes to allow this project to be used in nopCommerce 3.8. I also changed the appearance of the configure view to look more like the standard nopCommerce configuration screens.

If getting involved in a project such as this, seems to be beyond the limited knowledge that I possess, I will understand if my request is not honored.


wooncherk wrote Nov 16, 2016 at 4:20 AM

Hi Tony,

Thanks for your help! Can you make a PULL request? Then I'll incorporate your changes into the source code. :)