Hey there, I’m working on a React/Node.js web app right now. Basically I’m planning to host this app on a subdomain of a WordPress site with WooCommerce.
And the final plan is to give access to the Node.js app only to customers who paid for the subscription (one-time payment) on my WooCommerce site.
I already saw that there is no straight support for WooCommerce migration. I do know that I can migrate the WP MySQL database in order to migrate the users.
But that still leaves me with one issue: how can I prevent people who didn’t purchase from signing up through Auth0? I thought about an email address whitelist but I’m not sure how to approach it or if that’s a good fit.
I’m also okay with passwordless access, but it has to be only for the customers’ emails.
I also thought about disabling signup through the Auth0 widget >> migrating new users only from the WordPress database >> only logging in to the app through Auth0.
Any suggestions for the best practice and solution for this one?
When an order is complete for your service, you could use a WooCommerce webhook to notify a third-party job queue service that the user should be given access to your API. Something I’ve seen before when working with AWS is setting up an API Gateway → SQS → Lambda integration, so that the WooCommerce webhook calls the API Gateway, a job is queued in SQS, and that job triggers the Lambda function that updates the user’s data in the other system.
There are probably simpler ways to handle this, but the idea is that the webhook would kick off a job that would be responsible for creating the user in Auth0. You’d likely want to use a queuing service like AWS’s SQS service so that you could monitor if anything ever went wrong with the integration.
Once you’ve decided how WooCommerce will send out the message that the user has completed their order, you could set up an invite-only flow for your application:
Auth0 Rule
Alternatively, another idea would be to call the WooCommerce REST API from within an Auth0 Rule to see if the user has purchased your service. If they have, then you can either assign a role to the user that gives them the permissions they need (ideal if you ever want a tiered service) or you can simply add a flag to the user’s app metadata. The rule would throw an authorization error if the user has not purchased your service.