I have my own collection table which I created containing various customer information including how many “credits” a customer has paid for (shame Wix does not offer a credits based shopping solution) and also the Member’s API key for sending me automated requests for services.
This table is accessed by Members only and their email is the key used to retrieve data to web pages e.g. how many credits they have.
My concerns are:
Can a fraudulent Member simply send another member’s email address to the back end (by knowing another member’s email address and manipulating the JavaScript code sent from their browser)?
I guess I could do a backend check to make sure the email address received from the front end matches the logged in current user email address as a work around?
Can I store customer data in a more secure location e.g. Wix own collection for Members details and add my own custom fields or are those read only?
I am aware of Secrets Manager which I tried to use to store the Members’ API keys, but it is Admin only access, which means I have to manually add API keys to be stored, and I prefer Members to be able to use the website 24/7 automatically. Maybe I can use suppress auth with Secrets so Members can write and retrieve their own API key?
All help is welcome. I am not too keen on having to do major code rewrites or database redesigns if possible.
Rather than passing the member’s email to retrieve credit information, you can create a function that has no parameters and checks for the currently logged in user within the backend function itself.
Example (Backend Function using getMember() from Wix Members Backend API)
import { currentMember } from 'wix-members-backend';

export function getMemberCreditInfo() {
  // No parameters: the member is resolved from the current session on the backend,
  // so the frontend has no email argument it could swap for another member's.
  const options = { fieldsets: ['FULL'] };
  return currentMember.getMember(options)
    .then((member) => {
      const memberId = member._id;
      // Handle retrieving necessary information from collections to return data to the frontend
      return { memberId };
    })
    .catch((error) => {
      console.error(error);
    });
}
Question 2
As long as the Data Collection permissions are set properly, and your functions for accessing the data are written securely, storing your user generated API keys can be securely done inside of a collection you created.
However, it is also possible to create private Custom Member Fields and access them via the Wix Members API.
Question 3
Wix Secrets Manager is intended for your application’s authorization keys. Storing user generated keys for access to your service can be done within the data collections as long as they are accessed and stored securely.
Keep in mind, as I am without specific details about your implementation, there may be additional steps required to ensure your code is written securely.
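As an added example that is not part of the original answer, the following plain JavaScript models the two designs discussed above side by side: the lookup keyed on a client-supplied email versus the lookup keyed on the backend's own view of who is logged in. The credits collection and the session object are constructed stand-ins; in a real Velo backend they would come from `wixData` and `currentMember.getMember()` (whose result carries a `loginEmail` field).

```javascript
// Constructed stand-in for the custom credits collection, keyed by member email.
const creditsCollection = [
  { email: 'alice@example.com', credits: 12 },
  { email: 'bob@example.com', credits: 3 },
];

// Constructed stand-in for the identity the backend learns from the session.
// In Velo this comes from currentMember.getMember(), never from the browser.
function makeSession(loginEmail) {
  return { loginEmail };
}

function findRow(email) {
  return creditsCollection.find((row) => row.email === email);
}

// Vulnerable design: the backend trusts whatever email the frontend sends,
// so a logged-in member can read any other member's row by changing the argument.
function getCreditsUnsafe(emailFromClient) {
  const row = findRow(emailFromClient);
  return row ? row.credits : null;
}

// Hardened design from the answer: no email parameter at all. The lookup key is
// derived from the server-side identity, so there is nothing for the client to tamper with.
function getCreditsForCurrentMember(session) {
  if (!session || !session.loginEmail) {
    throw new Error('not logged in');
  }
  const row = findRow(session.loginEmail);
  return row ? row.credits : 0;
}

// The workaround mentioned in the question, as a secondary check: if an email is
// still accepted from the client, it must match the logged-in member or be rejected.
function getCreditsChecked(session, emailFromClient) {
  if (!session || session.loginEmail !== emailFromClient) {
    throw new Error('email does not match the logged-in member');
  }
  return getCreditsForCurrentMember(session);
}
```

The unsafe variant returns Alice's balance to anyone who knows her email, while the two hardened variants only ever return the caller's own row.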