Securing Critical Backend Functions: Is an MD5 Key Based on Password & Date the Best Approach?

Hello,

I’m looking for ways to secure access to certain backend functions (like refunds or adding credits) so that they can only be executed in specific contexts. My current idea is to generate a key during a particular event (such as a cancellation) to confirm the context, and then store this key in a secure database. I was thinking of using an MD5 hash based on a password, User Id and the date for this purpose. If this key is not present and correct, the critical action would not be executed.

Do you have other suggestions for implementing this? Have I overlooked any native Wix solutions that might address this use case?

Thank you in advance for your help!

Are these backend functions exposed to the public via HTTP Functions?

Web modules provide a built-in way to make sure certain backend functions can only be called by admin level users.

You can also limit the use of these functions to backend event handlers, and verify the payload corresponds to a particular event type.

Hello,
I already use events to avoid exposing my critical functions as much as possible. However, the issue arises with functions tied to user requests, such as a credit refund request, where it’s the user triggering the action.

Regards,
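
The context-key idea from the question, sketched as an added example that is not part of any post in this thread and is not a Wix API: it uses a random single-use token bound to the user and the action, rather than the MD5 of password, user ID and date proposed above. The function names (`issueGrant`, `consumeGrant`, `refund`), the 15-minute lifetime and the in-memory `Map` standing in for the secure database are assumptions.

```javascript
const { randomBytes, createHash, timingSafeEqual } = require('node:crypto');

// Stand-in for the secure database collection (assumption): one grant per user+action.
const grants = new Map();
const TTL_MS = 15 * 60 * 1000; // constructed validity window

const digestOf = (token) => createHash('sha256').update(token).digest();
const slot = (userId, action) => JSON.stringify([userId, action]);

// Called from the backend event handler (e.g. on cancellation) to record the context.
function issueGrant(userId, action, now = Date.now()) {
  // Random token: cannot be recomputed from known inputs such as user ID or date.
  const token = randomBytes(32).toString('hex');
  // Only the digest is stored, so a database read does not reveal a usable token.
  grants.set(slot(userId, action), { digest: digestOf(token), expires: now + TTL_MS });
  return token;
}

// Called first thing inside the critical function; true only for a present, correct,
// unexpired grant issued to this user for this action. A grant works once.
function consumeGrant(userId, action, token, now = Date.now()) {
  const key = slot(userId, action);
  const rec = grants.get(key);
  if (!rec || typeof token !== 'string') return false;
  if (now > rec.expires) {
    grants.delete(key); // expired grants are cleaned up on sight
    return false;
  }
  // Both buffers are 32-byte SHA-256 digests, so a constant-time compare is valid.
  if (!timingSafeEqual(rec.digest, digestOf(token))) return false;
  grants.delete(key); // single use: a replayed token finds no grant
  return true;
}

// Hypothetical critical function triggered by a user request.
function refund(userId, token, now = Date.now()) {
  if (!consumeGrant(userId, 'refund', token, now)) {
    return { ok: false, reason: 'no valid grant' };
  }
  // The actual refund call would go here.
  return { ok: true };
}
```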