
I am creating a custom controller for an SFCC Commerce Cloud (Demandware) store.

Because I need to communicate with third-party systems, I created a custom REST API controller to be able to receive some data inside SFCC.

I created a rest controller in order to receive information by POST. How can I provide an authentication mechanism for my controller?

The OCAPI provides resources that come protected by default and you can use OAuth for the authentication, but custom controllers are unprotected and I was wondering how to add OAuth or another authentication mechanism.

My controller:

var server = require('server');

server.post('Test', server.middleware.https, function (req, res, next) {
    // Some logic that should be protected...
    next();
});

module.exports = server.exports();
Jason C
2 Answers


You could use an encrypted parameter in the request and add logic to decrypt it in your controller.


You could use private keys and certificates to authenticate the request. If the request always comes from a particular domain, you can add its certificate, or add a public and private key pair.

var server = require('server');
var Logger = require('dw/system/Logger');

server.post('InboundHookRequest', server.middleware.https, function (req, res, next) {
    var payload = null,
        requestStored = false;
    if (verifySignature(req) === true) {
        try {
            payload = JSON.parse(req.body); // req.body holds the raw POST body in SFRA
            // Do the logic here, then mark the request as handled
            requestStored = true;
        } catch (e) {
            Logger.error(e);
        }
        if (requestStored === true) {
            res.setStatusCode(200);
            res.json({ success: true });
            return next();
        }
    }
    // Unauthenticated or failed requests get a non-2xx response with no detail
    res.setStatusCode(401);
    res.json({ success: false });
    return next();
});

module.exports = server.exports();

Then verify the signature in the following helper:

var Signature = require('dw/crypto/Signature');
var CertificateRef = require('dw/crypto/CertificateRef');
var Logger = require('dw/system/Logger');

// Alias of the third party's public certificate uploaded in Business Manager,
// and the header the caller puts the Base64 signature in
var WEBHOOK_CONFIG = { CERT_NAME: 'webhook-partner-cert', SIGNATURE_HEADER: 'x-signature' };

function verifySignature(req) {
    var signature = new Signature();
    var algorithm = 'SHA256withRSA'; // or another algorithm the platform supports
    if (!signature.isDigestAlgorithmSupported(algorithm)) {
        return false;
    }
    // Base64 signature sent by the caller, computed over the raw request body
    var incoming = req.httpHeaders.get(WEBHOOK_CONFIG.SIGNATURE_HEADER);
    var content = req.body;
    if (!incoming || !content) {
        return false;
    }
    try {
        var certRef = new CertificateRef(WEBHOOK_CONFIG.CERT_NAME);
        return signature.verifySignature(incoming, content, certRef, algorithm) === true;
    } catch (e) {
        Logger.error(e); // Certificate doesn't exist or verification issue
    }
    return false;
}

Signature: https://documentation.b2c.commercecloud.salesforce.com/DOC2/topic/com.demandware.dochelp/DWAPI/scriptapi/html/api/class_dw_crypto_Signature.html

Certificates and Private Keys: https://documentation.b2c.commercecloud.salesforce.com/DOC2/topic/com.demandware.dochelp/content/b2c_commerce/topics/b2c_security_best_practices/b2c_certificates_and_private_keys.html

More on Web Service Security: https://documentation.b2c.commercecloud.salesforce.com/DOC2/topic/com.demandware.dochelp/content/b2c_commerce/topics/web_services/b2c_webservice_security.html

Ameen OT