Securing a CMS Page

Using Commerce7 Login Widgets and Securing a CMS Page

Let's assume you want to secure a page on your WordPress or CraftCMS site, but you would like to use the login forms, Facebook login, magic links, etc. from Commerce7. (You could always use the APIs for all of this, but it's easier and more consistent with the rest of the site to use the widgets.)

Overall Setup:

Create two pages - for now let's call them:

  1. /my-secure-page
  2. /my-login-page

Login Widget:

On the page called /my-login-page, embed the C7 JavaScript and C7 CSS, and create a div tag:

<div id="c7-login-form" data-redirect-to="/my-secure-page"></div>

This will show the C7 login form, with the magic link, forgot password, etc. If a customer is already logged in, the form will not show; instead it redirects them to the link in data-redirect-to.

CMS/Backend Programming:

You need to test to see if a customer exists, if they are logged in, and if they have permission to view the page.

Testing for a Customer
On your secure page, test to see if there is a cookie called 'customerToken'. If there is no cookie, the user is not logged in, and your backend code should redirect them to /my-login-page.

Accessing a Customer
If there is a cookie, confirm that you can actually get the customer with it: call the Commerce7 API endpoint /customer/self (API docs here: https://api-docs.commerce7.com/docs/customers), passing the customerToken as the Authorization header and the tenantId as the tenant header. The HTTP headers should look like this:

headers: {
  Authorization: customerTokenFromCookie,
  tenant: C7TenantId
}

The response of this call will be the customer object. The customer object can be inspected for groups, clubs, etc.

Important: On your secure page, if the customer is logged in but does not meet the security requirements (for example, they aren't a club member and the page requires club membership), please DO NOT send them back to the login page, as it will result in an infinite loop. Instead, show them a message that they don't have the required permissions to visit the page.
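
The backend check described above, as an added example (not Commerce7's own code). It is written in JavaScript to match the header snippet, and the same logic ports to PHP or Twig. The base URL, the 401 handling, the clubs field and the names authorizePage and isClubMember are assumptions for illustration.

```javascript
// Added example. Assumed names: API_BASE, LOGIN_PAGE, authorizePage,
// isClubMember, and the shape of customer.clubs.
const API_BASE = "https://api.commerce7.com/v1"; // assumption: confirm in the API docs
const LOGIN_PAGE = "/my-login-page";

// Read one cookie value from a raw Cookie request header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Decide what the secure page should do for this request.
// fetchFn is injectable so the logic can be exercised without network access.
async function authorizePage(cookieHeader, tenantId, isAllowed, fetchFn = fetch) {
  const token = readCookie(cookieHeader, "customerToken");
  if (!token) return { action: "redirect", location: LOGIN_PAGE };

  let res;
  try {
    res = await fetchFn(`${API_BASE}/customer/self`, {
      headers: { Authorization: token, tenant: tenantId },
    });
  } catch (err) {
    return { action: "error", status: 503 }; // fail closed: API unreachable
  }
  // Assumption: a rejected or expired token comes back as HTTP 401.
  if (res.status === 401) return { action: "redirect", location: LOGIN_PAGE };
  if (!res.ok) return { action: "error", status: 503 };

  const customer = await res.json();
  // Logged in but not permitted: show a message, never bounce to the login page.
  if (!isAllowed(customer)) return { action: "forbidden", status: 403 };
  return { action: "render", status: 200, customer };
}

// Hypothetical rule: the page requires at least one club membership.
const isClubMember = (customer) =>
  Array.isArray(customer.clubs) && customer.clubs.length > 0;
```

The cookie's presence alone never grants access: the page renders only after /customer/self returns a customer that passes the permission rule, and any API failure denies access without redirecting.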

Questions? Reach out to [email protected] or hit us on Slack.