
Why must Orders API require access to all sales history?

Hi, I have been working with a 3rd party using the Orders API and discovered they have full access to all of my sales history:


https://developer.squareup.com/reference/square/orders-api

I think this is a terrible implementation. Why must the merchant disclose all of their sales history to a 3rd party that is only pushing orders?


I already had a 3rd party tell me average total sales of my competitors who use the Orders API. I was curious how they knew this info, now I know.

This is a serious security flaw that merchants should be aware of.

Message 1 of 5
Square Community Moderator

Hey @vic18t,


I reached out to our API team for ya and got this response:


For “only pushing orders”, the developer (3rd party app) would only need ORDERS_WRITE permissions, assuming they’re using OAuth (which they should be). This means, they wouldn’t have access to read the orders. If the 3rd party app requested ORDERS_READ, the merchant would’ve been notified of all the permissions being requested before the merchant could accept (again, assuming they’re doing OAuth).

Ashley C
Community Moderator, Square
Message 2 of 5
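The moderator's point is that the consent screen is the merchant's control: under OAuth the third party has to list the scopes it wants up front, and an order-pushing app only needs ORDERS_WRITE. As an added example (not code from this thread or from Square's SDK), the helper below builds the authorize URL an integration sends a merchant to, and audits an arbitrary consent URL for read scopes beyond what the job needs. The scope names are Square permission names; the client id, state value and the "needed" set are constructed assumptions for the demonstration.

```python
"""Audit the OAuth scopes a third-party Square app asks a merchant to grant.

Constructed example: the client_id/state values are made up. The scope
names (ORDERS_WRITE, ORDERS_READ, ...) are Square permission names, but
which ones a given app actually needs is an assumption you must make per
integration; for "only pushing orders" that is ORDERS_WRITE alone.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlencode, urlparse

SQUARE_AUTHORIZE_URL = "https://connect.squareup.com/oauth2/authorize"

# Read scopes expose history (sales, customers, payouts), not just the
# ability to create records. These are the ones a merchant should question.
READ_SCOPES = {
    "ORDERS_READ",
    "PAYMENTS_READ",
    "CUSTOMERS_READ",
    "MERCHANT_PROFILE_READ",
}

# Minimal scope set for an app that only creates orders.
ORDER_PUSH_SCOPES = {"ORDERS_WRITE"}


def build_consent_url(client_id: str, scopes: set[str], state: str) -> str:
    """Build the authorize URL an order-pushing app should send a merchant to.

    The `scope` parameter is exactly what Square renders on the consent
    screen, so keeping it minimal is what keeps sales history off-limits.
    """
    params = {
        "client_id": client_id,
        "scope": " ".join(sorted(scopes)),  # Square separates scopes with spaces
        "session": "false",                 # force a fresh merchant login
        "state": state,                     # CSRF token, checked on callback
    }
    return f"{SQUARE_AUTHORIZE_URL}?{urlencode(params)}"


def requested_scopes(consent_url: str) -> set[str]:
    """Return the permissions named in a consent URL's `scope` parameter.

    Tolerates space, '+', and comma separators so copied URLs parse cleanly.
    """
    query = parse_qs(urlparse(consent_url).query)
    raw = " ".join(query.get("scope", []))
    return {s for s in raw.replace(",", " ").replace("+", " ").split() if s}


def excess_scopes(consent_url: str, needed: set[str]) -> set[str]:
    """Scopes requested beyond what the integration's job requires."""
    return requested_scopes(consent_url) - needed


def excess_read_scopes(consent_url: str, needed: set[str]) -> set[str]:
    """The subset of excess scopes that would expose the merchant's history."""
    return excess_scopes(consent_url, needed) & READ_SCOPES


if __name__ == "__main__":
    minimal = build_consent_url("sq0idp-example", ORDER_PUSH_SCOPES, "state-123")
    print("minimal consent URL:", minimal)
    # A constructed over-broad request of the kind the original poster ran into.
    greedy = (
        SQUARE_AUTHORIZE_URL
        + "?client_id=sq0idp-example&scope=ORDERS_WRITE+ORDERS_READ+PAYMENTS_READ"
        + "&session=false&state=state-123"
    )
    print("history-exposing scopes requested:", sorted(excess_read_scopes(greedy, ORDER_PUSH_SCOPES)))
```

Run it against the consent URL a vendor actually sends you: anything that comes back from `excess_read_scopes` is a permission you can decline before the token is ever issued, which is the check the moderator's reply relies on.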

Thank you Ashley!


It may be possible to Create Orders without Orders Read, but for a robust solution, the 3rd party would need some Read Access. For instance, reconciliation of an order that experienced a network error, or where for some reason they didn’t receive a JSON response from Square.


I think what is needed here is to limit the scope of order history look-ups, similarly to how the Employee API is set up (I believe it has a 60 day limit option).


Can Square either add this date limiting feature and/or limit order histories to only orders made by the 3rd party? The latter would be preferred.

I know this would be a serious privacy issue if all merchants were made aware of this.

Message 3 of 5
Square Community Moderator

@vic18t I'm not trained in anything API related, so I do apologize if I'm not addressing the question or if this doesn't make sense, but they also stated:


If they didn’t use OAuth, and instead gave the 3rd party their API credentials (which is common, but not the best way to do it), then, yes, they would have access to all of their API-related activities (sales, customers, etc). We do not recommend this approach, though.

Ashley C
Community Moderator, Square
Message 4 of 5

We are using OAuth.

Message 5 of 5