Last year, I spent some time experimenting with a Gmail add-on to integrate with WooCommerce. I was guessing that many WooCommerce store managers also use Gmail for email, and they probably get emails from users asking about order details, refunds, shipping estimates, etc. So I put together the code for a small Gmail add-on to show information for specific users when opening email from them.
The eventual result looks like the following:

The steps I put together will work for a free Gmail account and for paid Google Workspace accounts, so this is not limited to one environment or another.
Technical details
Under the covers, my add-on is using the WooCommerce REST API to search for orders using the email address, and then formatting the details returned in the search results. More specifically, I’m calling the v3 orders API with the email address in the search field, and then using the returned data to show basic details about that user’s orders and links to the relevant places in wp-admin.
More broadly, I am also relying on the WooCommerce REST API keys being stored as part of the configuration for a Google Apps Script project, and then retrieving them at run-time. My instructions for getting this set up specifically call out granting only read permissions for the keys as a small mitigation.
For now, I have only worked out how to run the app in test mode, as Google’s Google Workspace App program requires validation for the app as a whole, which in turn depends on the WooCommerce site. So I don’t have a way to make this operational from a central location, or make it more automated. I have considered setting up a relay/proxy server to have a centralised way to manage the app, but that depends on users needing to trust my service as an intermediary (at least), and I have a day job.
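To make the request and formatting steps above concrete, here is an added example (written for this page, not the add-on’s own code) as a Node.js sketch: it builds the v3 orders request with the email in the search field and HTTP Basic auth from the consumer key/secret, then reduces the response to a per-order summary with wp-admin links. Function names, the site URL and the sample orders are all constructed for the example. In Apps Script the same steps would use PropertiesService.getScriptProperties().getProperty() for the keys, Utilities.base64Encode() for the header and UrlFetchApp.fetch() for the call.

```javascript
// Added example, not the add-on's own code. Node.js sketch of the WooCommerce
// v3 orders lookup described in the post. All names and sample data are constructed.

const ORDERS_PATH = "/wp-json/wc/v3/orders"; // assumes WordPress at the site root

// Build the GET request. Plain http is refused so the API keys never travel
// unencrypted; the email still lands in the query string, which is exactly
// what the logging caveat in the post is about.
function buildOrdersRequest(siteUrl, customerEmail, consumerKey, consumerSecret) {
  const base = new URL(siteUrl);
  if (base.protocol !== "https:") {
    throw new Error("WooCommerce API keys must only be sent over https");
  }
  const url = new URL(ORDERS_PATH, siteUrl);
  url.searchParams.set("search", customerEmail);
  url.searchParams.set("per_page", "10");
  // HTTP Basic: base64(consumer_key:consumer_secret)
  const token = Buffer.from(`${consumerKey}:${consumerSecret}`).toString("base64");
  return {
    url: url.toString(),
    method: "get",
    headers: { Authorization: `Basic ${token}`, Accept: "application/json" },
  };
}

// Reduce the API response to what a Gmail card needs. `search` is a text match
// across order fields rather than an exact email filter, so each order's
// billing email is compared explicitly before it is shown for this sender.
function summarizeOrders(siteUrl, customerEmail, orders) {
  const wanted = customerEmail.trim().toLowerCase();
  return orders
    .filter((o) => ((o.billing && o.billing.email) || "").toLowerCase() === wanted)
    .map((o) => ({
      number: o.number,
      status: o.status,
      total: `${o.total} ${o.currency}`,
      created: o.date_created,
      // Assumes classic post-based order storage for the wp-admin edit link.
      adminUrl: new URL(`/wp-admin/post.php?post=${o.id}&action=edit`, siteUrl).toString(),
    }));
}

// Constructed sample response in the shape the v3 orders endpoint returns.
const SAMPLE_ORDERS = [
  { id: 1201, number: "1201", status: "completed", total: "49.00", currency: "USD",
    date_created: "2023-11-02T10:15:00", billing: { email: "jane@example.com" } },
  { id: 1202, number: "1202", status: "processing", total: "12.50", currency: "USD",
    date_created: "2023-11-05T08:00:00", billing: { email: "jane@example.com" } },
  // Matched by the text search on a name, but belongs to a different customer.
  { id: 1203, number: "1203", status: "on-hold", total: "99.00", currency: "USD",
    date_created: "2023-11-06T09:30:00", billing: { email: "janet@example.com" } },
];

// End-to-end run against the constructed data (the real call would be
// JSON.parse(UrlFetchApp.fetch(req.url, { headers: req.headers }).getContentText())).
function demo() {
  const req = buildOrdersRequest("https://shop.example", "jane@example.com",
    "ck_placeholder", "cs_placeholder");
  console.log("would GET", req.url);
  return summarizeOrders("https://shop.example", "jane@example.com", SAMPLE_ORDERS);
}

demo();
```

The explicit billing-email comparison is the part worth keeping even in a copy-and-paste setup: without it, a card opened for one customer can show another customer’s order simply because the search term matched a name or address fragment.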
Possible Risks
I do want to note that my approach is not completely without risk, though I don’t think it’s too risky overall. (Please feel free to correct me if I’m wrong about that!)
Key storage and exposure at the app level
The keys are currently stored as a configuration property of a Google Apps Script project. This means that they could be leaked in some way. It also means that when multiple users are granted access to the app, especially within an organisation within Google, all of them can access the data for your WooCommerce site.
In both cases, you should be able to rotate the key in the configuration, or remove the user from the list of users with access. Both actions are relatively straightforward, but would be easy to forget or miss.
Key and/or email address leakage via REST API calls
The API calls are made via GET requests using HTTP Basic authentication, with the current email address in the URL as a query parameter. As such, both the credentials and the email address could in principle be logged in flight; the email address is almost certain to appear in HTTP request logs, and likely in some intermediary logs as well, depending on where you’re hosting your WooCommerce/WordPress site. This is an issue because email addresses are considered personal data, so there may be complications that stem from these email addresses being leaked or otherwise exposed, especially if the owner of the email address is covered by privacy laws like the GDPR.
My code does default to using HTTPS, so these values aren’t being sent in the clear, but they can still be leaked via your hosting provider’s web server logs.
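One practical mitigation on the hosting side is to scrub the query string before web server logs are retained or shipped anywhere. The following added example (written for this page, not part of the add-on) takes a constructed Apache-style access log line, keeps only an allowlist of harmless query parameters, masks everything else, and reports which parameters carried data. It masks the `search` value the post describes, and goes a little beyond the post by also catching `consumer_key`/`consumer_secret`, which WooCommerce accepts as query-string credentials over HTTPS and which would otherwise land in the same logs. Function names and the log lines are constructed.

```javascript
// Added example, not the add-on's own code. Redacts query parameters in access
// log lines so customer emails (and any query-string API keys) do not persist.
// Log lines and names are constructed for the example.

// Parameters that carry no personal data or secrets and may stay readable.
const SAFE_QUERY_PARAMS = new Set(["per_page", "page", "status", "orderby", "order"]);

// Returns { line, exposed }: the line with non-allowlisted query values masked,
// and the names of the parameters that were masked.
function redactRequestLine(line) {
  // Match the quoted request target: "GET /path?query HTTP/1.1"
  const m = line.match(/"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/);
  if (!m) return { line, exposed: [] };
  const [full, method, target, version] = m;
  const qIdx = target.indexOf("?");
  if (qIdx === -1) return { line, exposed: [] };

  const path = target.slice(0, qIdx);
  const params = new URLSearchParams(target.slice(qIdx + 1));
  const exposed = [];
  // Collect names first so the mutation below does not disturb iteration.
  for (const name of Array.from(new Set(params.keys()))) {
    if (!SAFE_QUERY_PARAMS.has(name)) {
      params.set(name, "REDACTED"); // set() also drops duplicate occurrences
      exposed.push(name);
    }
  }
  const redactedTarget = `${path}?${params.toString()}`;
  return { line: line.replace(full, `"${method} ${redactedTarget} ${version}"`), exposed };
}

// Constructed log lines: one with the email in `search` (what the add-on sends),
// one where someone used query-string credentials instead of a Basic auth header.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2024:12:00:00 +0000] "GET /wp-json/wc/v3/orders?search=jane%40example.com&per_page=10 HTTP/1.1" 200 1532 "-" "constructed-agent/1.0"',
  '203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-json/wc/v3/orders?consumer_key=ck_placeholder&consumer_secret=cs_placeholder&search=jane%40example.com HTTP/1.1" 200 1532 "-" "constructed-agent/1.0"',
  '198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET /shop/ HTTP/1.1" 200 8804 "-" "constructed-agent/1.0"',
];

// Run the scrubber over the sample lines and return the results.
function scrubSampleLog() {
  return SAMPLE_LOG.map(redactRequestLine);
}

for (const r of scrubSampleLog()) {
  console.log(r.exposed.length ? `masked ${r.exposed.join(",")}:` : "untouched:", r.line);
}
```

An allowlist is used rather than a list of known-sensitive names so that any new parameter defaults to being masked; the `exposed` list doubles as a cheap detection signal if you want to alert on credentials ever appearing in a query string.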
Others?
I haven’t thought of any other risks, but I suspect they exist. Please let me know if you can think of any!
Want to try it?
You can see the full code in https://github.com/daledupreez/mini-crm-for-woo-in-gmail, and I’ve written full step-by-step instructions for you to follow. No coding skills are necessary beyond the ability to copy and paste, and you should be able to get this set up for your WooCommerce site pretty easily.
If you do end up giving this a spin, please let me know how it goes!
#woocommerce #gmail #crm