Nonce validation in REST API

In a headless WordPress setup where you are using JWT for authentication, the standard nonce mechanism provided by wp may not directly fit your needs, especially when dealing with preview functionality. The nonce generated by wp is typically tied to the users session, which is not compatible with JWT authentication.

One approach to solve this issue is to create a custom nonce mechanism that works with your JWT authentication

// Step 1: Custom endpoint to generate nonce
add_action('rest_api_init', function () {
    register_rest_route('custom/v1', '/nonce', array(
        'methods' => 'GET',
        'callback' => 'generate_custom_nonce',
        'permission_callback' => function () {
            return current_user_can('read'); // Adjust permission as needed
        }
    ));
});

function generate_custom_nonce(WP_REST_Request $request) {
    // Generate nonce based on user's JWT token
    $user_id = get_current_user_id();
    $nonce = wp_create_nonce('custom_action_' . $user_id);
    
    return rest_ensure_response($nonce);
}

// Step 2: Validate nonce in requests
add_action('rest_api_init', function () {
    register_rest_route('custom/v1', '/preview', array(
        'methods' => 'GET',
        'callback' => 'get_preview_data',
        'permission_callback' => function () {
            return current_user_can('read'); // Adjust permission as needed
        }
    ));
});

function get_preview_data(WP_REST_Request $request) {
    $nonce = $request->get_header('X-Custom-Nonce'); // Get nonce from header
    $valid_nonce = wp_verify_nonce($nonce, 'custom_action_' . get_current_user_id());
    
    if (!$valid_nonce) {
        return new WP_Error('invalid_nonce', 'Invalid nonce.', array('status' => 403));
    }

    // Proceed to fetch preview data
    // Your code to fetch and return preview data
}

Related Posts:

  1. WP REST API: check if user is logged in
  2. Can’t GET draft posts via REST API from headless frontend
  3. Full page NGINX (or Cloudflare) caching and WordPress nonces
  4. WordPress REST API, Expired Nonce from Cache results in 403 forbidden
  5. Passing a borrowed nonce through Postman fails
  6. permission_callback has no effect
  7. WP REST API – Nonce passes wp_verify_nonce even after logout
  8. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  9. Backbone with custom rest endpoints
  10. Log in user using WordPress REST API
  11. wp_nonce vs jwt
  12. Getting 401 unauthenticated error in WP Rest API revisions
  13. Register rest field authentication with REST API
  14. Rest API nonce is being cached
  15. Is the WordPress REST API installed and enabled in a vanilla WordPress 4.7 installation?
  16. check the requesting url
  17. WP REST API Require Password for GET Endpoint
  18. How to use _embed when using _fields?
  19. WP REST API V2 – Retrieve sub page by full slug (URL/Path)
  20. Verify nonce in REST API?
  21. Filter posts by multiple custom taxonomy terms using AND operator in REST API v2 (WordPress)
  22. WP REST API core major changes
  23. How to use the WP REST API for new user registration (sign up form)?
  24. Can I authenticate with both WooCommerce consumer key and JWT?
  25. Adding post fields in wp-json/wp/v2/search
  26. Unable to get the info of the user which doesn’t have created any post via REST API
  27. WordPress Gutenberg get page template value when post updated?
  28. How to update custom meta fields with rest api?
  29. Rest API invalid nonce with Backbone Client
  30. apiFetch security
  31. Rest API and Custom Fields
  32. WP Rest API: Get User by Email
  33. Gutenberg Custom Block Getting All Posts
  34. Can we assume that /wp-json/ will always be /wp-json/ under any circumstances when creating custom REST routes?
  35. How to use current_user_can() in register_rest_route()?
  36. How to hook into “register_rest_field” to modify the behavior of a custom field?
  37. Get all PDF files from page with WordPress API
  38. current_user_can(‘administrator’) returns false when I’m logged in
  39. How to add / embed an author into REST data from a custom post type?
  40. WordPress REST API json – How to activate gzip compression?
  41. How to enable the view of revisions of post in WordPress Api for custom post type?
  42. Problem on creating custom endpoints for REST
  43. New user signup via REST API
  44. Ho to style post content for WordPress API?
  45. WordPress custom endpoint returning blank response
  46. How to force JWT auth for default GET endpoints of WordPress rest api?
  47. WP REST API can’t set post tags
  48. WP API post__not_in is not working
  49. WP Rest Api- Update callback (POST request) to existing database table through the rest api
  50. Save default options as an array of options and display in REST API
  51. Sidebar endpoint using WordPress API
  52. Get custom posts in gutenberg block
  53. [Zapier + WP Webhooks Pro]: Custom Fields get cut off at first comma or semicolon
  54. Which route in the WP REST API do I access data passed into register_setting()?
  55. Getting 401 (access denied) when trying to use the REST API
  56. WP rest api endpoint protection using jwt token
  57. WP Rest API – Change response status code for failed validation request
  58. Unable to create a Rest end-point
  59. WordPress REST API not working on localhost
  60. /wp-json/wp/v2/posts/?app=3 is returning random scripts tags
  61. User following system via REST API
  62. REST API – Allow /users endpoint depending on a custom capability
  63. 403 Error When Fetching Data from the Settings Rest Route for Non-Admin Users
  64. REST API post times out when content is too large
  65. Can I overwrite default WordPress Json API For no more pages text
  66. Secure WordPress API, how?
  67. Create User with Profile and Cover Images using REST API
  68. Media gallery images url instead of ID on WP API
  69. What’s the right way to validate JSON data coming from an AJAX POST request?
  70. Remove unwanted fields from WP API response
  71. WordPress and React how to integrate? [closed]
  72. WordPress Custom Rest Api – How to get Image Url?
  73. WordPress API “code”:”rest_no_route” with Custom Route
  74. Users REST API not working?
  75. WordPress Update Role using API Cross site
  76. Rest API. Post content
  77. Error rest_post_invalid_page_number trying to call Rest API
  78. Is it possible to combine two rest endpoints in the url?
  79. use WordPress Rest API to build a web application
  80. REST Request Post including meta/custom fields
  81. WordPress api returns distinct data
  82. Redefine REST API variables
  83. How to use WordPress rest API with Angularjs 4 [closed]
  84. Retrieve posts by page in wp rest api
  85. Where is the HTML content for my post in the API
  86. How to change WordPress api v2
  87. REST API Integration without user account?
  88. WP_REST_Request::get_json_params() Parsing null as Zero
  89. WP REST API with Basic Auth at target website
  90. API request forbidden when requesting from same domain
  91. Custom WP Rest API Endpoints from JSON Schema
  92. Get custom data from the user REST API endpoint
  93. Custom rest api endpoint response json problem
  94. JS WordPress API fetch no response headers
  95. WordPress custom endpoint returns Security violated
  96. custom REST endpoints and application passwords
  97. WordPress REST API custom endpoint not allowing multiple parameters
  98. How can I retrieve the original content in a page via REST API, content that I pushed myself also via API?
  99. How to get attributes from a post requested via the JSON API?
  100. Retrieving Deleted Scheduled Posts via WordPress REST API
deneme bonusudeneme bonusu veren sitelerpulibet girişOnwin Güncel Giriştürkçe altyazılı pornocanlı bahis casino