How to force Authentication on REST API for Password protected page using custom table and fetch() without Plugin

After studying carefully 🤓 the WordPress REST API Handbook concerning

Home / REST API Handbook / Extending the REST API / Routes and Endpoints
Home / REST API Handbook / Extending the REST API / Adding Custom Endpoints

I realized I made a couple of mistakes.

Therefore, I wanted to share with you my findings.

Also, at the end I have some additional questions out of curiosity.

1.) Pass object ‘$request’ to the callback functions:

Before:function get_your_data() { ...
After : function get_your_data($request) { ...

2.) Create namespace and route outside of wp/v2 with your own version number:

Before:register_rest_route( 'wp/v2/your_private_page', '/data', array( ...
After : register_rest_route( 'your_private_page/v1', '/data', array( ...

Also adapt http-request URLs in your client side script:

Before:let url="https://example.com/wp-json/wp/v2/your_private_page/data";
After : let url="https://example.com/wp-json/your_private_page/v1/data";

3.) Add ‘permission_callback’ to your routes:

Before: I didn’t have it (just had the main callbacks)
After : Added prefix_get_private_data_permissions_check() as Permission Callback function

//  Permission Callback 
// 'ypp' is the Prefix I chose (ypp = Your Private Page)

function ypp_get_private_data_permissions_check() {
    // Restrict endpoint to browsers that have the wp-postpass_ cookie.

    if ( !isset($_COOKIE['wp-postpass_'. COOKIEHASH] )) {
       return new WP_Error( 'rest_forbidden', esc_html__( 'OMG you can not create or edit private data.', 'my-text-domain' ), array( 'status' => 401 ) );
    };
    // This is a black-listing approach. You could alternatively do this via white-listing, by returning false here and changing the permissions check.
    return true;
};

// And then add the permission_callback to your POST and PUT routes:

add_action('rest_api_init', function() {
    /**
    * Register here your custom routes for your CRUD functions
    */
    register_rest_route( 'your_private_page/v1', '/data', array(
       array(
          'methods'  => WP_REST_Server::READABLE,
          'callback' => 'get_your_data',
          // Always allow.
          'permission_callback' => '__return_true' // <-- good practice, according to docs
       ),
       array(
          'methods'  => WP_REST_Server::CREATABLE,
          'callback' => 'insert_your_data',
          // Here we register our permissions callback. The callback is fired before the main callback to check if the current user can access the endpoint.
          'permission_callback' => 'ypp_get_private_data_permissions_check', // <-- that was the missing part
       ),
       array(
          'methods'  => WP_REST_Server::EDITABLE,
          'callback' => 'update_your_data',
          // Here we register our permissions callback. The callback is fired before the main callback to check if the current user can access the endpoint.
          'permission_callback' => 'ypp_get_private_data_permissions_check', // <-- that was the missing part
       ),
    ));
});

Obviously, that makes a lot of sense, because it’s on the server side (WordPress, php) where the authorization has to take place (dummy me, he he he)

4.) Complete code:

Following code-snippets worked for my selfhosted WordPress installation:

WordPress: version 5.7.2
PHP: version 7.4
host: hostmonster.com
client: Windows 10
browsers: tested on Chrome, Firefox, even Edge 😜 worked

Code (HTML with inline <script> ... </script>):

<form id="form1" name="form1">
  <button id="get" onclick="getValues()">GET</button>
  <button id="insert" onclick="insertValues()">CREATE</button>
  <button id="update" onclick="updateValues()">UPDATE</button>
</form>

<script>
let yourData = [];
let yourDataNew = {};
let yourDataUpdated = {};
let token = "";

function getValues() {
  event.preventDefault();
  //READ data
  getYourData();
};
function insertValues() {
  event.preventDefault();
  //CREATE new datarecord
  yourDataNew = {"column_1": "test-1", "column_2": "test-2"};
  insertYourData(yourDataNew);
};
function updateValues() {
  event.preventDefault();
  //UPDATE datarecord
  let idOfLastRecord = yourData[yourData.length-1].id;
  yourDataUpdated = {"id": idOfLastRecord, "column_1": "test-1-modified", "column_2": "test-2-modified"};
  updateYourData(yourDataUpdated);
};

// We don't need to retrieve token form Cookie. See my EDIT at the end

//GET value of Access Cookie wp-postpass_{hash}
//token = ("; "+document.cookie).split("; wp-postpass_675xxxxxx   =").pop().split(";").shift(); 
//console.log('TOKEN: ' + token);

// Here comes the REST API part:
// HTTP requests with fetch() promises
function getYourData() {
  let url="https://example.com/wp-json/your_private_page/v1/data";
  fetch(url, {
    method: 'GET',
    credentials: 'same-origin',
    headers:{
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        //'Authorization': 'Bearer ' + token  <-- not needed, see EDIT at end
    }
  }).then(res => res.json())
  .then(response => get_success(response))
  .catch(error => failure(error));
};

function insertYourData(data) {
  let url="https://example.com/wp-json/your_private_page/v1/data";
  fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers:{
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        //'Authorization': 'Bearer ' + token  <-- not needed, see EDIT at end
    },
    body: JSON.stringify(data)
  }).then(res => res.json())
  .then(response => create_success(response))
  .catch(error => failure(error));
};

function updateYourData(data) {
  let url="https://example.com/wp-json/your_private_page/v1/data";
  fetch(url, {
    method: 'PUT',
    credentials: 'same-origin',
    headers:{
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        //'Authorization': 'Bearer ' + token  <-- not needed, see EDIT at end
    },
    body: JSON.stringify(data)
  }).then(res => res.json())
  .then(response => update_success(response))
  .catch(error => failure(error));
};

// fetch() promises success functions:
function get_success(json) {
  data = JSON.stringify(json);
  yourData = JSON.parse(data);
  console.log('GET');
  console.log(yourData);
};
function create_success(json) {
  let insertResponse = JSON.stringify(json);
  insertResponse = JSON.parse(insertResponse);
  console.log('CREATE');
  console.log(insertResponse);
};
function update_success(json) {
  let updateResponse = JSON.stringify(json);
  updateResponse = JSON.parse(updateResponse);
  console.log('UPDATE');
  console.log(updateResponse);
};
function failure(error) {
  console.log("Error: " + error);
};

</script>

Code (PHP code in function.php of my installed theme):

/**
 * Add here your custom CRUD functions
 */

/**
  * This is our callback function to return (GET) our data.
  *
  * @param WP_REST_Request $request This function accepts a rest request to process data.
  */
function get_your_data($request) {
    global $wpdb;
    $yourdata = $wpdb->get_results("SELECT * FROM your_custom_table");

    return rest_ensure_response( $yourdata );
};

/**
 * This is our callback function to insert (POST) new data record.
 *
 * @param WP_REST_Request $request This function accepts a rest request to process data.
 */
function insert_your_data($request) {
    global $wpdb;
    $contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';

    if ($contentType === "application/json") {
        $content = trim(file_get_contents("php://input"));
        $decoded = json_decode($content, true);
        $newrecord = $wpdb->insert( 'your_custom_table', array( 'column_1' => $decoded['column_1'], 'column_2' => $decoded['column_2']));
    };
    if($newrecord){
        return rest_ensure_response($newrecord);
    }else{
        //something gone wrong
        return rest_ensure_response('failed');
    };

    header("Content-Type: application/json; charset=UTF-8");
};
/**
 * This is our callback function to update (PUT) a data record.
 *
 * @param WP_REST_Request $request This function accepts a rest request to process data.
 */
function update_your_data($request) {
    global $wpdb;
    $contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';

    if ($contentType === "application/json") {
        $content = trim(file_get_contents("php://input"));
        $decoded = json_decode($content, true);
        $updatedrecord = $wpdb->update( 'your_custom_table', array( 'column_1' => $decoded['column_1'], 'column_2' => $decoded['column_2']), array('id' => $decoded['id']), array( '%s' ));
    };

    if($updatedrecord){
        return rest_ensure_response($updatedrecord);
    }else{
        //something gone wrong
        return rest_ensure_response('failed');
    };

    header("Content-Type: application/json; charset=UTF-8");
};

// 'ypp' is the Prefix I chose (ypp = Your Private Page)
function ypp_get_private_data_permissions_check() {
    // Restrict endpoint to browsers that have the wp-postpass_ cookie.

    if ( !isset($_COOKIE['wp-postpass_'. COOKIEHASH] )) {
        return new WP_Error( 'rest_forbidden', esc_html__( 'OMG you can not create or edit private data.', 'my-text-domain' ), array( 'status' => 401 ) );
    };
    // This is a black-listing approach. You could alternatively do this via white-listing, by returning false here and changing the permissions check.
    return true;
};

add_action('rest_api_init', function() {
    /**
    * Register here your custom routes for your CRUD functions
    */
    register_rest_route( 'your_private_page/v1', '/data', array(
        array(
           'methods'  => WP_REST_Server::READABLE,
           'callback' => 'get_your_data',
           // Always allow.
           'permission_callback' => '__return_true'
        ),
        array(
           'methods'  => WP_REST_Server::CREATABLE,
           'callback' => 'insert_your_data',
           // Here we register our permissions callback. The callback is fired before the main callback to check if the current user can access the endpoint.
           'permission_callback' => 'ypp_get_private_data_permissions_check',
        ),
        array(
           'methods'  => WP_REST_Server::EDITABLE,
           'callback' => 'update_your_data',
           // Here we register our permissions callback. The callback is fired before the main callback to check if the current user can access the endpoint.
           'permission_callback' => 'ypp_get_private_data_permissions_check',
        ),
    ));
});

5.) Testing

Finally got my so desperately anticipated FAILURE 😊

Finally got my so desperately anticipated FAILURE 😊

Final Question, though:

Is 'Authorization': 'Bearer ' + token necessary in header of HTTP request?

After some testing, I realized that if ( !isset($_COOKIE['wp-postpass_'. COOKIEHASH] )) { within the Permission Callback not only checks if the Cookie is set on client browser, but it seems also to check its value (the JWT token).

Because I dobble checked as with my initial code, passing a false token, eliminating the cookie, or leaving session open but changing in the back-end the password of site (hence WordPress would create a new token, hence value of set wp_postpass_ cookie would change) and all test went correctly – REST API blocked, not only verifying presence of cookie, but also its value (which is good – thank you WordPress team).

My Questions here:

  • Can I leave out the 'Authorization': 'Bearer ' + token within my
    HTTP request header ?
  • Hence, do I have to retrieve at all the cookie value (token) or was it not necessary?

I am not sure whether I got it completely right now. Any comments and suggestions are so welcome.

Thank you.

EDIT:

I found the answer to my 2 questions above in the FAQ section:

Why is the REST API not verifying the incoming Origin header? Does this expose my site to CSRF attacks?

Because the WordPress REST API does not verify the Origin header of incoming requests, public REST API endpoints may therefore be accessed from any site.
This is an intentional design decision.

However, WordPress has an existing CSRF protection mechanism which uses nonces.

And according to my testing so far, the WP-way of authentication works perfectly well.

Thumbs up 👍 for the WordPress team

Related Posts:

  1. Custom endpoint filtering post by custom taxonomies
  2. How to add field to custom post type endpoint
  3. With Rest V2 (WP4.7) how does one restrict certain RESTFUL verbs?
  4. Add extra parameters after permalink?
  5. Handling front-end file uploads, considering safety and ease of use
  6. Fetch All Posts (Including Those Using a Custom Post Type) With WordPress API
  7. Update CPT meta data using REST API
  8. How do I Filter Custom Post Type by Custom Taxonomy in the newest WordPress RESTful API?
  9. WordPress REST Create Post of Custom Type
  10. REST API: How can I restrict a custom post type to only be accessible by authenticated users?
  11. Show custom post type endpoint in REST API just if user has capability
  12. WP Rest API Querying Custom Posts by ACF fields
  13. Add Capabilities to Custom Post Type after it has been created [duplicate]
  14. How to get dynamically custom post type that are under a certain category
  15. Get the Category Name instead of ID from WP-API
  16. Remove tinyMCE from admin and replace with textarea
  17. Rest Api v2 orderby meta_key in custom post type
  18. Get custom post type REST API not working
  19. Add extra parameters after permalink?
  20. How to add custom fields to admin UI and REST API response?
  21. WordPress Rest API only returns content when posttype has editor capability
  22. Custom search with Custom Fields in WP REST API?
  23. Wp Rest API request posts from a custom taxonomy
  24. Recommended way to remove WP REST API returned data for custom post
  25. add_rewrite_endpoint() and Custom Post Type Archive
  26. Custom Post Type and API REST is not working
  27. Add custom post type to Backbone collections
  28. React post to WordPress custom post type
  29. Custom Post type with ACF in REST API, how do I get those values?
  30. is_main_query() not working for WP REST API
  31. Very simple wordpress block to display posts from an api call
  32. Add custom parameter to REST API request of a custom post type?
  33. Custom Taxonomy Invalid in REST API
  34. How do I get the intended post type of a revision post?
  35. Using The REST API How To Pull All Custom Posts?
  36. Restrict custom post type from appearing with ?post_types=
  37. Cannot add custom field to “orderby” parameter in Rest API
  38. Getting meta in editor plugin, and event triggering issue
  39. How to force JWT auth for default GET endpoints of WordPress rest api?
  40. Expose a custom field of a custom post type to the REST API
  41. How to create custom post by using REST API securely?
  42. Custom post type archive page – Posts overview – with one modal for multiple posts?
  43. WP Rest API – How to get an empty response if query has no posts
  44. Callback to custom field is not working in WordPress REST API
  45. Custom Post Type not showing in Rest API on Multisite
  46. post meta parameter in post custom-post-type endpoint with restapi
  47. Manage custom post type in woocommerce /my-account/ page
  48. Exclude objects from WordPress API based from ACF field using rest_prepare_{$post_type}
  49. filter custom post in rest api with custom function
  50. API Rest Custom Post Type doesn’t return all data
  51. Custom REST endpoints for a custom post type with custom fields
  52. A case for Hierarchical Custom Posts
  53. Authenticating user for custom post type [closed]
  54. How to add/edit advanced custom fields on custom post type’s WordPress REST API?
  55. How to get all post of custom post type by rest api?
  56. Create custom post with meta field with AJAX and the WordPress REST API
  57. WordPress API for custom post types returns rest_no_route
  58. set_query_params using custom params defined in functions file?
  59. How to see posts in taxonomy endpoint
  60. WP API Response does not show my registered metadata
  61. REST filters only firing when I have a param set
  62. custom endpoints on Custom Post Type return 404 page not found
  63. Custom REST endpoint not working to retrieve single posts (“rest_no_route”)
  64. How to add a filter to a custom post type to get adjacent custom posts via the REST API
  65. How to handle new post from API request?
  66. wp-json API: not logged in when clicking link to the API from admin mode
  67. Custom Post Type API doesn’t show taxonomy or category array
  68. Custom Endpoint For Custom Post Type from Child Theme
  69. How to make an API call to a custom post type but filtering by meta value?
  70. Fetching custom post type without knowing post type (REST API)
  71. WordPress REST API V2: “{CUSTOM_POST_TYPE} matches Term ID List and Term ID Taxonomy Query, but should match only one.”
  72. no_rest_route in Unit Testing for REST endpoint for CPT registered via show_in_rest
  73. How can I create new CustomPostType record using wp.api.collections?
  74. wp rest api orderby field in a custom table
  75. How To Read Read Custom Post Type Data in Headless CMS Mode
  76. Custom Endpoint For Specific Custom Post Type
  77. WP_Query: how to search tags in addition to a custom post type?
  78. How can I sort the results of a REST API response by the title of a connected custom post type?
  79. How to filter a matched value with custom key using WP REST API?
  80. URL issue retrieving Custom Post Types using Backbone JS API
  81. Create API’s for custom-post types & custom queries using REST or Graphql
  82. Action on Custom Post publish
  83. Get Custom Post types data from the API
  84. How can I add a meta[] to my custom post type and search by term with the Rest API?
  85. register_rest_field update_callback don’t work for $_FILES
  86. localize_script or rest api
  87. Issue with CPT posts within WP REST API showing as []
  88. Saving custom post types post_meta over REST-API fails
  89. WP REST API Custom endpoint don’t work in my plugin
  90. filter rest api post by a acf filed
  91. Delete all custom posts then upload a new CSV of events
  92. check_admin_referer not working in custom meta box for custom post type
  93. Rewrite Endpoint Url without ? before endpoint
  94. Store custom post type with JSON content
  95. querying to custom field over ACF REST API
  96. Create settings page to enable or disable CPT
  97. Securing REST API wp-json/wp/v2/users endpoint
  98. Get all posts of any post type in a category from REST API
  99. Make term slugs of custom taxonomy available in WP REST API for custom post type?
  100. upload image with rest API to the media library

Leave a Comment