Make authorization mandatory on custom routes

Late, but maybe helpful for other readers as I added solution specifically to above code of this question.

Solution: Permission Callback function

WordPress: version 5.7.2
PHP: version 7.4
host: hostmonster.com
client: Windows 10
browsers: tested on Chrome, Firefox, even Edge 😜 worked

Code (PHP code in function.php of your installed theme):

add_action('rest_api_init', function() {
    /**
     * Register here your custom routes for your CRUD functions
     */
    register_rest_route( 'mysite/v1', '/ads/', array(
        array(
            'methods'  => WP_REST_Server::READABLE, // = 'GET'
            'callback' => 'get_ads',
            // Always allow, as an example
            'permission_callback' => '__return_true'
        ),
        array(
            'methods'  => WP_REST_Server::CREATABLE, // = 'POST'
            'callback' => 'create_ad',
            // Here we register our permissions callback
            // The callback is fired before the main callback to check if the current user can access the endpoint
            'permission_callback' => 'prefix_get_private_data_permissions_check',
        ),
    ));
});

// The missing part:
// Add your Permission Callback function here, that checks for the cookie
// You should define your own 'prefix_' name, though

function prefix_get_private_data_permissions_check() {
    // Restrict endpoint to browsers that have the wp-postpass_ cookie.

    if ( !isset($_COOKIE['wp-postpass_'. COOKIEHASH] )) {
        return new WP_Error( 'rest_forbidden', esc_html__( 'OMG you can not create or edit private data.', 'my-text-domain' ), array( 'status' => 401 ) );
    };
    return true;
};

function create_ad() {
    global $wpdb;

    $result = $wpdb->query(...);

    return $result;
}

function get_ads() {
    global $wpdb;

    $ads = $wpdb->get_results('SELECT * from `ads`');

    return $ads;
}

Make sure to include in your HTML page credentials: 'same-origin' in your HTTP request.

Code (HTML with inline <script> ... </script>):

<script>

// Here comes the REST API part:
// HTTP requests with fetch() promises

function getYourAds() {
  let url="https://example.com/wp-json/mysite/v1/ads/";
  fetch(url, {
    method: 'GET',
    credentials: 'same-origin', // <-- make sure to include credentials
    headers:{
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        //'Authorization': 'Bearer ' + token  <-- not needed, WP does not check for it
    }
  }).then(res => res.json())
  .then(response => get_success(response))
  .catch(error => failure(error));
};

function insertYourAds(data) {
  let url="https://example.com/wp-json/mysite/v1/ads/";
  fetch(url, {
    method: 'POST',
    credentials: 'same-origin', // <-- make sure to include credentials
    headers:{
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        //'Authorization': 'Bearer ' + token  <-- not needed, WP does not check for it
    },
    body: JSON.stringify(data)
  }).then(res => res.json())
  .then(response => create_success(response))
  .catch(error => failure(error));
};

// your Success and Failure-functions:

function get_success(json) {
  // do something here with your returned data ....
  console.log(json);
};

function create_success(json) {
  // do something here with your returned data ....
  console.log(json);
};

function failure(error) {
  // do something here ....
  console.log("Error: " + error);
};

</script>

Final thoughts:

Is 'Authorization': 'Bearer ' + token necessary in header of HTTP request?

After some testing, I realized that if ( !isset($_COOKIE['wp-postpass_'. COOKIEHASH] )) { ... within the Permission Callback not only checks if the Cookie is set on client browser, but it seems also to check its value (the JWT token).

Because I dobble checked as with my initial code, passing a false token, eliminating the cookie, or leaving session open but changing in the back-end the password of site (hence WordPress would create a new token, hence value of set wp_postpass_ cookie would change) and all test went correctly – REST API blocked, not only verifying presence of cookie, but also its value (which is good – thank you WordPress team).

Sources:
I found following resource concerning above thoughts in the FAQ section:

Why is the REST API not verifying the incoming Origin header? Does this expose my site to CSRF attacks?

Because the WordPress REST API does not verify the Origin header of
incoming requests, public REST API endpoints may therefore be accessed
from any site. This is an intentional design decision.

However, WordPress has an existing CSRF protection mechanism which
uses nonces.

And according to my testing so far, the WP-way of authentication works perfectly well.

Thumbs up 👍 for the WordPress team

Additional 2 sources from the WordPress REST API Handbook:

REST API Handbook / Extending the REST API / Routes and Endpoints
REST API Handbook / Extending the REST API / Adding Custom Endpoints

For those interested in full story of my findings, following link to my thread with answers, code snippets and additional findings.

How to force Authentication on REST API for Password protected page using custom table and fetch() without Plugin

Related Posts:

  1. How to: Make JWT-authenticated requests to the WordPress API
  2. WordPress Rest API: How do we validate with our custom API key?
  3. How to Authenticate WP REST API with JWT Authentication using Fetch API
  4. authentication issue with rest api – rest_cannot_create
  5. Can I authenticate with both WooCommerce consumer key and JWT?
  6. WP REST API: check if user is logged in
  7. How to login to WordPress site using basic authentication HTTP headers?
  8. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  9. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  10. Can’t GET draft posts via REST API from headless frontend
  11. Create Session with JWT
  12. WP REST API GET Requests require authentication
  13. current_user_can(‘administrator’) returns false when I’m logged in
  14. Authenticating with REST API
  15. WP REST API – Nonce passes wp_verify_nonce even after logout
  16. How to force JWT auth for default GET endpoints of WordPress rest api?
  17. REST API: best place to set current user for JWT auth?
  18. WordPress + REST API v2 and private pages Load by slug
  19. REST API authentication for a plugin
  20. PHP: authenticate for a REST request?
  21. Rest API basic auth not working
  22. Authenticate current user to REST API
  23. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  24. Getting 401 from ajax using an application password
  25. How to connect android app with WordPress website?
  26. WordPress REST API calls that depend on the WordPress User
  27. WordPress HTTP API NTLM Authentication
  28. Advanced Access Manager: RESTful endpoint to refresh token
  29. Best Authetication between REST API and Mobile App
  30. Log in user using WordPress REST API
  31. Secure WordPress API, how?
  32. wp_nonce vs jwt
  33. register/login api
  34. How can I secure my custom rest api endpoint or add under a already existing rest group
  35. Register rest field authentication with REST API
  36. REST API Integration without user account?
  37. WP REST API with Basic Auth at target website
  38. Cant POST with REST API on WordPress
  39. REST API – Authentication/Logon security
  40. custom REST endpoints and application passwords
  41. wordpress rest api authentication failed
  42. How to use WP-REST API to login user and get user data for Android app?
  43. Getting user meta data from WP REST API
  44. WP REST API returns blank response if post is too long
  45. how to authenticate for the REST API from a plugin and from command line
  46. Increase per_page limit in REST API
  47. How to feed a HTML5’s EventSource with a REST API custom endpoint?
  48. Retrieve CSS and JS From the REST API
  49. WordPress 4.7 REST API endpoints
  50. REST API multiple media upload
  51. 401 Error when trying to make a REST API call to site
  52. Does jQuery/Ajax send cookies when using the rest API or do I need to somehow add them?
  53. Android authentication
  54. Upload image to wordpress using REST API
  55. Can I define multiple callback methods depending on the call method?
  56. Filter post content in REST API
  57. How add meta fields to a user with the wp-api?
  58. WordPress Rest API response
  59. Send request to WordPress REST API
  60. Request to REST endpoint works fine in browser and curl, but fails from WP_REST_Request
  61. WP REST api.wordpress.org discovery
  62. Rest API in integration tests – filtering by slug not working?
  63. Why does AWStats show /wp-json* as Viewed URLs
  64. How send get request to external api with username and password
  65. permission_callback has no effect
  66. Updating link on page via REST api
  67. featured image not found in json from wp rest api
  68. is it possible to filter a rest api endpoint by using a registered rest field?
  69. Ho to style post content for WordPress API?
  70. rendering view in backbone
  71. Update a post based on results from GET request to another server
  72. Manipulating/view postmeta remotely
  73. Check authentication credentials using WP REST API
  74. WordPress REST API V2: how to get list of all posts?
  75. How to get data from /wp-json/wp/v2/users/me
  76. WordPress REST API parameters are not affecting a response
  77. Update meta_value in wp_postmeta using API
  78. WordPress plugin with CORS
  79. /wp-json/wp/v2/posts/?app=3 is returning random scripts tags
  80. User following system via REST API
  81. “Error: cURL error 60: SSL certificate problem: certificate has expired” when create product in WooCommerce via REST API
  82. How to use WordPress REST api to login a user?
  83. Wrong encoding of dynamic block properties problem when loggen in as editor
  84. Need wp rest api for featured video post
  85. REST api header link href
  86. WordPress & React Native
  87. Is it possible to combine two rest endpoints in the url?
  88. update meta data (like view counter) by rest-api
  89. Rest API hook ‘rest_insert_post’ not returning request object
  90. How Can I keep password protected posts in the json requests but not on frontend queries?
  91. How to use WordPress rest API with Angularjs 4 [closed]
  92. Retrieve posts by page in wp rest api
  93. How to change WordPress api v2
  94. Delete row from table using custom endpoint via API
  95. Fetch post by author slug
  96. How can I set the default ‘orderby’ and ‘order’ parameters for a REST API call?
  97. Problem with custom WordPress Rest API search route with query parameters
  98. What filtering is available for backbone.js?
  99. Login and register by API
  100. Woocommerce API for calling products by Category ID
techhipbettruvabetnorabahisbahis forumutaraftarium24eduedueduseduedusedusedueduedusedus