Verify nonce in REST API?

You should pass the special wp_rest nonce as part of the request. Without it, the global $current_user object will not be available in your REST class. You can pass this from several ways, from $_GET to $_POST to headers.

The action nonce is optional. If you add it, you can’t use the REST endpoint from an external server, only from requests dispatched from within WordPress itself. The user can authenticate itself using Basic Auth, OAuth2, or JWT from an external server even without the wp_rest nonce, but if you add an action nonce as well, it won’t work.

So the action nonce is optional. Add it if you want the endpoint to work locally only.

Example:

/**
* First step, registering, localizing and enqueueing the JavaScript
*/
wp_register_script( 'main-js', get_template_directory_uri() . '/js/main.js', [ 'jquery' ] );
wp_localize_script( 'main-js', 'data', [
    'rest' => [
        'endpoints' => [
            'my_endpoint'       => esc_url_raw( rest_url( 'my_plugin/v1/my_endpoint' ) ),
        ],
        'timeout'   => (int) apply_filters( "my_plugin_rest_timeout", 60 ),
        'nonce'     => wp_create_nonce( 'wp_rest' ),
        //'action_nonce'     => wp_create_nonce( 'action_nonce' ), 
    ],
] );
wp_enqueue_script( 'main-js' );

/**
* Second step, the request on the JavaScript file
*/
jQuery(document).on('click', '#some_element', function () {
    let ajax_data = {
        'some_value': jQuery( ".some_value" ).val(),
        //'action_nonce': data.rest.action_nonce
    };

    jQuery.ajax({
        url: data.rest.endpoints.my_endpoint,
        method: "GET",
        dataType: "json",
        timeout: data.rest.timeout,
        data: ajax_data,
        beforeSend: function (xhr) {
            xhr.setRequestHeader('X-WP-Nonce', data.rest.nonce);
        }
    }).done(function (results) {
        console.log(results);
        alert("Success!");
    }).fail(function (xhr) {
        console.log(results);
        alert("Error!");
    });
});

/**
* Third step, the REST endpoint itself
*/
class My_Endpoint {
        public function registerRoutes() {
        register_rest_route( 'my_plugin', 'v1/my_endpoint', [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => [ $this, 'get_something' ],
            'args'                => [
                'some_value'     => [
                    'required' => true,
                ],
            ],
            'permission_callback' => function ( WP_REST_Request $request ) {
                return true;
            },
        ] );
    }

    /**
    *   @return WP_REST_Response
    */
    private function get_something( WP_REST_Request $request ) {
        //if ( ! wp_verify_nonce( $request['nonce'], 'action_nonce' ) ) {
        //  return false;
        //}

        $some_value        = $request['some_value'];

        if ( strlen( $some_value ) < 5 ) {
            return new WP_REST_Response( 'Sorry, Some Value must be at least 5 characters long.', 400 );
        }

        // Since we are passing the "X-WP-Nonce" header, this will work:
        $user = wp_get_current_user();

        if ( $user instanceof WP_User ) {
            return new WP_REST_Response( 'Sorry, could not get the name.', 400 );
        } else {
            return new WP_REST_Response( 'Your username name is: ' . $user->display_name, 200 );
        }
    }
}

Related Posts:

  1. When adding a custom REST endpoint, where do you put the endpoint function, and where do you put the function registration call?
  2. ensure user can only be logged in on one computer at a time?
  3. How to handle security on a wordpress site? [closed]
  4. How to build a child theme from a react-based parent theme?
  5. Updating Custom WordPress User Meta Field via REST API
  6. need help with a user-specific custom page template
  7. Custom API plugin to execute 3rd party API to retrieve data
  8. wp_nonce vs jwt
  9. How to get WordPress Theme Customizer options in the REST API?
  10. How to Password Protect whole site except for some subdirectories
  11. Do i need to use PHP in customizer api?
  12. What Is The Use Of map_meta_cap Filter?
  13. How to *remove* a parent theme page template from a child theme?
  14. How to disable page delete
  15. Need help with friendly URL’s in WordPress
  16. Show a WP 3.0 Custom Menu in an HTML Select with Auto-Navigation?
  17. How to add checkbox and radio button in Profile Page
  18. Widgets not working in Customizr but working in Appearance
  19. Posts not showing with custom categorybase and subcategories [closed]
  20. Best way to pass arguments to another page in WordPress
  21. REST-API: extend media-endpoint
  22. Gutenberg Blocks – Attributes from comment delimiter or from HTML?
  23. register_sidebar ‘after_widget’ on custom-built widgets not implementing, caused nested widgets
  24. Custom Login and Registration form in Ajax
  25. Rebuild vs Upgrade – need pointers, advice
  26. Changing editor-style.css style
  27. Can I develop a WordPress site without a domain?
  28. wp-json and what data does it give away?
  29. How to extend customize control types to list pages
  30. Customize the WordPress Default Gallery Output
  31. How to get rid of from overbooking car rental website [closed]
  32. Advanced Custom Fields: Sorting custom columns with custom fields sorts only by date
  33. Programmatically (PHP) get the nr. of items in the primary navigation menu
  34. Multi Site installation inside a sub domain inside a sub directory
  35. How to create left and right menu with logo center in a custom theme?
  36. Custom post type adds time/date and author to the post?
  37. How can I setup a wordpress site with multi country & multi lingual support
  38. 1 WordPress installation with 2 pages: every page gets a separate domain
  39. How to use default WP form elements to interact with custom DB table?
  40. REQUIRED: Could not find wp_link_pages. See: wp_link_pages by Theme Checker
  41. problem in uploading attachment to custom directory
  42. How do I add a promotional message to my posts?
  43. NextGEN Gallery – open all images on page in fancybox [closed]
  44. How to stop displaying the Id without losing the functionality
  45. How to update theme from localhost to online site
  46. Is it necessary to use Timthumb in WordPress 2.9+?
  47. How to show wp.me shortlink underneath each post?
  48. Divi: how to hide/show specific menu according current page?
  49. “woocommerce_form_field()” function having issues after latest woocommerce update [closed]
  50. buddypress remove username from autocomplete
  51. Change admin avatar only (without Gravatar or plugin)?
  52. When should I not use WordPress? [closed]
  53. How do I change the element using a custom function?
  54. Is it necessary to prefix theme_mod, section id and panel id in the customizer?
  55. How can i create menu like in the example?
  56. Can readers download zip files from WordPress sites?
  57. Create a custom admin panel
  58. Translate custom template with WPML
  59. Any Good WordPress Client Like Live Writer To Create Static Pages
  60. WordPress homepage hangs in IE browsers
  61. How to setup a membership system in WordPress?
  62. 404 errors when updating options in admin dashboard
  63. How can I resolve a .htaccess internal server error setting up a WordPress multisite?
  64. Is it possible to add custom badges to product attributes conditionally, based on custom field?
  65. Product page not found if product data is set Appointment Service
  66. I want to embed mystream video in my wordpress site
  67. Current menu item highlights wrong
  68. Measure time in ONLY HOUR format
  69. Avoid showing the same phrase in the loops
  70. How can error pages be customized
  71. Custom permalink structure for posts in certain categories
  72. Replace an URL with an new URL which has a “?” in it
  73. Hosing a website within a WordPress directory/folder
  74. Creating a dynamic URL for an external link inside content
  75. Child Theme – Changing Header
  76. remove or hide Link Relationship (XFN) form Menus tab
  77. Custom Single Template
  78. how to auto fille conatct form 7 when user is logined
  79. check_admin_referer not working in custom meta box for custom post type
  80. Displaying Child Page’s Information
  81. Changing ‘Add to cart’ button text and relink for some specific products [closed]
  82. adding a custom time class to in theme twenty sixteen
  83. wp_verify_nonce fails always
  84. ‘str_replace’ and ‘strtr’ not working inside plugin
  85. SAving PHP in custom wordpress option field
  86. Does WordPress support template resources/custom fields
  87. Change default “Apply Changes To” radio option when editing images
  88. How to use hook admin_init for add_action for custom post type column
  89. Edit a custom admin page
  90. Remove Twenty Twelve themes responsiveness in Internet Explorer
  91. Looking for a way to take readers to random post when clicking a link
  92. WordPress uploads directory. Featured Images storage
  93. Cannot upload to S3 using CDN Sync Tool
  94. Custom Import with taxonomies
  95. Upgrade to 3.1.1 Fails
  96. Very Simple Geo targeting
  97. Consolidate ‘add-to-cart’ buttons into one ‘add-all-to-cart’ button
  98. Update to WordPress 4.9.2, but have heavily customized theme
  99. Storing form data into wordpress database [closed]
  100. Post interior margin in twenty eleven theme

Leave a Comment