WP REST API: check if user is logged in

You shouldn’t pass your nonce to your JavaScript to verify it, since client side scripts can be easily manipulated. Instead, you should get the nonce from your front-end content, and then pass it to server to verify it.

After verification, you should decide to output content by server, not by your JavaScript file.

Something like this:

if ( is_user_logged_in() ) {
    if ( wp_verify_nonce($_REQUEST['X-WP-Nonce'], 'wp_rest') {
        // Nonce is correct!
    } else {
        // Don't send the data, it's a trap!
    }
}

As a side note, REST API offers its own method to fetch the passed queries. So, you can get it this way in your callback function:

function foobar( \WP_REST_Request $request ) {
    $nonce = $request['X-WP-Nonce'];
}

Related Posts:

  1. Can’t GET draft posts via REST API from headless frontend
  2. WP REST API – Nonce passes wp_verify_nonce even after logout
  3. Rest API: wp_verify_nonce() fails despite receiving correct nonce value
  4. Log in user using WordPress REST API
  5. wp_nonce vs jwt
  6. Register rest field authentication with REST API
  7. How to: Make JWT-authenticated requests to the WordPress API
  8. WordPress Rest API: How do we validate with our custom API key?
  9. WordPress REST API call generates nonce twice on every call
  10. How to Authenticate WP REST API with JWT Authentication using Fetch API
  11. authentication issue with rest api – rest_cannot_create
  12. Can I authenticate with both WooCommerce consumer key and JWT?
  13. How to login to WordPress site using basic authentication HTTP headers?
  14. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  15. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  16. Create Session with JWT
  17. Full page NGINX (or Cloudflare) caching and WordPress nonces
  18. WordPress REST API, Expired Nonce from Cache results in 403 forbidden
  19. Passing a borrowed nonce through Postman fails
  20. how to send Ajax request in wordpress backend
  21. permission_callback has no effect
  22. WP REST API GET Requests require authentication
  23. current_user_can(‘administrator’) returns false when I’m logged in
  24. Authenticating with REST API
  25. Make authorization mandatory on custom routes
  26. How to force JWT auth for default GET endpoints of WordPress rest api?
  27. REST API: best place to set current user for JWT auth?
  28. WordPress + REST API v2 and private pages Load by slug
  29. REST API authentication for a plugin
  30. PHP: authenticate for a REST request?
  31. Rest API basic auth not working
  32. Authenticate current user to REST API
  33. Getting 401 from ajax using an application password
  34. How to connect android app with WordPress website?
  35. WordPress REST API calls that depend on the WordPress User
  36. Backbone with custom rest endpoints
  37. WordPress HTTP API NTLM Authentication
  38. Advanced Access Manager: RESTful endpoint to refresh token
  39. Best Authetication between REST API and Mobile App
  40. How to verify which WordPress user requested the API in ASP .NET Core?
  41. Secure WordPress API, how?
  42. register/login api
  43. How can I secure my custom rest api endpoint or add under a already existing rest group
  44. REST API Integration without user account?
  45. WP REST API with Basic Auth at target website
  46. Cant POST with REST API on WordPress
  47. REST API – Authentication/Logon security
  48. Rest API nonce is being cached
  49. custom REST endpoints and application passwords
  50. wordpress rest api authentication failed
  51. How to add additional http header to a wp_error rest response
  52. Nonce validation in REST API
  53. Accessing an auth protected custom WP API enpoint from remote origin
  54. Is the WordPress REST API installed and enabled in a vanilla WordPress 4.7 installation?
  55. Does something like is_rest() exist
  56. How to use OAuth authentication with REST API via CURL commands?
  57. REST API purpose?
  58. Get post count in wp rest API v2 and get all categories
  59. WP REST API — How to change HTTP Response status code?
  60. wp_get_current_user() function not working in Rest API callback function
  61. How to use WP-REST API to login user and get user data for Android app?
  62. Nonce retrieved from the REST API is invalid and different from nonce generated in wp_localize_script
  63. WP REST API Is it rather easy to rename the default wp-json uri part?
  64. Search WP API using the post title
  65. check the requesting url
  66. How would I add custom tables/endpoints to the WP REST API?
  67. WP REST API Require Password for GET Endpoint
  68. Displaying a page built with Elementor using the REST API [closed]
  69. Extend WordPress (4.x) session and nonce
  70. Getting user meta data from WP REST API
  71. Understanding SHORTINIT with WordPress 5
  72. How to use _embed when using _fields?
  73. WordPress REST API – Permission Callbacks
  74. WP REST API V2 – Retrieve sub page by full slug (URL/Path)
  75. WP REST API create post authentication issue
  76. How do I create a user using the new JSON api in 4.7?
  77. Verify nonce in REST API?
  78. Why is my custom API endpoint not working?
  79. WordPress REST API validation
  80. Are there server performance benefits to fetching only specific fields when querying the REST API?
  81. How to define a query parameter with REST API?
  82. Filter posts by multiple custom taxonomy terms using AND operator in REST API v2 (WordPress)
  83. WP REST API returns blank response if post is too long
  84. How do I correctly setup an AJAX nonce for WordPress REST API?
  85. how to authenticate for the REST API from a plugin and from command line
  86. How to check WordPress website username and password is correct
  87. Increase per_page limit in REST API
  88. Does pre_get_posts affect REST API responses?
  89. How to feed a HTML5’s EventSource with a REST API custom endpoint?
  90. How do I use the WP REST API plugin and the OAuth Server plugin to allow for registration and login?
  91. Adding WordPress API Endpoint With Multiple Parameters
  92. How to authenticate custom API endpoint in WooCommerce [closed]
  93. WordPress “Link has expired” error on updating posts
  94. Retrieve CSS and JS From the REST API
  95. Using the REST API (v2) javascript client on a private namespaced route
  96. WP REST API core major changes
  97. WordPress 4.7 REST API endpoints
  98. How to get all posts from parent and children categories?
  99. wordpress wp-json prefix issue
  100. How to build a plugin that supports authenticated POST requests to the REST API from external servers?

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)