SSL and admin scheme issues

[johnbillion]

Scenario: a site where the admin area is served over SSL (via FORCE_SSL_ADMIN) and the front end is served over HTTP.

The intent of this, of course, is to prevent credentials being sent in plain text over HTTP.

WP-API uses home_url() rather than site_url() to build its endpoint URL. This means in the scenario above, the endpoint URL shown in RSD uses HTTP rather than HTTPS. When I go to use the API and I'm submitting my user credentials, they're being sent as plain text over HTTP! Oh noes!

The solution is for WP-API to use site_url() (and probably rpc as the $scheme parameter) rather than using home_url() in get_json_url(). This does mean, however, that if a site's WordPress installation is in a subdirectory then this will show up in the endpoint URL too (eg. example.com/wordpress/wp-json).

You'll note that the XML-RPC endpoints listed at example.com/xmlrpc.php?rsd all use site_url() rather than home_url(). WP-API is currently the odd one out here.

Thoughts?

Marginally related core ticket: #28424

[danielbachhuber]

Maybe WP-API needs api_route() which gets special treatment in core.

Edit: Came cross json_url(), which is what I was thinking of.

[rmccue]

You'll note that the XML-RPC endpoints listed at example.com/xmlrpc.php?rsd all use site_url() rather than home_url(). WP-API is currently the odd one out here.

Previously: bc646f2 and https://gsoc.trac.wordpress.org/ticket/375

The reason XML-RPC uses site_url() is because they're actual accessible files, whereas WP-API is handled via rewrites. The issue, IMO, is that we can't ensure SSL is available on home_url() just because it is on site_url().

Tricky issue. Thanks for looking through this @johnbillion; it's been on my todo list (I've been watching the core movements too).

[johnbillion]

rmccue and I briefly discussed this just now. A couple of notes:

• Switching to site_url() for the JSON endpoint is a no-go because we can't guarantee we can do rewrites under this URL.
• Forcing SSL on the JSON endpoint is a no-go because home_url() could use a different domain to site_url(), and the former may not be available over SSL.
• We could ping https://example.com/wp-json upon activation and set a flag if it's accessible in order to use it for the endpoint (Ryan's suggestion).

[kadamwhite]

Does this mean that there is no way to force SSL in all cases, or just when the main site doesn't use SSL? I'm tasked with setting up our application to communicate with WP exclusively over SSL, so hopefully the latter...

[johnbillion]

Just the latter. This is for a site where the admin area is served over SSL (via FORCE_SSL_ADMIN) and the front end is served over HTTP.

[piotrd]

@johnbillion, we have exactly the same issue (trying to force endpoint use SSL). Any updates on how you worked around it?

[johnbillion]

Yeah you can do it with WordPress' set_url_scheme() function:

add_filter( 'json_url', function( $url ) {
    return set_url_scheme( $url, 'https' );
} );

[piotrd]

Thanks, @johnbillion. I added the above code, and can see https in urls.

Unfortunately, I keep getting 404 when calling https://my_wp_instance/wp-json/. I'm not sure if it is even this plugin's fault, but I'll keep digging. Or maybe you have any hints on that?

[rmccue]

Unfortunately, I keep getting 404 when calling https://my_wp_instance/wp-json/. I'm not sure if it is even this plugin's fault, but I'll keep digging. Or maybe you have any hints on that?

That certainly shouldn't be the plugin's fault, as we're not doing any special handling for that.

[hubdotcom]

Could this be done using the following filter? Or adding the SSL check in get_json_url()?

add_filter( 'json_url', function( $url ) {
    if ( force_ssl_admin() ){
        return set_url_scheme( $url, 'https' );
    } else {
        return $url;
    }
} );

[johnbillion]

See my second point here: #259 (comment)

HTTPS can't be forced on the home URL because it can be a different domain to the admin area and may not be available over HTTPS.

[hubdotcom]

A conundrum indeed. If FORCE_SSL_ADMIN cannot be used as this applies to the site url then perhaps a new flag is needed that is relevant to the home url and therefore the JSON endpoint?

Example
The constant FORCE_SSL_JSON can be set to true to force all json authentication and sessions to happen over SSL.

define('FORCE_SSL_JSON', true);