Merge pull request #12 from WP-API/auth-fix

Allow for both plain and pretty permalink structures

tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php

@@ -107,7 +107,11 @@ public function test_init() {
 	 * @covers ::get_rest_uri()
 	 */
 	public function test_get_rest_uri() {
+		$this->assertEquals( '/index.php?rest_route=/wp/v2/key-pair', WP_REST_Key_Pair::get_rest_uri() );
+
+		$this->set_permalink_structure( '/%postname%/' );
 		$this->assertEquals( '/wp-json/wp/v2/key-pair', WP_REST_Key_Pair::get_rest_uri() );
+		$this->set_permalink_structure( '' );
 	}
 
 	/**
@@ -237,8 +241,12 @@ public function test_profile_update() {
 	 * @since 0.1
 	 */
 	public function test_require_token() {
-		$this->assertTrue( $this->key_pair->require_token( true, '/wp-json/wp/v2/posts', 'POST' ) );
-		$this->assertTrue( $this->key_pair->require_token( true, '/wp-json/wp/v2/posts', 'DELETE' ) );
+		$this->assertTrue( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/posts', 'POST' ) );
+		$this->assertTrue( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/posts', 'DELETE' ) );
+
+		$this->assertTrue( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/key-pair', 'GET' ) );
+		$this->assertFalse( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/key-pair', 'POST' ) );
+		$this->assertFalse( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/key-pair', 'DELETE' ) );
 
 		$this->assertTrue( $this->key_pair->require_token( true, '/wp-json/wp/v2/key-pair', 'GET' ) );
 		$this->assertFalse( $this->key_pair->require_token( true, '/wp-json/wp/v2/key-pair', 'POST' ) );

tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php

@@ -76,7 +76,11 @@ public function test_init() {
 	 * @covers ::get_rest_uri()
 	 */
 	public function test_get_rest_uri() {
+		$this->assertEquals( '/index.php?rest_route=/wp/v2/token', WP_REST_Token::get_rest_uri() );
+
+		$this->set_permalink_structure( '/%postname%/' );
 		$this->assertEquals( '/wp-json/wp/v2/token', WP_REST_Token::get_rest_uri() );
+		$this->set_permalink_structure( '' );
 	}
 
 	/**
@@ -344,9 +348,8 @@ public function test_authenticate_refresh_token() {
 	 * @since 0.1
 	 */
 	public function test_require_token() {
-		$prefix    = rest_get_url_prefix();
-		$token_uri = sprintf( '/%s/wp/v2/token', $prefix );
-		$posts_uri = sprintf( '/%s/wp/v2/posts', $prefix );
+		$token_uri = WP_REST_Token::get_rest_uri();
+		$posts_uri = sprintf( '/%s/wp/v2/posts', rest_get_url_prefix() );
 		$user_data = array(
 			'role'       => 'administrator',
 			'user_login' => 'testuser',

wp-admin/js/key-pair.js

@@ -93,7 +93,7 @@
 
 	$( document ).on( 'click', '.key-pair-token', function( e ) {
 		var $parent  = $( e.target ).closest( '.new-key-pair' ),
-			$input    = $( 'input[name=new_token_api_secret]' ),
+			$input    = $( 'input[name="new_token_api_secret"]' ),
 			apiKey    = $parent.data( 'api_key' ),
 			apiSecret = $input.val(),
 			name      = $parent.data( 'name' );

wp-includes/rest-api/auth/class-wp-rest-key-pair.php

@@ -73,7 +73,14 @@ public function init() {
 	 * @static
 	 */
 	public static function get_rest_uri() {
-		return sprintf( '/%s/%s/%s', rest_get_url_prefix(), self::_NAMESPACE_, self::_REST_BASE_ );
+		$blog_id = get_current_blog_id();
+		$prefix  = 'index.php?rest_route=';
+
+		if ( is_multisite() && get_blog_option( $blog_id, 'permalink_structure' ) || get_option( 'permalink_structure' ) ) {
+			$prefix = rest_get_url_prefix();
+		}
+
+		return sprintf( '/%s/%s/%s', $prefix, self::_NAMESPACE_, self::_REST_BASE_ );
 	}
 
 	/**
@@ -292,7 +299,7 @@ public function profile_update( $user_id ) {
 	public function require_token( $require_token, $request_uri, $request_method ) {
 
 		// Don't require token authentication to manage key-pairs.
-		if ( ( 'POST' === $request_method || 'DELETE' === $request_method ) && false !== strpos( $request_uri, self::get_rest_uri() ) ) {
+		if ( ( 'POST' === $request_method || 'DELETE' === $request_method ) && strpos( $request_uri, sprintf( '/%s/%s', self::_NAMESPACE_, self::_REST_BASE_ ) ) ) {
 			$require_token = false;
 		}
 
@@ -781,10 +788,10 @@ public function template_key_pair_row() {
 					{{ data.last_ip }}
 				</td>
 				<td class="token column-token" data-colname="<?php esc_attr_e( 'Token', 'jwt-auth' ); ?>">
-					<input type="submit" name="token-key-pair-{{ data.api_key }}" class="button" id=="token-key-pair-{{ data.api_key }}" value="<?php esc_attr_e( 'New Token', 'jwt-auth' ); ?>">
+					<input type="submit" name="token-key-pair-{{ data.api_key }}" class="button" id="token-key-pair-{{ data.api_key }}" value="<?php esc_attr_e( 'New Token', 'jwt-auth' ); ?>">
 				</td>
 				<td class="revoke column-revoke" data-colname="<?php esc_attr_e( 'Revoke', 'jwt-auth' ); ?>">
-					<input type="submit" name="revoke-key-pair" class="button delete" id=="revoke-key-pair-{{ data.api_key }}" value="<?php esc_attr_e( 'Revoke', 'jwt-auth' ); ?>">
+					<input type="submit" name="revoke-key-pair" class="button delete" id="revoke-key-pair-{{ data.api_key }}" value="<?php esc_attr_e( 'Revoke', 'jwt-auth' ); ?>">
 				</td>
 			</tr>
 		</script>

wp-includes/rest-api/auth/class-wp-rest-token.php

@@ -79,7 +79,14 @@ public function init() {
 	 * @static
 	 */
 	public static function get_rest_uri() {
-		return sprintf( '/%s/%s/%s', rest_get_url_prefix(), self::_NAMESPACE_, self::_REST_BASE_ );
+		$blog_id = get_current_blog_id();
+		$prefix  = 'index.php?rest_route=';
+
+		if ( is_multisite() && get_blog_option( $blog_id, 'permalink_structure' ) || get_option( 'permalink_structure' ) ) {
+			$prefix = rest_get_url_prefix();
+		}
+
+		return sprintf( '/%s/%s/%s', $prefix, self::_NAMESPACE_, self::_REST_BASE_ );
 	}
 
 	/**
@@ -359,9 +366,8 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) {
 	 */
 	public function require_token() {
 		$require_token  = true;
-		$request_uri    = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : false; // phpcs:ignore
-		$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : false; // phpcs:ignore
-		$rest_uri       = self::get_rest_uri();
+		$request_uri    = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : false;
+		$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) : false;
 
 		// User is already authenticated.
 		$user = wp_get_current_user();
@@ -370,7 +376,7 @@ public function require_token() {
 		}
 
 		// Only check REST API requests.
-		if ( ! strpos( $request_uri, rest_get_url_prefix() ) ) {
+		if ( ! strpos( $request_uri, rest_get_url_prefix() ) && ! strpos( $request_uri, '?rest_route=' ) ) {
 			$require_token = false;
 		}
 
@@ -386,7 +392,7 @@ public function require_token() {
 		}
 
 		// Don't require authentication to generate a token.
-		if ( 'POST' === $request_method && $rest_uri === $request_uri ) {
+		if ( 'POST' === $request_method && strpos( $request_uri, sprintf( '/%s/%s', self::_NAMESPACE_, self::_REST_BASE_ ) ) ) {
 			$require_token = false;
 		}