diff --git a/tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php b/tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php index 03acb76..288c0da 100644 --- a/tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php +++ b/tests/wp-includes/rest-api/auth/class-test-wp-rest-key-pair.php @@ -107,7 +107,11 @@ public function test_init() { * @covers ::get_rest_uri() */ public function test_get_rest_uri() { + $this->assertEquals( '/index.php?rest_route=/wp/v2/key-pair', WP_REST_Key_Pair::get_rest_uri() ); + + $this->set_permalink_structure( '/%postname%/' ); $this->assertEquals( '/wp-json/wp/v2/key-pair', WP_REST_Key_Pair::get_rest_uri() ); + $this->set_permalink_structure( '' ); } /** @@ -237,8 +241,12 @@ public function test_profile_update() { * @since 0.1 */ public function test_require_token() { - $this->assertTrue( $this->key_pair->require_token( true, '/wp-json/wp/v2/posts', 'POST' ) ); - $this->assertTrue( $this->key_pair->require_token( true, '/wp-json/wp/v2/posts', 'DELETE' ) ); + $this->assertTrue( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/posts', 'POST' ) ); + $this->assertTrue( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/posts', 'DELETE' ) ); + + $this->assertTrue( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/key-pair', 'GET' ) ); + $this->assertFalse( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/key-pair', 'POST' ) ); + $this->assertFalse( $this->key_pair->require_token( true, '/index.php?rest_route=/wp/v2/key-pair', 'DELETE' ) ); $this->assertTrue( $this->key_pair->require_token( true, '/wp-json/wp/v2/key-pair', 'GET' ) ); $this->assertFalse( $this->key_pair->require_token( true, '/wp-json/wp/v2/key-pair', 'POST' ) ); diff --git a/tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php b/tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php index 8700b07..365a2b5 100644 
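Review bot: The trailing `$this->set_permalink_structure( '' );` in test_get_rest_uri never runs when the assertion before it fails, so a failing run leaves pretty permalinks switched on for every test that follows; unless the base test case already restores the structure in its tear_down (not visible here), move the reset into tear_down or wrap the pretty-permalink assertion in try/finally. The same pattern is added to test_get_rest_uri in class-test-wp-rest-token.php (hunk @@ -76). Since the new get_rest_uri() consults get_blog_option() on multisite, a case that exercises that branch would also be worth adding.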
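Review bot: The added assertions only ever place `/wp/v2/key-pair` in the path, so they do not pin down that require_token() ignores the route string when it appears elsewhere in the URI, which matters now that the production check is an unanchored strpos(); add a negative case such as `$this->assertTrue( $this->key_pair->require_token( true, '/wp-json/wp/v2/posts?ref=/wp/v2/key-pair', 'POST' ) );` and, if DELETE on a sub-route is meant to be exempt too, `$this->assertFalse( $this->key_pair->require_token( true, '/wp-json/wp/v2/key-pair/1', 'DELETE' ) );`. test_require_token continues past the end of the hunk.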
--- a/tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php +++ b/tests/wp-includes/rest-api/auth/class-test-wp-rest-token.php @@ -76,7 +76,11 @@ public function test_init() { * @covers ::get_rest_uri() */ public function test_get_rest_uri() { + $this->assertEquals( '/index.php?rest_route=/wp/v2/token', WP_REST_Token::get_rest_uri() ); + + $this->set_permalink_structure( '/%postname%/' ); $this->assertEquals( '/wp-json/wp/v2/token', WP_REST_Token::get_rest_uri() ); + $this->set_permalink_structure( '' ); } /** @@ -344,9 +348,8 @@ public function test_authenticate_refresh_token() { * @since 0.1 */ public function test_require_token() { - $prefix = rest_get_url_prefix(); - $token_uri = sprintf( '/%s/wp/v2/token', $prefix ); - $posts_uri = sprintf( '/%s/wp/v2/posts', $prefix ); + $token_uri = WP_REST_Token::get_rest_uri(); + $posts_uri = sprintf( '/%s/wp/v2/posts', rest_get_url_prefix() ); $user_data = array( 'role' => 'administrator', 'user_login' => 'testuser', diff --git a/wp-admin/js/key-pair.js b/wp-admin/js/key-pair.js index 64058e7..4bb811d 100644 --- a/wp-admin/js/key-pair.js +++ b/wp-admin/js/key-pair.js @@ -93,7 +93,7 @@ $( document ).on( 'click', '.key-pair-token', function( e ) { var $parent = $( e.target ).closest( '.new-key-pair' ), - $input = $( 'input[name=new_token_api_secret]' ), + $input = $( 'input[name="new_token_api_secret"]' ), apiKey = $parent.data( 'api_key' ), apiSecret = $input.val(), name = $parent.data( 'name' ); diff --git a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php index d0c4058..df47258 100644 --- a/wp-includes/rest-api/auth/class-wp-rest-key-pair.php +++ b/wp-includes/rest-api/auth/class-wp-rest-key-pair.php 
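Review bot: `$token_uri` now takes whichever form get_rest_uri() picks from the permalink setting while `$posts_uri` is still built from rest_get_url_prefix(), so under plain permalinks the two fixtures use different URL styles (`/index.php?rest_route=/wp/v2/token` versus `/wp-json/wp/v2/posts`) within one test. Derive both from a single source, e.g. `$posts_uri = preg_replace( '#/token$#', '/posts', $token_uri );`, or run the assertions under both permalink structures the way test_get_rest_uri does. test_require_token continues past the end of the hunk.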
@@ -73,7 +73,14 @@ public function init() { * @static */ public static function get_rest_uri() { - return sprintf( '/%s/%s/%s', rest_get_url_prefix(), self::_NAMESPACE_, self::_REST_BASE_ ); + $blog_id = get_current_blog_id(); + $prefix = 'index.php?rest_route='; + + if ( is_multisite() && get_blog_option( $blog_id, 'permalink_structure' ) || get_option( 'permalink_structure' ) ) { + $prefix = rest_get_url_prefix(); + } + + return sprintf( '/%s/%s/%s', $prefix, self::_NAMESPACE_, self::_REST_BASE_ ); } /** @@ -292,7 +299,7 @@ public function profile_update( $user_id ) { public function require_token( $require_token, $request_uri, $request_method ) { // Don't require token authentication to manage key-pairs. - if ( ( 'POST' === $request_method || 'DELETE' === $request_method ) && false !== strpos( $request_uri, self::get_rest_uri() ) ) { + if ( ( 'POST' === $request_method || 'DELETE' === $request_method ) && strpos( $request_uri, sprintf( '/%s/%s', self::_NAMESPACE_, self::_REST_BASE_ ) ) ) { $require_token = false; } @@ -781,10 +788,10 @@ public function template_key_pair_row() { {{ data.last_ip }} - + - + diff --git a/wp-includes/rest-api/auth/class-wp-rest-token.php b/wp-includes/rest-api/auth/class-wp-rest-token.php index 951ce69..4b67d02 100644 --- a/wp-includes/rest-api/auth/class-wp-rest-token.php +++ b/wp-includes/rest-api/auth/class-wp-rest-token.php @@ -79,7 +79,14 @@ public function init() { * @static */ public static function get_rest_uri() { - return sprintf( '/%s/%s/%s', rest_get_url_prefix(), self::_NAMESPACE_, self::_REST_BASE_ ); + $blog_id = get_current_blog_id(); + $prefix = 'index.php?rest_route='; + + if ( is_multisite() && get_blog_option( $blog_id, 'permalink_structure' ) || get_option( 'permalink_structure' ) ) { + $prefix = rest_get_url_prefix(); + } + + return sprintf( '/%s/%s/%s', $prefix, self::_NAMESPACE_, self::_REST_BASE_ ); } /** 
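Review bot: The condition `is_multisite() && get_blog_option( $blog_id, 'permalink_structure' ) || get_option( 'permalink_structure' )` parses as `(A && B) || C`, and because get_blog_option() for the current blog reads the same option get_option() does, the left-hand clause adds nothing while leaving a reader guessing whether `is_multisite() && ( B || C )` was intended; `if ( get_option( 'permalink_structure' ) ) {` expresses the same decision plainly (or add parentheses if the intent differs). The identical block is introduced in WP_REST_Token::get_rest_uri() (hunk @@ -79), so a shared helper would stop the two copies drifting apart. The method's docblock should also state that the result is `/index.php?rest_route=…` under plain permalinks and `/<rest prefix>/…` otherwise, since callers that previously compared it with an exact match now face two possible forms.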
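Review bot: Replacing `false !== strpos( $request_uri, self::get_rest_uri() )` with a bare `strpos( $request_uri, '/wp/v2/key-pair' )` makes this exemption match the substring anywhere in the request URI, query string included, and it also reads a match at offset 0 as "not found"; as this is the check that decides whether a POST or DELETE may skip token authentication, it should compare the route only — the path under pretty permalinks or the `rest_route` query argument under plain ones. The same substring test is introduced in WP_REST_Token::require_token() (hunk @@ -386) for the token-creation exemption, which previously demanded an exact match. The rewrite below extracts the route before comparing; require_token's body continues past the end of the hunk.
```php
public function require_token( $require_token, $request_uri, $request_method ) {
	// Resolve the REST route: the path under pretty permalinks, the
	// rest_route query argument under plain permalinks.
	$route = (string) wp_parse_url( $request_uri, PHP_URL_PATH );
	wp_parse_str( (string) wp_parse_url( $request_uri, PHP_URL_QUERY ), $query_args );
	if ( ! empty( $query_args['rest_route'] ) ) {
		$route = $query_args['rest_route'];
	}

	// Match the key-pair route (optionally with a sub-path), never a substring of the whole URI.
	$key_pair_route = sprintf( '/%s/%s', self::_NAMESPACE_, self::_REST_BASE_ );
	$is_key_pair    = 1 === preg_match( '#' . preg_quote( $key_pair_route, '#' ) . '(/|$)#', $route );

	// Don't require token authentication to manage key-pairs.
	if ( ( 'POST' === $request_method || 'DELETE' === $request_method ) && $is_key_pair ) {
		$require_token = false;
	}
	// … unchanged: return $require_token …
```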
@@ -359,9 +366,8 @@ public function authenticate_refresh_token( $user, WP_REST_Request $request ) { */ public function require_token() { $require_token = true; - $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : false; // phpcs:ignore - $request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : false; // phpcs:ignore - $rest_uri = self::get_rest_uri(); + $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : false; + $request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( $_SERVER['REQUEST_METHOD'] ) : false; // User is already authenticated. $user = wp_get_current_user(); @@ -370,7 +376,7 @@ public function require_token() { } // Only check REST API requests. - if ( ! strpos( $request_uri, rest_get_url_prefix() ) ) { + if ( ! strpos( $request_uri, rest_get_url_prefix() ) && ! strpos( $request_uri, '?rest_route=' ) ) { $require_token = false; } @@ -386,7 +392,7 @@ public function require_token() { } // Don't require authentication to generate a token. - if ( 'POST' === $request_method && $rest_uri === $request_uri ) { + if ( 'POST' === $request_method && strpos( $request_uri, sprintf( '/%s/%s', self::_NAMESPACE_, self::_REST_BASE_ ) ) ) { $require_token = false; }
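Review bot: `sanitize_text_field()` is the wrong filter for `$_SERVER['REQUEST_URI']` here: it strips tags, collapses whitespace and removes percent-encoded octets (`%xx`), so the string compared against the REST prefix and route further down is no longer the URI WordPress routed, and an encoded character in the path or query silently changes the outcome. The values are only compared, never output, so `wp_unslash( $_SERVER['REQUEST_URI'] )` (with a `// phpcs:ignore` justified by that) is enough for the URI, and the method wants normalising rather than sanitising, e.g. `$request_method = isset( $_SERVER['REQUEST_METHOD'] ) ? strtoupper( $_SERVER['REQUEST_METHOD'] ) : '';`. The `false` fallback for `$request_uri` also feeds the strpos() calls in hunk @@ -370; defaulting to `''` keeps those calls well-typed. require_token() continues past the end of the hunk.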
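Review bot: The REST-request detection `! strpos( $request_uri, rest_get_url_prefix() ) && ! strpos( $request_uri, '?rest_route=' )` misses a `rest_route` parameter that is not the first in the query string (`&rest_route=`), which WordPress still honours, so such a request is not recognised as a REST request and `$require_token` is set to false for it; `! strpos()` additionally reads a match at offset 0 as "not found". Parse the query instead of probing for the literal: `wp_parse_str( (string) wp_parse_url( $request_uri, PHP_URL_QUERY ), $args );` followed by `if ( false === strpos( $request_uri, rest_get_url_prefix() ) && empty( $args['rest_route'] ) ) {`. If this filter runs after WordPress has resolved the request, the `REST_REQUEST` constant is a more reliable signal than re-parsing the URI; when it is invoked is not visible from the hunk.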