Secure all rest api endpoints #6

Closed
shotor opened this issue Aug 2, 2021 · 6 comments
Labels
feature-request New feature or request

Comments

@shotor

shotor commented Aug 2, 2021

Is there a way to secure all public rest api endpoints?

I'd like to secure the pages endpoint (and any other page) so it's only accessible with an api key. But if I make a request without JWT it just goes through.

I couldn't find a way to change this in the settings

@melomontoya

Or is there a way to validate the token through PHP? I would like to validate the token on some endpoints.

@nicumicle
Owner

nicumicle commented Aug 29, 2021

Have you tried the "Force login" (https://wordpress.org/plugins/wp-force-login/) plugin?

@melomontoya

Hi, "Force login" plugin doesn't fit 'cause it checks for "if( ! is_user_logged_in())" which doesn't work with JWT or anything compatible with our APP. Is there a proper/safe way to make the "whitelist" work? We have tried the "1 file plugin" and "function.php" but it doesn't work.
Thanks

@melomontoya

Ok, after some digging we figured it out. Seems like the problem was the "array_merge" between both arrays. We changed it for a foreach loop that "pushes" each endpoint and now it works. Oh, btw, it is also a one file plugin 'cause it wouldn't work on the functions.php

This is the final code

```php
<?php
/////////////////////////////////////////
//////// JWT WHITELIST for endpoints without verification
/////////////////////////////////////////

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Exit if accessed directly.
}

/**
 * JWT whitelist
 */
add_filter(
	'jwt_auth_whitelist',
	function ( $endpoints ) {
		// Endpoints that should skip JWT verification.
		$whitelists = array(
			'/wp-json/MYENDPOINT/v1/home',
			'/wp-json/MYENDPOINT/v1/stripewebhook',
		);

		// Append each endpoint only if it is not already in the list.
		foreach ( $whitelists as $whitelist ) {
			if ( ! in_array( $whitelist, $endpoints, true ) ) {
				array_push( $endpoints, $whitelist );
			}
		}

		return $endpoints;
	}
);
```

@kristjanmar

I'm interested in this as well. What did you do to restrict the endpoints before adding the whitelist code?

@nicumicle
Owner

Hello @shotor @melomontoya @kristjanmar,

The tag 3.4.0 has this functionality. You can not secure all rest endpoints or only specific endpoints with a JWT.
Also, when you secure all endpoints, you can set a specific list that can be whitelisted.

Please let me know what you think.

Best regards,
Nicu.

@nicumicle nicumicle added the feature-request New feature or request label Dec 11, 2021
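
One way to require authentication on every REST route while keeping a short allowlist, using WordPress core's `rest_authentication_errors` filter (an added example, not code from this thread or from the plugin). The `myplugin_` names and the allowlist entries are hypothetical, and it assumes the JWT plugin sets the current user so that `is_user_logged_in()` is true for a request carrying a valid token.

```php
<?php
// Added example. Assumption: a valid JWT results in a logged-in current user
// before this filter runs; if it does not, token requests are rejected too.

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Exit if accessed directly.
}

// Constructed allowlist: routes that stay public, written as REST routes
// (no /wp-json prefix). Keep it as short as possible.
const MYPLUGIN_PUBLIC_ROUTES = array(
	'/MYENDPOINT/v1/home',
	'/MYENDPOINT/v1/stripewebhook',
);

// Exact, strict comparison: a prefix or substring match would also open
// routes such as /MYENDPOINT/v1/home-admin.
function myplugin_is_public_route( $route, array $allowlist ) {
	$route = '/' . trim( (string) $route, '/' );
	return in_array( $route, $allowlist, true );
}

function myplugin_require_auth( $result ) {
	// Keep a decision already made by another authentication handler.
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}

	// WordPress stores the requested REST route in this query var.
	$route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
		? $GLOBALS['wp']->query_vars['rest_route']
		: '/';

	if ( myplugin_is_public_route( $route, MYPLUGIN_PUBLIC_ROUTES ) ) {
		return $result;
	}

	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			'Authentication required.',
			array( 'status' => 401 )
		);
	}

	return $result;
}
add_filter( 'rest_authentication_errors', 'myplugin_require_auth' );
```

An allowlisted route is reachable with no token at all, so a handler such as the webhook one has to authenticate its caller by its own means.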