• Resolved rickera

    (@rickera)


    Hello, I had a very general question about the WordPress REST API. I have seen that it accepts three types of authentication (basic, nonce, oauth). Is there a way to only allow oauth-authenticated requests to pass through? Thanks in advance.

    • This topic was modified 8 years, 5 months ago by rickera.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    I believe so. I’m not really up to speed with WP REST, but it’s my understanding all requests have certain authorization headers set that are unique to each authorization type. So you need a way to check for the OAuth specific headers when a request comes in. If they are not present, a different authorization method is being used.

    I think the place to do this check is by hooking the ‘rest_authentication_errors’ filter. Your callback should first check if a WP_Error object is passed. If it is, just return the error object; the authorization has already failed. If there’s no error, you can then call apache_request_headers() to check if the OAuth headers are present. If not, create a new WP_Error object to return, failing the authorization. Otherwise return whatever value was passed, which at this point will be either true or null. True means some sort of authorization has succeeded already; null means some sort of authorization still needs to be checked. Since you found the proper OAuth headers, either value works for your needs.

    Thread Starter rickera

    (@rickera)

    Thanks for your reply! That is a really good point. I didn’t have access to the correct headers from apache_request_headers() in the ‘rest_authentication_errors’ hook, but they were checkable in the ‘rest_pre_dispatch’ hook. Thanks so much as it really helped my train of thought!

    Cheers
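
The check discussed in this thread, hooked on ‘rest_pre_dispatch’ as the thread starter ended up doing, sketched as an added example (not code posted by either participant, and not taken from WordPress core or any OAuth plugin). The `myprefix_` function names and the error codes are hypothetical, and it assumes an OAuth 1.0a server plugin is installed and performs the actual signature verification; this filter only rejects requests that never presented OAuth credentials or did not resolve to a user.

```php
<?php
// Hypothetical helper: true when the request carries OAuth 1.0a protocol parameters.
// Presence only; verifying the signature is left to the OAuth server plugin (assumed installed).
function myprefix_has_oauth1_params( WP_REST_Request $request ) {
    // Form 1: "Authorization: OAuth oauth_consumer_key=..., oauth_signature=..."
    $auth = (string) $request->get_header( 'authorization' );
    if ( 0 === stripos( $auth, 'OAuth ' ) && false !== stripos( $auth, 'oauth_signature=' ) ) {
        return true;
    }
    // Form 2: the same parameters sent in the query string or form body.
    foreach ( array( 'oauth_consumer_key', 'oauth_token', 'oauth_signature' ) as $key ) {
        if ( null === $request->get_param( $key ) ) {
            return false;
        }
    }
    return true;
}

// Runs before any route callback; a non-empty return value short-circuits dispatch.
function myprefix_require_oauth1( $result, $server, $request ) {
    // Another filter already produced a response or an error: pass it through.
    if ( null !== $result ) {
        return $result;
    }
    // Cookie + nonce and basic auth requests carry no OAuth parameters: reject them.
    if ( ! myprefix_has_oauth1_params( $request ) ) {
        return new WP_Error(
            'myprefix_oauth1_required',
            'This API only accepts OAuth 1.0a authenticated requests.',
            array( 'status' => 401 )
        );
    }
    // OAuth parameters were presented but no user was authenticated from them.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'myprefix_oauth1_failed',
            'OAuth authentication did not resolve to a user.',
            array( 'status' => 401 )
        );
    }
    return $result; // Still null: let the REST server dispatch normally.
}
add_filter( 'rest_pre_dispatch', 'myprefix_require_oauth1', 10, 3 );
```

Using `WP_REST_Request::get_header()` instead of `apache_request_headers()` keeps the check independent of the web server API in use.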

  • The topic ‘Force Oauth1 on all WP REST API Requests’ is closed to new replies.