I am not sure about the technical term for what I am looking for. However, I have done this in Laravel using middleware. I am trying to achieve the same in the WordPress REST API.
I am planning to make a site as a service using the WordPress REST API, which I will use cross-platform. Since anyone can access the WordPress API, it is too dangerous.
I want to block it for the public and allow only those who pass the access token (not JWT or OAuth) to access the API. This is how I can limit access.
So if I make an Android app and pass the access token, it will have access, but anyone who wants to make an app from my API won't be able to.
I hope I have explained it clearly enough. You can see my middleware code, which might help to explain more.
Use the WordPress JWT plugin that adds authentication for the WordPress API: https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/
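Since the question asks for a plain pre-shared access token rather than JWT, here is what that looks like on the WordPress side, as an added example that is not code from the original post or from the plugin linked above. It hooks rest_authentication_errors, which WordPress runs for every REST request (including /wp-json/ discovery). The header name X-App-Token, the WP_APP_ACCESS_TOKEN constant and the mu-plugins location are assumptions. Requests carrying a valid wp_rest nonce (the admin screens and block editor) are left to WordPress's normal cookie check; everything else must present the token.

```php
<?php
/**
 * Added example (not from the original post): restrict the whole WordPress
 * REST API to clients that present a pre-shared access token.
 * Save as wp-content/mu-plugins/require-app-token.php and put
 *   define( 'WP_APP_ACCESS_TOKEN', '<long random string>' );
 * in wp-config.php. Header and constant names are assumptions.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication filter already decided (true or WP_Error); keep that.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Same-origin requests from logged-in users carry a wp_rest nonce (X-WP-Nonce
    // header or _wpnonce parameter). Let WordPress's own cookie check handle them.
    $nonce = $_SERVER['HTTP_X_WP_NONCE'] ?? $_REQUEST['_wpnonce'] ?? null;
    if ( $nonce && wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return $result;
    }

    // Fail closed: if no token is configured, nobody gets anonymous API access.
    if ( ! defined( 'WP_APP_ACCESS_TOKEN' ) || '' === WP_APP_ACCESS_TOKEN ) {
        return new WP_Error(
            'rest_not_configured',
            'API access token is not configured.',
            array( 'status' => 503 )
        );
    }

    // Apache/nginx expose the X-App-Token request header as HTTP_X_APP_TOKEN.
    $presented = isset( $_SERVER['HTTP_X_APP_TOKEN'] ) ? (string) $_SERVER['HTTP_X_APP_TOKEN'] : '';

    // hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
    if ( '' === $presented || ! hash_equals( WP_APP_ACCESS_TOKEN, $presented ) ) {
        return new WP_Error(
            'rest_forbidden',
            'A valid access token is required.',
            array( 'status' => 401 )
        );
    }

    // Token matched: fall through to the route's own permission_callback.
    return $result;
} );
```

The Android app then sends `X-App-Token: <token>` on every request. Caveat: a token compiled into a shipped app can be recovered by anyone who unpacks the APK, so this keeps casual scrapers out but is not a secret from a determined third party. Serve the API over HTTPS only, rotate the token if it leaks, and keep per-user authentication for anything that reads private data or writes.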
Related
I would like to program a REST API to be used by a WordPress plugin. The REST API should only work if the WordPress user also has certain rights. I would like to know how I can protect the REST API so that it is not used without permission and only works when a WordPress user is logged in with permission. What is the best way to implement this conceptually? Do you have any ideas?
Thanks.
I don't know what WordPress plugin capabilities are from an authentication perspective, but usually REST APIs respect HTTP standards, so the same authentication schemes apply (Basic, OAuth, API key, etc.). It also depends on where the REST API would run, such as on a remote server...
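For the case where the REST API lives inside WordPress itself, the conceptual answer is: let WordPress authenticate the user (cookie plus X-WP-Nonce, Application Passwords, or an auth plugin) and put the authorization decision in the route's permission_callback. This is an added example, not code from the original question or answer; the namespace acme/v1, the route name and the manage_options capability are assumptions.

```php
<?php
/**
 * Added example (not from the original thread): a custom REST route that only
 * works for a logged-in WordPress user holding a specific capability.
 * Namespace, route and capability names are assumptions for illustration.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_report_handler',
        // Authorization lives here. WordPress resolves the user before calling this,
        // so is_user_logged_in() and current_user_can() reflect the real caller.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                // rest_authorization_required_code() returns 401 here (not logged in).
                return new WP_Error(
                    'rest_not_logged_in',
                    'You must be logged in to use this endpoint.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                // ...and 403 here (logged in, but lacks the capability).
                return new WP_Error(
                    'rest_forbidden',
                    'You do not have permission to use this endpoint.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function acme_report_handler( WP_REST_Request $request ) {
    // Only reached after permission_callback returned true.
    return rest_ensure_response( array(
        'user'   => wp_get_current_user()->user_login,
        'report' => 'data that only administrators may read',
    ) );
}

// Browser side of the plugin: hand the REST nonce to the admin-page script so its
// calls are recognised as the logged-in user. Without X-WP-Nonce WordPress treats
// a cookie-bearing request as anonymous and the permission_callback returns 401.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeApi', array(
        'url'   => esc_url_raw( rest_url( 'acme/v1/report' ) ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );
```

In admin.js the call is then `fetch(acmeApi.url, { credentials: 'same-origin', headers: { 'X-WP-Nonce': acmeApi.nonce } })`. A remote caller (another server, a script) would instead authenticate with an Application Password over HTTP Basic or an auth plugin; the permission_callback is the same either way, which is the point of keeping the check there rather than in the handler.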
I'm building a Next.js site with headless WordPress and will use the REST API or maybe the GraphQL alternative. My question is whether authorization with a JWT token is necessary for just fetching public posts?
I have tried it and it seems to make requests very slow, plus it creates overhead in terms of storing it in a cookie, etc.
In the Next.js wordpress-cms example they only use authorization optionally, to be able to get unpublished posts.
So in a nutshell: do I need to implement authorization with a JWT token for every request to make my site secure, or is this not necessary when building a Next.js site with headless WordPress?
You don't need to implement any kind of authorization to serve public content. You may need authorization to serve private content and/or to publish data, just like a normal WordPress setup. Compared to REST, GraphQL provides lighter and cleaner data, so it might be a better solution for a headless WP most of the time.
After searching the WordPress documentation and Google, I haven't found any proper way to achieve my goal: being able to log in to WordPress from a custom third-party application built with Node.js.
The steps are: check whether the username/password pair is an administrator, then process tasks in my external app.
Has anyone already used the WordPress REST API to authenticate a user? WITHOUT INSTALLING ANY PLUGIN; I just want to get a response from the server saying whether my username/password pair is valid and is an administrator. I know I can query the database to check, but I want to go through the built-in WP REST API.
Thank you.
The simple answer is no, and here is why:
While cookie authentication is the only authentication mechanism available natively within WordPress, plugins may be added to support alternative modes of authentication that will work from remote applications. Some example plugins are OAuth 1.0a Server, Application Passwords, and JSON Web Tokens.
Source: WordPress Official Handbook
However, there is a painful and insecure way of doing it with plain HTTP authentication, which is not recommended.
The recommended way of doing this securely is to get the WordPress JWT or OAuth Server extension and go through the standard authentication process, which is more convenient and secure; WordPress already lists them, as referenced in the quote. Hope this helps!
I'm so confused about how to get authentication between an external, consumer website and a Laravel API right. What I'd like is to have a web app for which users are able to present information from the app to other people, using an external website that consumes the app's API. Here's an example of the basic setup in a bit more detail:
A Laravel 5.3 app that has a protected API endpoint api/status. Only authenticated users should be able to hit api/status, and the status returned is a particular status for the authenticated user.
An external website that consumes the Laravel API on behalf of a user, let's call her Alice. The necessary information is stored in the backend of Alice's website so that it can authenticate with the API on behalf of Alice. (The actual implementation I'm working on will be a WordPress site, and the API consumption will be done by a WordPress plugin that I am implementing; so any info stored will likely be stored in the WordPress database.)
The website has a /status page that displays Alice's status to anyone who browses to the page. (I.e., when the /status page is browsed to, an API call to the app is made on behalf of Alice. The returned status is specific to Alice, and is displayed to the person browsing the page.) People browsing to /status on Alice's website do NOT need to do any sort of authenticating to view the status on the page.
That is very simplified compared to my actual goal, but I hope it serves to keep the extraneous details to a minimum so we can focus on my actual question, which is what method of authentication should I use to achieve this?
One thing I DON'T want:
The person browsing Alice's website should NOT be able to use their browser's inspector to watch the API call and from that create further API calls on Alice's behalf on their own.
I have Passport installed on my Laravel app, but if I'm understanding things correctly I don't want to use the basic Access Token issuing workflow, as that would require the people browsing to Alice's website to authenticate using Alice's credentials. For the same reason, I don't think I want an Implicit Grant Token.
Using a Password Grant Token would require storing Alice's password for the Laravel app on her website. Is it ok to store passwords like this in a WordPress database? It makes me nervous...
The other option available through Passport is to have Alice create a Personal Access Token and store that in her website backend as the token to use to authenticate. But the Laravel documentation seems to imply that Personal Access Tokens are meant for testing and development purposes, which makes me wary of going this route for a production plugin. Plus, doesn't using a PAT make it possible to do the thing I DON'T want above, since the PAT is simply passed in the request header? Or is that problem mitigated by the fact that the API interaction would be done over SSL?
Do I even need to go through Passport to achieve what I want here? Is there a better way?
I've been reading myself in circles trying to understand what the best practice for this kind of setup is. I'm sorry if this question isn't focused enough, but if anyone has any good advice, or can clarify things for me I would much appreciate it!
What I need to achieve is the following, but I am quite stuck on the correct way to go about this:
From WordPress, specifically in the admin console, I need to authenticate with an external website in a secure manner
Store a token of some sort (OAuth2?)
Make authenticated calls from my plugin to the 3rd party REST API
What would be the best way, and a couple of methods, to:
Authenticate, retrieve and store a token from the WordPress admin (preferably OAuth2)
Send this token to the external site with every API call?
Apologies on the vague nature but any direction will really help!!!
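The two questions above (Alice's site calling a Laravel API on her behalf, and a plugin that connects to a third-party API from the WordPress admin and reuses the token) share one mechanism, so here is a single added example covering both. It is not code from either poster and not Laravel Passport's or WordPress's own code: it drives an OAuth2 authorization-code flow from the admin, stores the tokens in wp_options, refreshes them when they expire, and sends the Bearer header on every call made from PHP. The provider URLs under api.example.com, the ACME_* constants, the option name and the status:read scope are assumptions. Because the upstream request is made by the site's server, a visitor's browser only ever receives the rendered HTML; it never sees the token or the API call, which is the property the first question asks for.

```php
<?php
/**
 * Added example (not from the original questions, Laravel or WordPress):
 * OAuth2 authorization-code flow started from the WordPress admin, tokens kept
 * in wp_options, and every API call made server-side with a Bearer header.
 * Provider URLs, ACME_CLIENT_ID / ACME_CLIENT_SECRET (expected in wp-config.php)
 * and the option name are assumptions for illustration.
 */

define( 'ACME_API_BASE',      'https://api.example.com' );
define( 'ACME_AUTHORIZE_URL', ACME_API_BASE . '/oauth/authorize' );
define( 'ACME_TOKEN_URL',     ACME_API_BASE . '/oauth/token' );
define( 'ACME_OPTION',        'acme_oauth_tokens' );
define( 'ACME_REDIRECT_URI',  admin_url( 'admin-post.php?action=acme_callback' ) );

// Step 1: the admin clicks "Connect". The state value is a nonce bound to the logged-in
// admin, so a forged callback (CSRF) is rejected in step 2.
add_action( 'admin_post_acme_connect', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', 403 );
    }
    $url = add_query_arg( array(
        'response_type' => 'code',
        'client_id'     => ACME_CLIENT_ID,
        'redirect_uri'  => ACME_REDIRECT_URI,
        'scope'         => 'status:read',
        'state'         => wp_create_nonce( 'acme_oauth_state' ),
    ), ACME_AUTHORIZE_URL );
    wp_redirect( $url );
    exit;
} );

// Step 2: the provider redirects back with ?code=...&state=...; exchange the code here,
// on the server, so the client secret never leaves PHP.
add_action( 'admin_post_acme_callback', function () {
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! current_user_can( 'manage_options' ) || empty( $_GET['code'] )
        || ! wp_verify_nonce( $state, 'acme_oauth_state' ) ) {
        wp_die( 'Invalid OAuth callback', 403 );
    }
    $tokens = acme_token_request( array(
        'grant_type'   => 'authorization_code',
        'code'         => sanitize_text_field( wp_unslash( $_GET['code'] ) ),
        'redirect_uri' => ACME_REDIRECT_URI,
    ) );
    if ( is_wp_error( $tokens ) ) {
        wp_die( esc_html( $tokens->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=acme&connected=1' ) );
    exit;
} );

// POST to the token endpoint (authorization_code or refresh_token grant) and persist the result.
function acme_token_request( array $params ) {
    $response = wp_remote_post( ACME_TOKEN_URL, array(
        'timeout' => 15,
        'body'    => $params + array( 'client_id' => ACME_CLIENT_ID, 'client_secret' => ACME_CLIENT_SECRET ),
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( 200 !== wp_remote_retrieve_response_code( $response ) || empty( $body['access_token'] ) ) {
        return new WP_Error( 'acme_oauth', 'Token endpoint rejected the request.' );
    }
    $old    = get_option( ACME_OPTION, array() );
    $stored = array(
        'access_token'  => $body['access_token'],
        'refresh_token' => $body['refresh_token'] ?? ( $old['refresh_token'] ?? '' ), // keep if not rotated
        'expires_at'    => time() + (int) ( $body['expires_in'] ?? 3600 ) - 60,        // refresh a minute early
    );
    update_option( ACME_OPTION, $stored, false ); // autoload=false: not needed on every page load
    return $stored;
}

// Step 3: every API call goes through here, refreshing the token when it has expired.
function acme_api_get( $path ) {
    $tokens = get_option( ACME_OPTION );
    if ( empty( $tokens['access_token'] ) ) {
        return new WP_Error( 'acme_not_connected', 'Site is not connected to the API.' );
    }
    if ( time() >= $tokens['expires_at'] ) {
        $tokens = acme_token_request( array( 'grant_type' => 'refresh_token', 'refresh_token' => $tokens['refresh_token'] ) );
        if ( is_wp_error( $tokens ) ) {
            return $tokens;
        }
    }
    $response = wp_remote_get( ACME_API_BASE . $path, array(
        'timeout' => 10,
        'headers' => array( 'Authorization' => 'Bearer ' . $tokens['access_token'], 'Accept' => 'application/json' ),
    ) );
    return is_wp_error( $response ) ? $response : json_decode( wp_remote_retrieve_body( $response ), true );
}

// Public /status page: anonymous visitors get the rendered result only, never the token.
add_shortcode( 'acme_status', function () {
    $data = acme_api_get( '/api/status' );
    return is_wp_error( $data ) ? '<p>Status unavailable.</p>' : '<p>' . esc_html( $data['status'] ?? 'unknown' ) . '</p>';
} );
```

Two caveats a practitioner would want. First, wp_options is readable by anyone with database or administrator access, so the stored refresh token is exactly as secret as the WordPress install itself; scope it narrowly (read-only, as above) and make sure the provider lets Alice revoke it. Second, whether the credential is an OAuth2 refresh token, a Passport Personal Access Token or a password-grant token, what protects it from the person browsing /status is not TLS alone but the fact that the request is made server-to-server; the moment the token is handed to client-side JavaScript, every visitor can replay it.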