Wordpress - WP REST API Require Password for GET Endpoint

When we register a rest route with register_rest_route(), then we can use the permission_callback parameter with the kind of permission we want.

Check for example how WP_REST_Posts_Controller::register_routes() and WP_REST_Users_Controller::register_routes() implement the permission callback.

The password argument you're referring to is the content's password, that you can set for each post and that's not the same.

But since you want to target existing routes, like:

/wp/v2/cards
/wp/v2/cards/(?P<id>[\d]+)
/wp/v2/cards/...possibly some other patterns...

you could try e.g. the rest_dispatch_request filter to setup your additional permission check for those kind of routes.

Here's a demo plugin:

add_filter( 'rest_dispatch_request', function( $dispatch_result, $request, $route, $hndlr )
{
    $target_base = '/wp/v2/cards';    // Edit to your needs

    $pattern1 = untrailingslashit( $target_base ); // e.g. /wp/v2/cards
    $pattern2 = trailingslashit( $target_base );   // e.g. /wp/v2/cards/

    // Target only /wp/v2/cards and /wp/v2/cards/*
    if( $pattern1 !== $route && $pattern2 !== substr( $route, 0, strlen( $pattern2 ) ) )
        return $dispatch_result;

    // Additional permission check
    if( is_user_logged_in() )  // or e.g. current_user_can( 'manage_options' )
        return $dispatch_result;

    // Target GET method
    if( WP_REST_Server::READABLE !== $request->get_method() ) 
        return $dispatch_result;

    return new \WP_Error( 
        'rest_forbidden', 
        esc_html__( 'Sorry, you are not allowed to do that.', 'wpse' ), 
        [ 'status' => 403 ] 
    );

}, 10, 4 );

where we target the /wp/v2/cards and /wp/v2/cards/* GET routes, with additional user permission checks.

When debugging it with the WordPress cookie authentication, we can e.g. test it directly with:

https://example.tld/wp-json/wp/v2/cards?_wpnonce=9467a0bf9c

where the nonce part has been generated from wp_create_nonce( 'wp_rest' );

Hope this helps!


The "password" field you are seeing is actually not for the REST API, but for the Post entry itself. Individual posts in WordPress can be password protected such that you need the password in order to see their content.

This form of individual post-password is not a strong password mechanism, it is a shared password. The password is the same for all users, and it is stored in the database unencrypted and unhashed. It is was never intended as a secure mechanism by any means, it is a simple mechanism to hide content in a simple way.

If you want to use this mechanism with the REST API, then it is possible. For example, if the individual post's ID is 123, then a post can be retrieved like so:

http://example.com/wp-json/wp/v2/posts/123

If that post is password protected, then this URL will retrieve it:

http://example.com/wp-json/wp/v2/posts/123?password=example-pass

Reference: https://developer.wordpress.org/rest-api/reference/posts/#retrieve-a-post

If you need stronger, user-based authentication, then WordPress offers a way to make posts "private" instead. This setting makes posts only visible to user accounts that have the "read_private_posts" capability, which is limited to the Administrator and Editor roles by default. (Note: Private only makes the post contents private, their Titles can still be exposed.)

When you make a custom post type, this same capability is mapped to the plural of your type (using plural_base). So for a post type of cards, there would be a similar "read_private_cards" permission available for you to assign to user roles if desired.

Now, Authentication on a user-level is not actually built into the REST API. The standard WordPress cookie based auth works fine, however the API offers no way to get that cookie. It will accept it if it is present, but you have to do the normal login flow to get such a cookie. If you want some other authentication approach, then you need a plugin for it.

Four such plugins exist. These are OAuth 1.0, Application Passwords, JSON Web Tokens, and a Basic Authentication plugin. Note that the Basic Authentication is easiest, however it is also insecure and thus only recommended for testing and development purposes. It should not be used on a live production server.

You can find more information about these plugins here:

https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/#authentication-plugins

Tags:

Rest Api

Related

Wordpress - How do I create a user using the new JSON api in 4.7? Wordpress - WordPress localhost site redirect to live site Wordpress - Add multiple value to a query variable in WordPress Wordpress - Sorting search results by taxonomy terms Wordpress - How can I batch delete all unattached images with WP-CLI or other automated process? Wordpress - How can I uninstall a language? Wordpress - Cannot deregister a script using wp_deregister_script Wordpress - Loading external page template and enqueue script from plugin causes 403 forbidden error Wordpress - MU domain mapping login issue Wordpress - Uncaught Error: Call to undefined function wp_generate_attachment_metadata() @ wp-cron Wordpress - How to influence the information displayed on widget inside wp-admin Wordpress - why ignore_sticky_posts in sticky post query

Recent Posts