generated from alleyinteractive/create-wordpress-plugin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathreadme.txt
147 lines (104 loc) · 5.06 KB
/
readme.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
=== REST API Guard ===
Stable tag: 1.3.2
Requires at least: 6.0
Tested up to: 6.3
Requires PHP: 8.0
License: GPL v2 or later
Tags: alleyinteractive, rest-api-guard
Contributors: sean212
Restrict and control access to the REST API.
## Installation
You can install the package via composer:
composer require alleyinteractive/wp-rest-api-guard
## Usage
The WordPress REST API is generally very public and can share a good deal of information with the internet anonymously. This plugin aims to make it easier to restrict access to the REST API for your WordPress site.
Out of the box the plugin can:
- Disable anonymous access to the REST API.
- Restrict and control anonymous access to the REST API by namespace, path, etc.
### Settings Page
The plugin can be configured via the Settings page (`Settings -> REST API Guard`) or via the relevant filter.
### Preventing Access to User Information (`wp/v2/users`)
By default, the plugin will restrict anonymous access to the users endpoint. This can be prevented in the plugin's settings or via code:
add_filter( 'rest_api_guard_allow_user_access', fn () => true );
### Preventing Access to Index (`/`) or Namespace Endpoints (`wp/v2`)
To prevent anonymous users from browsing your site and discovering what plugins/post types are setup, the plugin restricts access to the index (`/`) and namespace (`wp/v2`) endpoints. This can be prevented in the plugin's settings or via code:
// Allow index access.
add_filter( 'rest_api_guard_allow_index_access', fn () => true );
// Allow namespace access.
add_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) => true );
### Restrict Anonymous Access to the REST API
The plugin can restrict anonymous access for any request to the REST API in the plugin's settings or via code:
add_filter( 'rest_api_guard_prevent_anonymous_access', fn () => true );
### Limit Anonymous Access to Specific Namespaces/Routes (Allowlist)
Anonymous users can be granted access only to specific namespaces/routes. Requests outside of these paths will be denied. This can be configured in the plugin's settings or via code:
add_filter(
'rest_api_guard_anonymous_requests_allowlist',
function ( array $paths, WP_REST_Request $request ): array {
// Allow other paths not included here will be denied.
$paths[] = 'wp/v2/post';
$paths[] = 'custom-namespace/v1/public/*';
return $paths;
},
10,
2
);
### Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)
Anonymous users can be restricted from specific namespaces/routes. This acts as
a denylist for specific paths that an anonymous user cannot access. The paths
support regular expressions for matching. The use of the allowlist takes
priority over this denylist. This can be configured in the plugin's settings or
via code:
add_filter(
'rest_api_guard_anonymous_requests_denylist',
function ( array $paths, WP_REST_Request $request ): array {
$paths[] = 'wp/v2/user';
$paths[] = 'custom-namespace/v1/private/*';
return $paths;
},
10,
2
);
### Require JSON Web Token (JWT) Authentication
Anonymous users can be required to authenticate via a JSON Web Token (JWT) to
access the REST API. Users should pass an `Authorization: Bearer <token>` header
with their request. This can be configured in the plugin's settings or via code:
add_filter( 'rest_api_guard_authentication_jwt', fn () => true );
Out of the box, the plugin will look for a JWT in the `Authorization: Bearer
<token>` header. The JWT will be expected to have an audience of
'wordpress-rest-api' and issuer of the site's URL. This can be configured in the
plugin's settings or via code:
add_filter(
'rest_api_guard_jwt_audience',
function ( string $audience ): string {
return 'custom-audience';
}
);
add_filter(
'rest_api_guard_jwt_issuer',
function ( string $issuer ): string {
return 'https://example.com';
}
);
The JWT's secret will be autogenerated and stored in the database in the
`rest_api_guard_jwt_secret` option. The secret can also be changed via code:
add_filter(
'rest_api_guard_jwt_secret',
function ( string $secret ): string {
return 'my-custom-secret';
}
);
### Allow JWT Authentication for Authenticated Users
Authenticated users can be authenticated with the REST API via a JSON Web Token.
Similar to the anonymous JWT authentication, users should pass an
`Authorization: Bearer <token>` header with their request. This can be
configured in the plugin's settings or via code:
add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );
### Generating JWTs for Anonymous and Authenticated Users
JWTs can be generated by calling the
`wp rest-api-guard generate-jwt [--user=<user_id>]` command or using the
`Alley\WP\REST_API_Guard\generate_jwt()` method:
$jwt = \Alley\WP\REST_API_Guard\generate_jwt(
expiration: 3600, // Optional. The expiration time in seconds from now.
user: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
);