Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Ali Qureshi

    (@parorrey)

    As you are already using JSON API and know the purpose of the get_nonce core method, get_nonce does exactly that for registering a new user. If you want to add another layer for authentication, how are your users supposed to get those tokens?

    BTW, this is for RESTful API user registration, which is usually used for mobile apps. Also, the API URL is not public and only your own app will be accessing it. You can also secure the API URL by user/pass in the Apache .htaccess file.

    Thread Starter Jon

    (@wpscuser)

    Thanks Ali, maybe I misunderstand, but from what I’ve tested there is a potential security risk.

    I am calling the API from a mobile app, but the API doesn’t know or care what called it. The API URL is a standard format, so it can be guessed, just replacing the website name. The user.register API won’t work without a valid nonce, but the get_nonce API can be called without validation. So, if I give you my website address for example, you will be able to create users and log in, etc.

    I think I may need to modify core.php to add in a key which is specific to my implementation, that the get_nonce checks before issuing the nonce. I can code that into my app to submit it as a parameter on the get_nonce request.

    The same is true for create_post process which starts with get_nonce.

    Sorry if I misunderstand, but I’m building a service which needs to be secure and I think this might be a problem. I’m using JSON-API because it’s by far the best plugin available for JSON with WordPress and speeds up development time significantly. So I want to stick with it.

    Thanks for your help.
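    The gate Jon describes above, as an added illustration in Python that is not the plugin's own code: get_nonce only issues a nonce when the request carries a timestamped HMAC made with a per-app key, and user.register still consumes that nonce (bound to controller and method, single use, time-limited). The app id, the key, the 60-second clock skew and the 300-second nonce lifetime are constructed values for the demo.

```python
import hmac, hashlib, secrets, time

# Constructed demo data: one shared secret per app build, handed out out-of-band.
APP_KEYS = {"mobile-app-v1": b"constructed-demo-secret-not-real"}
MAX_SKEW = 60      # seconds a request timestamp may drift before it is refused
NONCE_TTL = 300    # seconds an issued nonce stays valid
_issued = {}       # nonce -> (controller, method, expiry)


def sign(app_id, controller, method, ts, key):
    """HMAC over the fields the server will check; the app computes this per request."""
    msg = f"{app_id}|{controller}|{method}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def get_nonce(app_id, controller, method, ts, sig, now=None):
    """Hardened get_nonce: refuse unless the caller proves it holds the app key."""
    now = time.time() if now is None else now
    key = APP_KEYS.get(app_id)
    if key is None or abs(now - ts) > MAX_SKEW:
        return {"status": "error", "error": "unknown app id or stale timestamp"}
    expected = sign(app_id, controller, method, ts, key)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return {"status": "error", "error": "bad signature"}
    nonce = secrets.token_hex(16)
    _issued[nonce] = (controller, method, now + NONCE_TTL)
    return {"status": "ok", "controller": controller, "method": method, "nonce": nonce}


def user_register(nonce, username, now=None):
    """user.register is unchanged in spirit: it only honours a valid, unexpired, single-use nonce."""
    now = time.time() if now is None else now
    entry = _issued.pop(nonce, None)             # pop makes the nonce single use
    if entry is None or entry[:2] != ("user", "register") or now > entry[2]:
        return {"status": "error", "error": "invalid or expired nonce"}
    return {"status": "ok", "user": username}
```

The key only raises the bar to whoever can extract it from the app binary, so keep rate limiting on both endpoints as well.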

    Plugin Author Ali Qureshi

    (@parorrey)

    Yes, you can make it secure on the server side at the Apache .htaccess level, apart from using a hard-to-guess URL for the API rather than the standard /api/.

    BTW, in a couple of days I’m going to release an update with some new methods in this plugin, especially the fb_connect() method for getting a user registered or logged in using a valid access_token, and some others for BuddyPress xprofile fields.

    Thread Starter Jon

    (@wpscuser)

    Great thanks!

    Hi, I also use JSON API User extensively and would like to secure it in the .htaccess file. I’m new to APIs and was wondering if you could explain exactly how to edit the file and then send requests with the new information?

    This would be super helpful in making my app more secure. Thanks!

    Plugin Author Ali Qureshi

    (@parorrey)

    Easy solution: I’d say just get the pro version http://www.parorrey.com/solutions/json-api-user-plus/, where every call is secured with an API key.

    Alternatively, you can rename the /api/ to /some-hard-to-guess-url/

    I’d not recommend .htaccess rules; they might mess up your whole permalink structure.

    Awesome! Thanks for the super fast reply. The plugin is the most important on my site. I will be purchasing the pro version later today. Thanks for all your awesome work.

  • The topic ‘Stop spam registrations?’ is closed to new replies.