• Hello,

    I created a custom REST API endpoint in my WordPress website and I want to POST some data from a non-WP website using curl. I added the permission_callback parameter so only logged-in users who have the manage_options capability can POST data.

    I am getting the following error:

    {"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.","data":{"status":401}}

    I know it requires authentication to perform the request, but how can I create a _nonce parameter on my non-WP website?

Viewing 8 replies - 1 through 8 (of 8 total)
  • A nonce parameter alone won’t get authorisation.

    The key is the permission callback, which needs to validate something and return true; see https://developer.wordpress.org/rest-api/extending-the-rest-api/adding-custom-endpoints/#permissions-callback

    So, assuming that you don’t have a high security need, you could POST a password via curl and simply check in the permission callback that the POSTed password matches.

    For more secure options you could use JSON Web Tokens; fortunately there is, of course, a plugin that has done the heavy lifting: https://en-gb.wordpress.org/plugins/jwt-authentication-for-wp-rest-api/

    Thread Starter Danish Ali Malik

    (@danish-ali)

    Thanks, Alan for the reply.

    I tried adding the following condition for testing but it still shows the error.

    function validate_api_request(){
        // current_user_can() checks the user WordPress identified from the
        // request; when nobody is logged in it returns false.
        if(current_user_can('manage_options')){
            return true;
        }else{
            return false;
        }
    }

    If I simply add return true in the function it works fine.

    This is to be expected.

    You are calling from curl, therefore there is no logged-in user, so current_user_can will always return false.

    WordPress uses cookies to check if a user is logged in. In theory you could try to send the user’s browser cookies via curl (but if that is your intention, i.e. the curl call is part of a logged-in WordPress experience, I would suggest your architecture is wrong and you should be calling the endpoint within WP, e.g. in a plugin or functions.php using wp_remote_post, or better still using JavaScript).

    function validate_api_request($request){
        // Some condition that checks the request without needing a WordPress
        // user, since none is logged in, e.g. the "password" request parameter
        // equals '123456'.
        if ($request->get_param('password') === '123456') {
            return true;
        } else {
            return false;
        }
    }
    • This reply was modified 2 years, 7 months ago by Alan Fuller.
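Putting the two points above together (the permission callback must itself validate something and return true, and a curl request carries no logged-in user, so current_user_can() cannot help), here is an added example of a custom route whose permission_callback authenticates a non-WP caller with a shared secret. This is not code from the thread or from WordPress core; the namespace `example/v1`, the route `/submit`, the `X-Api-Key` header, the `example_last_message` option and the `EXAMPLE_API_SHARED_SECRET` constant are assumptions for illustration.

```php
<?php
/**
 * Added example (not from the thread): a REST route on the WordPress site
 * whose permission_callback checks a shared secret instead of a user.
 * Route, header name and constant are assumptions.
 *
 * Put this in a plugin or functions.php. Define the secret in
 * wp-config.php, not in a template and not in version control:
 *   define( 'EXAMPLE_API_SHARED_SECRET', '<long random string>' );
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/submit', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_handle_submit',
        'permission_callback' => 'example_check_shared_secret',
        'args'                => array(
            'message' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

/**
 * Permission callback. No cookie means no current user, so compare a secret
 * sent in a request header. hash_equals() avoids a timing side channel; a
 * header keeps the secret out of the JSON body and out of most access logs.
 */
function example_check_shared_secret( WP_REST_Request $request ) {
    if ( ! defined( 'EXAMPLE_API_SHARED_SECRET' ) || EXAMPLE_API_SHARED_SECRET === '' ) {
        return new WP_Error( 'rest_misconfigured', 'API secret not configured.', array( 'status' => 500 ) );
    }

    // A shared secret on plain HTTP is readable by anyone on the path.
    if ( ! is_ssl() ) {
        return new WP_Error( 'rest_forbidden', 'HTTPS required.', array( 'status' => 403 ) );
    }

    $presented = (string) $request->get_header( 'x-api-key' );
    if ( $presented === '' || ! hash_equals( EXAMPLE_API_SHARED_SECRET, $presented ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 401 ) );
    }
    return true;
}

// Runs only after the permission callback returned true.
function example_handle_submit( WP_REST_Request $request ) {
    $message = $request->get_param( 'message' );
    update_option( 'example_last_message', $message );
    return rest_ensure_response( array( 'stored' => true, 'length' => strlen( $message ) ) );
}

/*
 * The matching call from the non-WP site (site-b.example is a placeholder):
 *
 *   curl -sS -X POST https://site-b.example/wp-json/example/v1/submit \
 *        -H "X-Api-Key: $SECRET" \
 *        -H 'Content-Type: application/json' \
 *        -d '{"message":"hello from site A"}'
 */
```

Returning a WP_Error with a status instead of a bare false gives the caller a distinguishable reason (misconfiguration versus bad key) while keeping the generic `rest_forbidden` code for the failure the caller controls. The `is_ssl()` check is a design choice: drop it only on a local development site, since the secret is the whole authentication.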
    Thread Starter Danish Ali Malik

    (@danish-ali)

    Hi Alan,

    Thanks for the details. May I know what’s the actual reason some WP functions work in the callback function and some don’t? Like, I tried wp_verify_nonce but it didn’t work, but if I use get_option it works. What’s the reason and logic behind that?

    What do you mean by didn’t work: did you mean it fatal errored or returned false?

    Thread Starter Danish Ali Malik

    (@danish-ali)

    I created the nonce on the website and sent it to the second website by using the URL where the REST API POST script is written.

    I was able to get the nonce value in the script on site B. I sent the POST request with the nonce parameter in the body of the request and was able to successfully get it. When I use wp_verify_nonce it returns false. No fatal error, just an empty response.

    Thread Starter Danish Ali Malik

    (@danish-ali)

    Hi Alan,

    I was able to fix this issue by matching the password, but now I want to generate the HTML and append it to the HTML div on the WordPress website where the request has been sent from.

    I tried calling the function in the REST API callback function, but the changes need to happen on the remote website where the request is being sent from.

    I’m not 100% sure I’m following you, but a WP nonce is generated for a single site.

    If you have two sites you need a mechanism to have a ‘password’ or ‘key’ that is generated on one site and recognized on the other.

    As I said earlier, a ‘low’ security option is to hard-code a password on both sites, e.g. ‘password123’ 🙂

    Or you could create another endpoint on site B that generates the key, stores it on site B and sends it to site A to display. This is nearly as insecure as hard-coding, but at least gives the opportunity to randomize. You would also need to add some sort of validity period.

    Or a higher-security option is to use private/public keys and JSON Web Tokens; complex, but as I said, fortunately there is of course a plugin that has done the heavy lifting: https://en-gb.wordpress.org/plugins/jwt-authentication-for-wp-rest-api/
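The middle option above (site B generates a key, stores it, hands it to site A, and the key only stays valid for a while) as an added example; this is not code from the thread or from the JWT plugin. The routes `example/v1/key` and `example/v1/submit`, the `X-Issuer-Secret` header, the 300-second lifetime and the `EXAMPLE_ISSUER_SECRET` constant are assumptions. The weak point Alan names is the issuing endpoint: whoever can call it gets a key, so here it is gated by a long-lived secret that only travels server-to-server, while the short-lived key is what site A is allowed to show on a page.

```php
<?php
/**
 * Added example (not from the thread): a short-lived, single-use key issued
 * by site B and presented by site A with its POST. Route names, header,
 * TTL and the constant are assumptions. Define in wp-config.php:
 *   define( 'EXAMPLE_ISSUER_SECRET', '<long random string>' );
 */

const EXAMPLE_KEY_TTL = 300; // seconds a key stays valid (assumed value)

add_action( 'rest_api_init', function () {
    // Site A calls this first to obtain a key...
    register_rest_route( 'example/v1', '/key', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_issue_key',
        'permission_callback' => 'example_can_issue_key',
    ) );
    // ...then POSTs its data here with the key in the body.
    register_rest_route( 'example/v1', '/submit', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_handle_submit',
        'permission_callback' => 'example_check_key',
        'args'                => array(
            'key'     => array( 'required' => true, 'type' => 'string' ),
            'message' => array( 'required' => true, 'type' => 'string',
                                'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

// Without this gate anyone could mint keys, which is Alan's objection.
function example_can_issue_key( WP_REST_Request $request ) {
    $presented = (string) $request->get_header( 'x-issuer-secret' );
    if ( ! defined( 'EXAMPLE_ISSUER_SECRET' ) || $presented === ''
         || ! hash_equals( EXAMPLE_ISSUER_SECRET, $presented ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to issue keys.', array( 'status' => 401 ) );
    }
    return true;
}

// Only a hash of the key is stored on site B, as the transient name.
function example_key_transient_name( $key ) {
    return 'example_key_' . hash( 'sha256', $key );
}

function example_issue_key( WP_REST_Request $request ) {
    $key     = bin2hex( random_bytes( 32 ) ); // 256 bits from a CSPRNG
    $expires = time() + EXAMPLE_KEY_TTL;
    set_transient( example_key_transient_name( $key ), $expires, EXAMPLE_KEY_TTL );
    return rest_ensure_response( array( 'key' => $key, 'expires' => $expires ) );
}

function example_check_key( WP_REST_Request $request ) {
    $key = (string) $request->get_param( 'key' );
    if ( ! preg_match( '/^[0-9a-f]{64}$/', $key ) ) {
        return new WP_Error( 'rest_forbidden', 'Malformed key.', array( 'status' => 401 ) );
    }
    $name    = example_key_transient_name( $key );
    $expires = get_transient( $name );
    // get_transient() returns false after the TTL, but check the stored
    // timestamp too in case an object cache does not honour expirations.
    if ( false === $expires || (int) $expires < time() ) {
        return new WP_Error( 'rest_forbidden', 'Key expired or unknown.', array( 'status' => 401 ) );
    }
    delete_transient( $name ); // single use: a replayed key is rejected
    return true;
}

function example_handle_submit( WP_REST_Request $request ) {
    update_option( 'example_last_message', $request->get_param( 'message' ) );
    return rest_ensure_response( array( 'stored' => true ) );
}

/*
 * Site A, two calls (site-b.example is a placeholder). The key may be shown
 * on a page; the issuer secret must not be, because it never expires.
 *
 *   KEY=$(curl -sS -X POST https://site-b.example/wp-json/example/v1/key \
 *         -H "X-Issuer-Secret: $SECRET" | php -r 'echo json_decode(stream_get_contents(STDIN))->key;')
 *   curl -sS -X POST https://site-b.example/wp-json/example/v1/submit \
 *        -H 'Content-Type: application/json' \
 *        -d "{\"key\":\"$KEY\",\"message\":\"hello from site A\"}"
 */
```

This stays within what the thread proposes: randomness and a validity period on top of a shared password. It is still not a substitute for the signed-token approach, because site B has no way to tell which caller is presenting a key beyond possession of it.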

  • The topic ‘How to add nonce in Rest API POST method from non WP website?’ is closed to new replies.