Support » Plugin: WP REST Cache » Support for WordPress REST API Authentication

  • Resolved divv

    (@divv)


    Hi, great plugin!

    My only issue is that authentication does not work for cached pages/posts. I’m using WP REST API Authentication plugin (https://wordpress.org/plugins/wp-rest-api-authentication/). Basically, if a page/post is NOT cached authorization works fine, if the page/post IS cached it gets delivered even though no authorization header is set.

    I understand that this is somewhat out of your control but it would be so nice if these two plugins could work together. I guess that the mechanism which verifies the Bearer token has to be added to the function which retrieves the cached pages/posts just as it does on a “normal request”.

    As of now one has to choose one or the other of these plugins, fast retrieval or secure retrieval of data 😀

    Or is there any other solution?

    (I will post this on WordPress REST API Authentication support as well)

    Kind regards
    David

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Richard Korthuis

    (@rockfire)

    Hi @divv

    Thank you for using our plugin and sorry for the late response. It took some time to dig into this.

    For now I have a quick-fix for you, while we add this to our to-do list to see how we can better support this kind of authentication. The quick-fix involves you editing the mu-plugin that was installed by the WP REST Cache plugin, so I hope you are comfortable doing that?

    Go to /wp-content/mu-plugins/wp-rest-cache.php and add the following lines directly after line 24 (so after the line if ( is_plugin_active( 'wp-rest-cache/wp-rest-cache.php' ) ) { ):

    	if ( is_plugin_active( 'wp-rest-api-authentication/miniorange-api-authentication.php' ) ) {
    		include_once ABSPATH . '/wp-settings.php';
    		wp_cookie_constants();
    		include_once ABSPATH . WPINC . '/pluggable.php';
    		include_once WP_PLUGIN_DIR . '/wp-rest-api-authentication/admin/class-miniorange-api-authentication-admin.php';
    		$mo = new \Miniorange_API_Authentication_Admin( 'miniorange-api-authentication', '1.0.0' );
    
    		$mo->mo_api_auth_initialize_api_flow();
    	}

    Please let us know if it works for you!
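Added example, not part of the thread and not code from either plugin: a minimal Python model of the ordering problem reported above, where a cache that answers before the Bearer check runs serves a warmed entry to a request with no Authorization header, next to the same cache with the check placed in front. The token, path, and all class and function names are constructed for illustration.

```python
import hmac

# Constructed sample values; not taken from the thread or from either plugin.
VALID_TOKEN = "constructed-sample-token"
POSTS = {"/wp-json/wp/v2/posts/1": '{"id": 1, "title": "Members only"}'}
DENIED = (401, '{"code": "unauthorized"}')


def authorized(headers):
    """True only for 'Authorization: Bearer <VALID_TOKEN>' (constant-time compare)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token.encode(), VALID_TOKEN.encode())


def origin(path, headers):
    """The uncached request path: the token is verified before content is built."""
    if not authorized(headers):
        return DENIED
    return (200, POSTS[path]) if path in POSTS else (404, "{}")


class CacheFirst:
    """Cache lookup runs before any authentication code, as in the report."""

    def __init__(self):
        self.store = {}

    def handle(self, path, headers):
        if path in self.store:  # hit: the token check is never reached
            return 200, self.store[path]
        status, body = origin(path, headers)
        if status == 200:  # only successful responses are cached
            self.store[path] = body
        return status, body


class AuthFirst(CacheFirst):
    """Same cache, with the token check gating hits as well as misses."""

    def handle(self, path, headers):
        if not authorized(headers):
            return DENIED
        return super().handle(path, headers)


def probe(handler, path="/wp-json/wp/v2/posts/1"):
    """Statuses for: anonymous (cold), authenticated (warms cache), anonymous (warm)."""
    auth = {"Authorization": "Bearer " + VALID_TOKEN}
    return [handler.handle(path, h)[0] for h in ({}, auth, {})]
```

The three-request sequence in `probe` (anonymous, authenticated, anonymous again) is the order a regression check needs, because the failure only appears once an authenticated request has warmed the cache.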

    Plugin Author Richard Korthuis

    (@rockfire)

    N.B. I also did see the solution posted by miniOrange in this topic you opened for their plugin. Although it might solve the problem of showing the endpoints unauthenticated, it also disables caching for those endpoints.

    divv

    (@divv)

    My development halted here so I eventually reached for another solution regarding authentication, so I will still be using your plugin!

    Since I’m using another API on my backend I decided to proxy all requests to WP through that other API which itself has JWT authentication.

    Then I just block any incoming requests from outside to /wp-json. My other API can reach this location through Basic auth which is safe enough since the calls are all done internally.

    This is how I did it for Apache, if someone else is interested. Not the best solution but it will do for now.

    <Location "/wp-json">
        AuthType Basic
        AuthName "Restricted Access"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    Oh, forgot to mention that you will need this as well

    https://github.com/WP-API/Basic-Auth

    Plugin Author Richard Korthuis

    (@rockfire)

    Hi @divv

    Thank you for your feedback, this might help other people searching through this topic 🙂
