Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Yep, you can do with a filter like this:

    // Runs before any route is dispatched; returning a WP_Error makes the server send it instead.
    add_filter( 'rest_pre_dispatch', function( $result ){
    	if ( is_user_logged_in() ) {
    		return $result; // unchanged: let the request proceed to the route handler
    	} else {
    		return new WP_Error( 'rest_requires_authentication', __( 'Using REST requires authentication.' ), array( 'status' => 403 ) );
    	}
    });
    Thread Starter MarioFromBelgium

    (@mariofrombelgium)

    Hi Daniel,

    Thx for the quick support!

    I’m going through the documentation to find out how and where the filter-script needs to be.
    Can you tell me where it needs to go or maybe direct me to the documentation that handles this sort of action.

    Thx!
    Mario

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    I’m going through the documentation to find out how and where the filter-script needs to be.

    You’ll want to put it in your theme’s functions.php or similar.

    Can you tell me where it needs to go or maybe direct me to the documentation that handles this sort of action.

    Documentation is work in progress.

    The filter prevents access to:
    domain.tld/wp-json/posts/

    But if I try putting post ids behind the url I still can get to the posts, e.g.:
    domain.tld/wp-json/posts/78/

    If the number doesn’t show an article it will even tell you. So you can keep trying numbers until you get the full posts.

    Also the main API Interface is still showing under:
    domain.tld/wp-json/

    The problem is that the posts show the full username. I hide the real usernames everywhere, also in RSS, to prevent brute force attacks. I would prefer to show the API only for authenticated users, but as a first step I would really like to hide the username.

    Thread Starter MarioFromBelgium

    (@mariofrombelgium)

    Hi Devcri,

    Do you mean that when you go to domain.tld/wp-json/posts/
    you see an error message or other?

    Is the filter from Daniel correct or did you change something?

    I had given up on this because I have had no success at all on all three WP-applications I have running (All the same template!)
    I tried to figure it out but I don’t see the problem.

    Grts,
    Mario

    Thread Starter MarioFromBelgium

    (@mariofrombelgium)

    Hi,

    As mentioned already I can’t get it to work that ALL GET calls are only allowed for authenticated users.

    I know this is my fault… I must be overlooking something!

    Having said that, I can’t understand why such an option is not available as standard, certainly when WP-REST-API becomes part of the core. That would mean that at the “next” update of WP all WP-applications with protected data will become open to the public.

    I just can’t understand why spend time on authentication security when it seems that a fool like me can’t get his data protected from non-authenticated visitors.

    To me it seems that this is so basic that it should be dummy(that’s me) proof!

    Grts,
    Mario

    @mariofrombelgium:
    The filter from Daniel worked as described, when I wrote my reply here. But now it doesn’t have any effect anymore. I now get the posts when trying: domain.tld/wp-json/posts/

    I also would like to protect the whole API as I just want to access it from an App. Exposing usernames seems like a bad idea to me.

    Thread Starter MarioFromBelgium

    (@mariofrombelgium)

    Hi Devcri,

    Not sure how I should feel. On one side I was happy that it doesn’t work for you either. I was starting to doubt myself because I can’t get it to work.

    On the other side this shows there must be something wrong with what should be a basic functionality!

    I’m hoping for Daniel Bachhuber to come back with some comments and if possible a durable solution.

    In any case I have activated “disable-Json” plugin on my live server just in case the next update of the core installs WP-REST_API.

    Regards,
    Mario

    I think the filter name has changed: rest_pre_dispatch -> json_pre_dispatch
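
An added example (not code from this thread, from Daniel, or from the WP-API plugin) that hooks both filter names mentioned above so one mu-plugin covers WP-API v1 (json_pre_dispatch) and v2 / core (rest_pre_dispatch); the function name mfb_require_rest_login and the file location are my own choices.

```php
<?php
/**
 * Plugin Name: Require login for the REST API (added example)
 *
 * Place this file in wp-content/mu-plugins/ so it loads regardless of the
 * active theme. It denies every REST request, including the index at
 * /wp-json/ and single items such as /wp-json/posts/78/, unless the request
 * carries an authenticated user.
 */

/**
 * Short-circuit dispatch for anonymous visitors.
 *
 * The server passes null as $result before dispatching; returning null lets
 * the request proceed, returning a WP_Error makes the server send that error
 * instead of calling the route handler.
 */
function mfb_require_rest_login( $result ) {
	// Another filter already produced a response or error: leave it alone.
	if ( null !== $result ) {
		return $result;
	}

	if ( is_user_logged_in() ) {
		return null;
	}

	// 401 tells API clients they must authenticate; 403 would mean
	// "known user, but not allowed".
	return new WP_Error(
		'rest_requires_authentication',
		__( 'Using REST requires authentication.' ),
		array( 'status' => 401 )
	);
}

add_filter( 'rest_pre_dispatch', 'mfb_require_rest_login' ); // WP-API v2 and core
add_filter( 'json_pre_dispatch', 'mfb_require_rest_login' ); // WP-API v1 name
```

With core cookie authentication, a logged-in browser session that sends no REST nonce is treated as anonymous before this filter runs, so typing /wp-json/ into the address bar shows the 401 even while logged in; API clients must send the nonce or use another authentication method.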

    Thread Starter MarioFromBelgium

    (@mariofrombelgium)

    Hi TheTyro,

    Thx for your support! However it doesn’t seem to work in my case.
    Does it work for you?

    I have added one line to the core (NOT DONE I KNOW) of the api. Until the next update I’m safe.

    I’m still blown away that such a fundamental functionality seems to be an (unsolvable) issue! (You could start wondering why!)

    Don’t hesitate to post any other brilliant idea. Much appreciated!!

    Regards,
    Mario

    Thread Starter MarioFromBelgium

    (@mariofrombelgium)

    Hi,

    Just installed version 2 of Rest Api.
    Seems to work fine… except I still don’t find an easy way to prevent data-transfer without authentication.

    I really really need help on this!

    Regards,
    Mario

    same here

    acasanova

    (@acasanova)

    Any solution?
    I think like MarioFromBelgium and I haven’t found any solution.

    Thread Starter MarioFromBelgium

    (@mariofrombelgium)

    Hi,

    Although I haven’t tested this 100% through, I have the impression this works like a charm. https://gist.github.com/danielbachhuber/8f92af4c6a8db784771c

    Success!
    Mario

  • The topic ‘Force authentication for GET posts (and others) commands’ is closed to new replies.