I need to provide a plugin for WordPress that will have a few custom API endpoints, and I have installed these two plugins
I have created a custom endpoint:
    add_action('rest_api_init', function ($data) {
        register_rest_route('mladi-info/v1', '/user/favorites', [
            'methods' => 'GET',
            'callback' => 'mi_get_favorite_posts'
        ]);
    });
I need to protect this endpoint so that only those requests that have a JWT token sent (generated with the /wp-json/jwt-auth/v1/token endpoint by sending username and password) can be processed; otherwise it should return a 401 status code. How do I do that?
You should add the permission_callback parameter when registering a new route.
    add_action('rest_api_init', function ($data) {
        register_rest_route('mladi-info/v1', '/user/favorites',
            array(
                'methods' => 'GET',
                'callback' => 'mi_get_favorite_posts',
                // Always return an explicit bool: true allows the request, false rejects it.
                'permission_callback' => function ($request) {
                    return current_user_can('edit_others_posts');
                }
            )
        );
    });
The JWT Auth plugin will supply the user object to the permission_callback function, based on the token value from the header, and all you need to do is to work out some "permission logic" inside that function, which will return a bool value.
In the solution that I posted, the callback allows access to the REST endpoint only if the user that accessed it has the 'edit_others_posts' capability, which is the case for administrators and editors.
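An alternative registration of the same route for the case where any authenticated user, not only editors, may read their own favorites. This is an added example, not code from the question or the answer; it assumes, as the answer states, that the JWT plugin sets the current user from the token, and the `mi_example_*` function names and the `mi_favorite_posts` user-meta key are hypothetical.

```php
<?php
// Added example. Hypothetical names: mi_example_require_login,
// mi_example_get_favorites, and the user-meta key 'mi_favorite_posts'.

add_action('rest_api_init', function () {
    register_rest_route('mladi-info/v1', '/user/favorites', array(
        'methods'             => 'GET',
        'callback'            => 'mi_example_get_favorites',
        'permission_callback' => 'mi_example_require_login',
    ));
});

/**
 * Permission check. Returning a WP_Error lets us choose the status code:
 * 401 when no valid token identified a user, 403 when the user is known
 * but lacks the capability.
 */
function mi_example_require_login(WP_REST_Request $request) {
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            'A valid JWT is required for this endpoint.',
            array('status' => 401)
        );
    }
    if (!current_user_can('read')) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read favorites.',
            array('status' => 403)
        );
    }
    return true;
}

/**
 * Endpoint callback. The user ID comes from the authenticated context,
 * never from a request parameter, so one user cannot read another's list.
 */
function mi_example_get_favorites(WP_REST_Request $request) {
    $user_id = get_current_user_id();
    $stored  = get_user_meta($user_id, 'mi_favorite_posts', true);
    // Meta may be empty or malformed; normalise to a list of positive integers.
    $ids = is_array($stored) ? array_values(array_filter(array_map('absint', $stored))) : array();

    return rest_ensure_response(array('user' => $user_id, 'favorites' => $ids));
}
```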