WordPress and JWT with custom API Rest Endpoint

Question

I need to provide a plugin for WordPress that will have few custom API endpoints, and I have installed these two plugins

• WordPress REST API V2
• JWT-Auth

I have created custom endpoint:

add_action('rest_api_init', function ($data) {
    register_rest_route('mladi-info/v1', '/user/favorites', [
        'methods' => 'GET',
        'callback' => 'mi_get_favorite_posts'
    ]);
});

I need to protect this endpoint so that only those requests that has JWT token sent (generated with /wp-json/jwt-auth/v1/token endpoint sending username and password) can be processed, otherwise it should return 401 status codes. How do I do that?

Answer 1

You should add permission_callback parameter when registering a new route.

    add_action('rest_api_init', function ($data) {
        register_rest_route('mladi-info/v1', '/user/favorites', 
            array(
                'methods' => 'GET',
                'callback' => 'mi_get_favorite_posts',
                'permission_callback' => function ($request) {
                        if (current_user_can('edit_others_posts'))
                        return true;
                 }
             )
        );
    });

JWT Auth plugin will supply user object to permission_callback function, based on the token value from the header, and all you need to do is to work out some "permission logic" inside that function, which will return a bool value.

In the solution that I posted, callback allows access to REST endpoint only if the user that accessed it, has 'edit_others_posts' capability - which is the case for administrators and editors.