How we can verify "Cancel the header auth" the "endpoint" functions of WordPress with an API key that we produce. (Note: not a different endpoint, original endpoints)

I have my own "Crypto" class/function. In the request, I need to send an encrypted key, "decrypt" the "encrypted key" from "wp-function" and so on, and allow the request.

I need to be able to do all of this on wordpress own endpoint libraries.

A simple example of my query structure:

$.ajax({
  type: "POST",
  url: "http://localhost/workspace/wordpress/wp-json/wp/v2/posts?request=<?php echo $encrypted; ?>",
  dataType: "json"
});

PHP

<?php echo $encrypted; ?>
<?php // "z0/8Q6cuMWBlZGzfTwOVi9HwCpKThN9Ju/o/MywK74vimB467vjGfKqoDVQdyKIdmXCxxE=" ?>

functions.php or e.g. php page: After Decrypt

<?php echo $decrypted; ?>
<?php // "Secret Password" ?>
<?php // I will verify my key, and to let

How we can verify "Cancel the header auth" the "endpoint" functions of WordPress with an API key that we produce. (Note: not a different endpoint, original endpoints)

I have my own "Crypto" class/function. In the request, I need to send an encrypted key, "decrypt" the "encrypted key" from "wp-function" and so on, and allow the request.

I need to be able to do all of this on wordpress own endpoint libraries.

A simple example of my query structure:

$.ajax({
  type: "POST",
  url: "http://localhost/workspace/wordpress/wp-json/wp/v2/posts?request=<?php echo $encrypted; ?>",
  dataType: "json"
});

PHP

<?php echo $encrypted; ?>
<?php // "z0/8Q6cuMWBlZGzfTwOVi9HwCpKThN9Ju/o/MywK74vimB467vjGfKqoDVQdyKIdmXCxxE=" ?>

functions.php or e.g. php page: After Decrypt

<?php echo $decrypted; ?>
<?php // "Secret Password" ?>
<?php // I will verify my key, and to let

• rest-api
• json
• authentication
• wp-api

Share Improve this question edited Jun 9, 2019 at 3:12 shea 5,66244 gold badges3939 silver badges6262 bronze badges asked May 31, 2019 at 7:50 BilwoBilwo 7511 silver badge44 bronze badges

Add a comment  | 

2 Answers 2

Sorted by: Reset to default 5

function checkApiAuth( $result ){

    $yourEncryptAPIKey = $_GET['request'];

    if( yourDecryptFn( $yourEncryptAPIKey ) === $realKey ):
        $result = true;

    else:
        $result = false;

    endif;

    return $result;           
}
add_filter('rest_authentication_errors', 'checkApiAuth');

Sounds like you can use the rest_authentication_errors filter:

This is used to pass a WP_Error from an authentication method back to the API.

[...] If the authentication method hooked in is not actually being attempted, null should be returned [...]. Similarly, callbacks should ensure the value is null before checking for errors.

A WP_Error instance can be returned if an error occurs [...]. A callback can return true to indicate that the authentication method was used, and it succeeded.

For a code example, you can look how WP implemented their custom check for the X-WP-Nonce header in wp-includes/rest-api.php starting at line 807.

(The function rest_cookie_check_errors is added to the rest_authentication_errors filter with priority 100.)