
I have defined the following custom endpoint for WooCommerce:

add_action( 'rest_api_init', 'custom_endpoint' );

function custom_endpoint() {
    register_rest_route( 'wc/v3', 'my_custom_endpoint', array(
        'methods' => 'GET',
        'callback' => 'return_value',
    ) );
}

function return_value() {
    return "this is my custom endpoint!";
}

However, this endpoint is also accessible if I’m not authenticated using the ck and cs.

How can I protect it the same way all other, default endpoints of the WooCommerce API are protected? (I would prefer not needing another auth plugin for this to work, but to access it with the standard WooCommerce auth keys instead).

Thanks!

2 Answers


  1. Hello, use permission_callback with the JWT Authentication for WP REST API plugin, so it will work fine.

    Steps:

    1) Install the JWT Authentication for WP REST API plugin
    2) Set permission_callback

    The code below will work well after installing the JWT Authentication for WP REST API plugin:

    add_action('rest_api_init', 'custom_endpoint');
    function custom_endpoint(){
      register_rest_route('wc/v3', 'my_custom_endpoint', array(
        'methods' => 'GET',
        'callback' => 'return_value',
        'permission_callback' => function($request){      
          return is_user_logged_in();
        }
      ));
    }
    
    function return_value(){
        return "this is my custom endpoint!";
    }
    

    For more information, please check the JWT Authentication for WP REST API documentation.

    Checked and works well.

  2. Cookie authentication is the standard authentication method included with WordPress. When you log in to your dashboard, this sets up the cookies correctly for you, so plugin and theme developers need only to have a logged-in user.

    As an example, this is how the built-in JavaScript client creates the nonce:

    <?php
    wp_localize_script( 'wp-api', 'wpApiSettings', array(
        'root' => esc_url_raw( rest_url() ),
        'nonce' => wp_create_nonce( 'wp_rest' )
    ) );
    

    This is then used in the base model:

    options.beforeSend = function(xhr) {
        xhr.setRequestHeader('X-WP-Nonce', wpApiSettings.nonce);
    
        if (beforeSend) {
            return beforeSend.apply(this, arguments);
        }
    };
    

    Here is an example of editing the title of a post, using jQuery AJAX:

    $.ajax( {
        url: wpApiSettings.root + 'wp/v2/posts/1',
        method: 'POST',
        beforeSend: function ( xhr ) {
            xhr.setRequestHeader( 'X-WP-Nonce', wpApiSettings.nonce );
        },
        data:{
            'title' : 'Hello Moon'
        }
    } ).done( function ( response ) {
        console.log( response );
    } );
    

    Note that you do not need to verify that the nonce is valid inside your custom endpoint. This is automatically done for you in rest_cookie_check_errors().

    WooCommerce API

    https://woocommerce.github.io/woocommerce-rest-api-docs/?php#authentication-over-https

    While cookie authentication is the only authentication mechanism
    available natively within WordPress, plugins may be added to support
    alternative modes of authentication that will work from remote
    applications.

    As per the official documentation: https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/#authentication-plugins

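The following is an added example, not code from the question or from either answer: the question's route registered with a `permission_callback` that checks a capability rather than only whether some user is logged in, so a low-privilege account is rejected as well as an anonymous caller. It assumes WooCommerce is active and that its REST authentication resolves the consumer key and secret to a WordPress user for routes under the `wc/` namespace; `custom_endpoint_permissions` and the `my-plugin` text domain are hypothetical names, and `manage_woocommerce` is chosen here as the required capability.

```php
<?php
// Added example. Assumption: WooCommerce's REST authentication has already
// mapped the ck/cs pair to a WordPress user before this callback runs.

add_action( 'rest_api_init', 'custom_endpoint' );

function custom_endpoint() {
    register_rest_route( 'wc/v3', '/my_custom_endpoint', array(
        'methods'             => WP_REST_Server::READABLE, // GET only
        'callback'            => 'return_value',
        // Without a permission_callback the route is public.
        'permission_callback' => 'custom_endpoint_permissions', // hypothetical name
    ) );
}

/**
 * Allow the request only when the authenticated user (cookie + nonce, or the
 * user behind the WooCommerce API key) holds the required capability.
 */
function custom_endpoint_permissions( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'custom_endpoint_forbidden',
            __( 'Sorry, you are not allowed to access this resource.', 'my-plugin' ),
            // 401 when no user is authenticated, 403 when the user lacks the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function return_value( WP_REST_Request $request ) {
    return rest_ensure_response( 'this is my custom endpoint!' );
}
```

A request to the route without credentials should now receive a 401 error response instead of the string.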