10up / restricted-site-access

Limit access to visitors who are logged in or allowed by IP addresses. Includes many options for handling blocked visitors.
http://10up.com/plugins/restricted-site-access-wordpress/
GNU General Public License v2.0

With Restricted Site Access active, the GraphQL api is not available. #304

Closed stefa98 closed 2 weeks ago

stefa98 commented 6 months ago

Describe the bug

With Restricted Site Access active, the GraphQL API is not available. I ask, if possible, to include compatibility with WPGraphQL and not to block access to said API.

Steps to Reproduce

1. Install WPGraphQL
2. Install Restricted Site Access
3. Use GraphQL

Screenshots, screen recording, code snippet

No response

Environment information

No response

WordPress information

No response


jeffpaul commented 6 months ago

@stefa98 for authorized/authenticated uses through Restricted Site Access, are they blocked from WPGraphQL functionality?

stefa98 commented 6 months ago

@jeffpaul I haven't tested, but public access to the WPGraphQL endpoint is blocked with the plugin active.

stefa98 commented 4 months ago

??

Sidsector9 commented 1 month ago

@stefa98 is it possible for you to pass custom HTTP headers with the GraphQL request?

If yes, then you can pass a header with your request like:

X-RSA-GRAPHQL-HEADER with some secret value such as some_secret_value.

An example request with cURL:

curl --location 'http://osp.mylocal/graphql' \
--header 'X-RSA-GRAPHQL-HEADER: some_secret_value' \
--form 'query="{
    generalSettings {
        url
        title
    }
}
"'

Then on the server side, you can use the following filter to allow access for GraphQL requests:

add_filter( 'restricted_site_access_is_restricted', function ( $is_restricted ) {
    // Custom trusted headers; array key should be the header name and value should be the header value.
    $allowed_custom_trusted_headers = array(
        'HTTP_X_RSA_GRAPHQL_HEADER' => 'some_secret_value' // Replace header and value with your custom details.
    );

    // Ensure trusted headers exist in request.
    if ( ! array_intersect_key( $_SERVER, $allowed_custom_trusted_headers ) ) {
        return $is_restricted;
    }

    // Ensure all the trusted headers have the correct value.
    foreach ( $allowed_custom_trusted_headers as $header => $value ) {
        if ( ! isset( $_SERVER[ $header ] ) || ! hash_equals( $value, (string) $_SERVER[ $header ] ) ) { // phpcs:ignore

            // Return true to apply ip restriction.
            return true;
        }
    }

    // Return false to bypass ip restriction.
    return false;
} );
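
A variant of the filter above, as an added example that is not part of the original comment or the plugin's own code: it honours the header only on the GraphQL endpoint path (the filter as posted applies to any URL), reads the secret from a constant instead of the source file, and compares it in constant time. The constant RSA_GRAPHQL_SECRET, the helper name rsa_example_allow_graphql() and a root-level /graphql path (taken from the cURL request) are assumptions.

```php
<?php
// Added example. RSA_GRAPHQL_SECRET and rsa_example_allow_graphql() are hypothetical names.

/**
 * True only when the request targets the GraphQL endpoint AND carries the shared secret.
 *
 * @param array  $server   Request data in $_SERVER layout.
 * @param string $secret   Expected header value.
 * @param string $endpoint Endpoint path (assumed: site installed at the domain root).
 */
function rsa_example_allow_graphql( array $server, string $secret, string $endpoint = '/graphql' ): bool {
	// An unset or empty secret must never match anything.
	if ( '' === $secret ) {
		return false;
	}

	// Scope the bypass to the endpoint path; the header has no effect on other URLs.
	$path = parse_url( (string) ( $server['REQUEST_URI'] ?? '' ), PHP_URL_PATH );
	if ( ! is_string( $path ) || rtrim( $path, '/' ) !== $endpoint ) {
		return false;
	}

	// A missing header is a normal request, not an error.
	$sent = $server['HTTP_X_RSA_GRAPHQL_HEADER'] ?? null;
	if ( ! is_string( $sent ) ) {
		return false;
	}

	// hash_equals() compares in constant time, unlike !==.
	return hash_equals( $secret, $sent );
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: lift the restriction for matching requests, otherwise keep the plugin's decision.
	add_filter( 'restricted_site_access_is_restricted', function ( $is_restricted ) {
		$secret = defined( 'RSA_GRAPHQL_SECRET' ) ? (string) constant( 'RSA_GRAPHQL_SECRET' ) : '';
		return rsa_example_allow_graphql( $_SERVER, $secret ) ? false : $is_restricted;
	} );
} else {
	// Outside WordPress: constructed requests, one per outcome (match, wrong value, wrong path).
	$good  = array( 'REQUEST_URI' => '/graphql?x=1', 'HTTP_X_RSA_GRAPHQL_HEADER' => 'constructed-secret' );
	$bad   = array( 'REQUEST_URI' => '/graphql', 'HTTP_X_RSA_GRAPHQL_HEADER' => 'wrong' );
	$other = array( 'REQUEST_URI' => '/wp-admin/', 'HTTP_X_RSA_GRAPHQL_HEADER' => 'constructed-secret' );
	foreach ( array( $good, $bad, $other ) as $request ) {
		var_dump( rsa_example_allow_graphql( $request, 'constructed-secret' ) );
	}
}
```

Unlike the posted filter, a wrong header value here leaves the plugin's own decision unchanged instead of forcing the restriction on.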

Sidsector9 commented 2 weeks ago

We're closing this issue since we haven't heard from you in a while. Feel free to reopen if needed.