WP-API / jwt-auth

Enable JSON Web Token authentication for the WordPress REST API.
GNU General Public License v2.0

Allow GET requests to use tokens, if provided #5

Closed jkmassel closed 5 years ago

jkmassel commented 5 years ago

Some GET requests need to use tokens. Consider the following request:

GET /wp-json/wp/v2/posts?post_status=draft

Before: It'll return an error saying Invalid parameter(s): status

After: It'll correctly return any draft posts

This PR addresses this by treating the presence of a valid Bearer token as an indication that the request should proceed as a logged-in user. If an invalid Bearer token is passed, the request proceeds as if it weren't present. This may be incorrect behaviour – we may wish to always treat the presence of a token, valid or not, as an indication that it's required.

ocean90 commented 5 years ago

I think a token should be always verified if provided. If the token is invalid the API should bail no matter what the request method was. An example would be a request for GET /wp-json/wp/v2/users/me.

jkmassel commented 5 years ago

Sounds good – I'll update this PR to reflect that behaviour.

jkmassel commented 5 years ago

@ocean90 – this has been updated per your suggestion.
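
The policy the thread settles on (no token: anonymous; valid token: logged-in user; token present but invalid: reject, whatever the request method), as an added example that is not code from this PR or from the jwt-auth plugin. It assumes HS256 tokens, a constructed secret, and that the user ID travels in the `sub` claim; `authenticate`, `demo_sign`, `deny` and the base64url helpers are hypothetical names.

```php
<?php
// Added illustration, not the plugin's code. HS256 only; all names are hypothetical.
const DEMO_SECRET = 'constructed-demo-secret'; // constructed value

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $s) {
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    return base64_decode(strtr($s, '-_', '+/'), true); // false on bad input
}
function demo_sign(array $claims): string {
    $head = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url_encode(json_encode($claims));
    $sig  = b64url_encode(hash_hmac('sha256', "$head.$body", DEMO_SECRET, true));
    return "$head.$body.$sig";
}
function deny(): array {
    return ['status' => 401, 'user' => null];
}

// The HTTP method is deliberately not an input: the outcome depends only on
// whether a token was sent and whether it verifies.
function authenticate(?string $auth_header, int $now): array {
    // No Bearer token at all: continue as an anonymous visitor.
    if ($auth_header === null || !preg_match('/^Bearer\b\s*(.*)$/i', $auth_header, $m)) {
        return ['status' => 200, 'user' => null];
    }
    // From here on a token was presented, so any failure is a hard error,
    // never a silent downgrade to anonymous.
    $parts = explode('.', $m[1]);
    if (count($parts) !== 3) return deny();
    [$head, $body, $sig] = $parts;
    $header = json_decode((string) b64url_decode($head), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') return deny();
    $expected = b64url_encode(hash_hmac('sha256', "$head.$body", DEMO_SECRET, true));
    if (!hash_equals($expected, $sig)) return deny(); // constant-time compare
    $claims = json_decode((string) b64url_decode($body), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'])) return deny();
    if ((int) $claims['exp'] <= $now) return deny();  // expired
    return ['status' => 200, 'user' => (int) $claims['sub']];
}

$now   = 1700000000; // constructed clock value
$cases = ['none' => null, 'garbage' => 'Bearer abc',
          'valid'   => 'Bearer ' . demo_sign(['sub' => 7, 'exp' => $now + 60]),
          'expired' => 'Bearer ' . demo_sign(['sub' => 7, 'exp' => $now - 60])];
foreach ($cases as $label => $h) {
    $r = authenticate($h, $now);
    printf("%-8s -> %d user=%s\n", $label, $r['status'], var_export($r['user'], true));
}
```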