Open nylen opened 7 years ago
I'm currently working on correcting this. However, I'm not sure what other way to authenticate via jQuery is possible.
WooCommerce does it differently with Consumer Key and Consumer Secret. Does WordPress do the same?
Have a read through https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/ and let us know if there is anything else you think should be included there.
Passing an `Authorization` header of the user's choosing will allow authentication with several other methods. For example:

https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/

```
Authorization: Bearer mF_s9.B5f-4.1JqM
```

https://wordpress.org/plugins/oauth2-provider/ (no example given, but similar concept)
Thank you for sharing. I will look into all of that.
Here are a few concepts on how to identify the different types of authentication that I have in mind.
Token keys shown are not real. They are just placed there to give you an idea on what needs to go there.
```js
var new_post = restjQuery({
    authorization: {
        authorized_method: "basic",
        username: "user01",
        password: "demo02"
    },
    nonce: "853339a701",
    endpoint: "posts",
    formMethod: "POST",
    postData: data
});
```
```js
var new_post = restjQuery({
    authorization: {
        authorized_method: "wpoauth2.0",
        token: {
            access_token: "12345"
        }
    },
    endpoint: "posts",
    formMethod: "POST",
    postData: data
});
```
A good example for using this is for WooCommerce.

```js
var new_product = restjQuery({
    authorization: {
        authorized_method: "consumer",
        token: {
            consumerKey: "12345",
            consumerSecret: "335723"
        }
    },
    nonce: "853339a701",
    endpoint: "products",
    formMethod: "POST",
    postData: data
});
```
The use of authentication would be for backend applications. If you would like to give this issue a shot for Hacktoberfest then please do.
I have provided examples above for different methods of authentication including links to various authentication plugins for the REST API.
When pushing your request please give clear instructions on what is needed in order for the authentication to work for the method you have supported so that it can be explained in the documentation.
Thank you and happy hacking.
It's not clear from the documentation or the parameter name what this is. It should be called `nonce`, with a link to the WP documentation page on nonces, and it should be documented why you would need to pass it, and what value it should have (it's only needed for clients that exist within `wp-admin` and are not using some other authentication method).

Contrary to the documentation, these parameters (and the nonce as well) are always sent, regardless of whether they are specified or not. I would expect this to cause errors with e.g. the Application Passwords plugin - these headers should only be sent if values are specified.
Also, the API supports lots of other authentication methods than basic auth username/password, and we don't really recommend basic auth as it's pretty insecure in several ways (sent unencrypted over HTTP; may send actual user passwords depending on implementation). You might want to consider allowing the client to set the `Authorization` header directly, for this reason.

Note that authentication gets complicated quickly: specifying a custom header still isn't enough to allow authenticating via OAuth1, which requires request signing.
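To make the points in this thread concrete (send `X-WP-Nonce` and `Authorization` only when values were actually given, support a caller-supplied `Authorization` header, and refuse OAuth1 since a header alone cannot carry a request signature), here is a header-building helper written as an added example. It is not the restjQuery plugin's code; the option names (`authorization`, `authorized_method`, `token`, `nonce`) follow the examples above, while the `"bearer"` and `"header"` method names, the mapping of `"wpoauth2.0"` to a Bearer token, and the mapping of `"consumer"` to WooCommerce's HTTPS Basic-auth form are assumptions made for illustration.

```javascript
// Base64 for ASCII credentials; browsers have btoa, Node has Buffer.
function base64(s) {
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s, "utf8").toString("base64");
}

// Build HTTP headers for a WP REST API request from restjQuery-style options.
// Added example: option names follow the issue, method names are assumptions.
function buildAuthHeaders(opts) {
  var headers = {};
  var auth = (opts && opts.authorization) || {};
  var token = auth.token || {};

  // Cookie-authenticated clients inside wp-admin pass a nonce; send the header
  // only when a value was given so other auth plugins never see an empty one.
  if (opts && opts.nonce) {
    headers["X-WP-Nonce"] = opts.nonce;
  }

  switch (auth.authorized_method) {
    case "basic":
      // Both fields required; credentials travel in clear over plain HTTP,
      // so this form should be restricted to HTTPS.
      if (auth.username && auth.password) {
        headers["Authorization"] = "Basic " + base64(auth.username + ":" + auth.password);
      }
      break;
    case "consumer":
      // Assumption: WooCommerce accepts key/secret as Basic credentials over HTTPS.
      if (token.consumerKey && token.consumerSecret) {
        headers["Authorization"] = "Basic " + base64(token.consumerKey + ":" + token.consumerSecret);
      }
      break;
    case "bearer":      // JWT plugin style
    case "wpoauth2.0":  // assumed to issue a Bearer access token
      if (token.access_token) {
        headers["Authorization"] = "Bearer " + token.access_token;
      }
      break;
    case "header":
      // Caller supplies the complete Authorization value for any other plugin.
      if (auth.value) {
        headers["Authorization"] = auth.value;
      }
      break;
    case "oauth1":
      // A static header cannot satisfy OAuth1, which signs each request.
      throw new Error("oauth1 requires per-request signing, not a fixed header");
    default:
      break; // no authorization block: send no credential headers at all
  }
  return headers;
}
```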