-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for Basic Auth not being passed through with PHP in CGI mode #32
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -32,3 +32,63 @@ $args = array( | |
|
||
[oauth]: https://github.com/WP-API/OAuth1 | ||
[RFC2617]: https://tools.ietf.org/html/rfc2617 | ||
|
||
--- | ||
|
||
## Forcing all API requests to require authorisation | ||
|
||
A few notes on making this work on servers with php-cgi. | ||
|
||
### .htaccess | ||
If you're using php-cgi you'll need to tweak the .htaccess file slightly. (more info about the issue: https://github.com/LearningLocker/learninglocker/issues/131) | ||
|
||
Change the Wordpress block in .htaccess in the root folder to: | ||
|
||
``` | ||
# BEGIN WordPress | ||
<IfModule mod_rewrite.c> | ||
RewriteEngine On | ||
RewriteBase / | ||
RewriteRule ^index\.php$ - [L] | ||
RewriteCond %{REQUEST_FILENAME} !-f | ||
RewriteCond %{REQUEST_FILENAME} !-d | ||
RewriteRule . /index.php [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L] | ||
</IfModule> | ||
|
||
# END WordPress | ||
``` | ||
|
||
Then you'll want to stop Wordpress from overwriting this if you save permalinks. | ||
|
||
Add this to your functions.php file: (You'll still be able to update your permalinks don't worry...) | ||
|
||
``` | ||
// Stop WordPress from modifying .htaccess permalink rules | ||
add_filter('flush_rewrite_rules_hard','__return_false'); | ||
``` | ||
|
||
### Check for authorisation | ||
|
||
Now we're able to get the right headers when running php-cgi, add this to your functions.php file: | ||
|
||
What we're doing here is returning the result if they are logging in, or returning an error if they are not logged in. | ||
|
||
``` | ||
// Check user is logged in before returning API results | ||
add_filter('rest_pre_dispatch', function ($result) { | ||
|
||
global $DI; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure what this is for? |
||
|
||
if (is_user_logged_in()) { | ||
return $result; | ||
} else { | ||
return [ | ||
'error_code' => 'rest_requires_authentication', | ||
'message' => 'Using REST requires authentication.', | ||
'status' => '403' | ||
]; | ||
} | ||
}); | ||
|
||
|
||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -18,6 +18,18 @@ function json_basic_auth_handler( $user ) { | |
return $user; | ||
} | ||
|
||
if ( !isset( $_SERVER['PHP_AUTH_USER'] ) && ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) || isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) ) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I know this file plugin doesn't always use spaces after a |
||
if ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) { | ||
$header = $_SERVER['HTTP_AUTHORIZATION']; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What do you think about naming this variable |
||
} else { | ||
$header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; | ||
} | ||
|
||
if ( !empty( $header ) ) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's check that it's a basic access auth here:
|
||
list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', base64_decode(substr( $header, 6 ) ) ); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it should be |
||
} | ||
} | ||
|
||
// Check that we're trying to authenticate | ||
if ( !isset( $_SERVER['PHP_AUTH_USER'] ) ) { | ||
return $user; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure this part is necessary in the context of this plugin.