WordPress / application-passwords

Add a filter to disable the application password authentication

kasparsd opened this issue · comments

Any word on this, is there a way we can manually check for this on our custom endpoints?

Just worth noting that on the core proposal, the wp_is_application_passwords_available filter is available -- it isn't itself specific to endpoints, as the authentication mechanism can also work with XML-RPC requests and is more agnostic than specific to a specific API implementation, but an earlier action could check the path and disable it if desired.

Here's what I came up with to bypass application passwords on a specific endpoint to allow for custom authentication.

function bypass_application_passwords_for_webhook ($available) {

  // if we can't get the current request URL, return default
  global $wp;
  if ( ! is_object ($wp) || empty ($wp->request)) {
    return $available;
  }

  // the path of the current request
  $current_path = trim ($wp->request, '/');

  // the webhook path (for which we want to bypass application passwords)
  // REST_NAMESPACE and REST_ROUTE are constants that are not shown in this post
  $webhook_url = \rest_url (REST_NAMESPACE . REST_ROUTE);
  $webhook_path = trim (parse_url ($webhook_url, PHP_URL_PATH), '/');
  
  // if the current path is the webhook path, bypass application password authentication 
  // (strict comparison, so numeric-looking paths are not loosely equal)
  if ($current_path === $webhook_path) {
    return false;
  }
  
  return $available;
}
add_filter ('wp_is_application_passwords_available', 'bypass_application_passwords_for_webhook');
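
A variant of the same filter, as an added example that is not part of the thread: it compares the `rest_route` query variable instead of the URL path, so the check also holds with plain permalinks (`?rest_route=...`) and on subdirectory installs. `EXAMPLE_WEBHOOK_ROUTE` and the `example_*` function names are hypothetical, and the case-insensitive comparison assumes the REST server matches routes that way.

```php
<?php
// Added example. EXAMPLE_WEBHOOK_ROUTE is a hypothetical stand-in for the
// poster's REST_NAMESPACE . REST_ROUTE constants.
const EXAMPLE_WEBHOOK_ROUTE = '/example/v1/webhook';

// Reduce a rest_route value to "/segment/segment" form, or null if unusable.
function example_normalize_route( $route ) {
    if ( ! is_string( $route ) || '' === trim( $route, '/' ) ) {
        return null;
    }
    return '/' . trim( $route, '/' );
}

// True only for an exact match of the webhook route, never a prefix match.
// Case-insensitive on the assumption that the REST server matches that way.
function example_is_webhook_route( array $query_vars ) {
    $route = example_normalize_route( $query_vars['rest_route'] ?? null );
    return null !== $route && 0 === strcasecmp( $route, EXAMPLE_WEBHOOK_ROUTE );
}

// Filter callback: turn application passwords off for the webhook route only.
function example_disable_app_passwords_for_webhook( $available ) {
    global $wp;
    if ( ! is_object( $wp ) || ! is_array( $wp->query_vars ?? null ) ) {
        return $available; // request not parsed yet: keep the default
    }
    return example_is_webhook_route( $wp->query_vars ) ? false : $available;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_is_application_passwords_available', 'example_disable_app_passwords_for_webhook' );
} else {
    // Outside WordPress: run the matcher over constructed sample values.
    $samples = array(
        '/example/v1/webhook'       => true,
        '/example/v1/webhook/'      => true,
        '/Example/V1/Webhook'       => true,
        '/example/v1/webhook/extra' => false,
        '/wp/v2/users'              => false,
        ''                          => false,
    );
    foreach ( $samples as $route => $expected ) {
        $got = example_is_webhook_route( array( 'rest_route' => $route ) );
        printf( "%-28s %s\n", $route, $got === $expected ? 'ok' : 'MISMATCH' );
    }
}
```

Because the callback returns `false` only on an exact route match, application passwords stay available on every other REST route and on XML-RPC.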