• Hi all,

    Working on developing a new service on a client’s website. One of their requirements is to close the REST API’s core endpoints from unauthorized outside services. In the REST API v2 plugin we had an option to use filters and whatnot to lock down endpoints. I don’t see that in the latest handbook.

    The new service is using JWT and OAuth 2. But the core REST API endpoints are open to any hungry spambot to crawl. We don’t really care if the core endpoints are in JWT or not. We just don’t want it open, regardless of what content is technically already exposed to the public or not.

    Can someone point me to the right documentation, please?

Viewing 3 replies - 1 through 3 (of 3 total)
  • There is a plugin out there that does exactly this, including 4.7+:
    https://ww.wp.xz.cn/plugins/disable-json-api/

    ** As of WordPress 4.7, the filter provided for disabling the REST API has been removed. However, this plugin will now forcibly return an authentication error to any API requests from sources who are not logged into your website, which will effectively still prevent unauthorized requests from using the REST API to get information from your website **

    Is this a viable solution for you, or do you require further assistance?

    Thread Starter bnishi

    (@bobbynishi)

    Not quite. This doesn’t allow you to select roles/permission for which user can see the REST API scheme when logged in. So even “customer” and “subscribers” can see the JSON scheme.

    For other web services this client has, they lock down web services (other REST APIs from other stacks) by IP (server to server) and by basic auth (client to server) or with Oauth 2 (SPA client App to server). I need to keep this implementation as uniform to their ecosystem as possible, using best practices, regardless of stack.

    Also, exposing user information (“/wp-json/wp/v2/users”) by default on all WP websites through the REST API is a big no-no. A while back, there was a user exploit dictionary attack that started with pinging WordPress sites with the query ?author=1 or ?author=2, which are very often admins. Once the bots had a handful of low-id usernames to try against, they would hit the site a couple of dozen times a day for months. Often unnoticed, until they were in. Then, via plugin or SQL injection, they would create a full admin user (if theirs wasn’t already). Finally they would add SEO malware to all the pages and create new views.

    I can look at what this plugin is doing and write something to match our requirements, but the security and authentication levels for this core REST API have lots of room for improvement.

    Thread Starter bnishi

    (@bobbynishi)

    Looking at the plugin and core, I was able to find a filter I can use. These seem to work for my purposes:

    add_filter( 'rest_authentication_errors', array ( $this, 'authenticateServiceAccess') );

    or

    add_filter( 'rest_send_nocache_headers', array ( $this, 'authenticateServiceAccess') );

    • This reply was modified 9 years, 4 months ago by bnishi.
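A fuller version of the rest_authentication_errors approach from the reply above, as an added example (not the poster’s code and not the Disable JSON API plugin’s): it returns a 401 for anonymous requests, a 403 for logged-in users below a capability threshold, and additionally unregisters the /wp/v2/users routes the thread worries about. It assumes WordPress 4.7+ and uses the 'edit_posts' and 'list_users' capabilities as an assumed policy.

```php
<?php
// Added example, not the poster's or the plugin's code. Assumes WordPress
// 4.7+; hook names, WP_Error and current_user_can() are WordPress core.
// 'edit_posts' and 'list_users' are assumed capability thresholds.

// Require an authenticated user with a chosen capability for every REST
// request. This filter runs before any route callback, so it covers the
// core wp/v2 endpoints as well as endpoints registered by plugins.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authenticator (e.g. a JWT/OAuth plugin) already returned a
    // verdict: respect it rather than overwrite it.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Cookie+nonce, Basic Auth or a token plugin must have set the user by now.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }

    // Logged in is not enough: subscribers and customers still get a 403.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges for the REST API.',
            array( 'status' => 403 )
        );
    }

    return $result; // null: let the request through
} );

// Belt and braces for the user listing: remove the /wp/v2/users routes
// entirely unless the requester is allowed to list users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

The filter only decides whether a request counts as authenticated; Basic Auth, JWT or OAuth must still be handled by whatever sets the current user before it runs.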

The topic ‘REST API – Limit core endpoints to Basic Auth’ is closed to new replies.