• There are two sites, example.com and sub.example.com. Both run WordPress. The site sub.example.com has a personal account for users; the site example.com does not. Data between the sites is synchronized during any operation with credentials, including when logging into your account. The task is to find out on the site example.com that the user is currently authorized on the site sub.example.com. I’m making a request via a custom REST API route, but WordPress returns 0 in response to wp_get_current_user(). As I understand it, the request needs to be authorized. For authorization, I currently see this solution:

    1. Make cookies available to example.com:

    define('COOKIE_DOMAIN', '.example.com');
    define('COOKIEPATH', '/');

    2. On the site sub.example.com we place code (not the best way) to issue a nonce:

    add_action('init', function() {
        // Anyone who presents the secret token gets a fresh REST nonce for whatever
        // user the request's cookies identify. The token travels in the query string,
        // so it is written to web server access logs on sub.example.com.
        if (isset($_GET['secret_token']) && $_GET['secret_token'] === 'sdfus8689yhj3hlwiuhey98wyewhuiehiw8932y') {
            // The 'wp_rest' nonce is bound to the user ID and session token taken
            // from the logged-in cookie, so it only verifies for that same session.
            echo wp_create_nonce( 'wp_rest' );
            exit;
        }
    });

    3. On example.com we request the nonce this way:

    // Forward every cookie the browser sent to example.com (including the
    // sub.example.com login cookie, now scoped to .example.com) in a
    // server-to-server request. The secret_token value must match the one
    // checked on sub.example.com exactly.
    $cookies = $_COOKIE;
    $response = wp_remote_get('https://sub.example.com/?secret_token=ksdfus8689yhj3hlwiuhey98wyewhuiehiw8932y', array(
        'cookies' => $cookies,
    ));
    $nonce = is_wp_error($response) ? '' : wp_remote_retrieve_body($response);

    With the received nonce we then execute the request successfully.
    I understand that this scheme is not very elegant, but how safe is it? Or is there a better solution?

    Let me clarify right away that even with synchronization enabled, when logging into an account on sub.example.com, the user remains unauthorized on the example.com website.

    This approach is in use but does not work; the user is not logged in on example.com:
    https://wordpress.stackexchange.com/questions/130753/how-to-share-cookies-and-sessions-between-domain-and-subdomain
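The final step of the scheme above, the REST call itself, is not shown in the post. The following is an added example (not the poster's code) of how that call looks on example.com with cookie authentication: the forwarded cookies identify the session and the X-WP-Nonce header carries the nonce from step 3. The helper name sub_site_nonce_request() and the route myplugin/v1/whoami are assumptions; the reply below discusses alternatives to this approach.

```php
<?php
// Added example, not from the post: completes the scheme above on example.com.
// Assumed names: sub_site_nonce_request() and the custom route 'myplugin/v1/whoami'.

/**
 * Call $route on sub.example.com as the visitor, using WordPress cookie
 * authentication. The forwarded cookies identify the session; the X-WP-Nonce
 * header (nonce action 'wp_rest') proves the request was made on behalf of
 * that session. Returns the decoded JSON body or a WP_Error.
 */
function sub_site_nonce_request( $route, $nonce ) {
    // wp_create_nonce() returns 10 hex characters; anything else means step 3
    // returned an error page or the secret token did not match.
    if ( ! is_string( $nonce ) || ! preg_match( '/^[0-9a-f]{10}$/', $nonce ) ) {
        return new WP_Error( 'bad_nonce', 'Nonce endpoint did not return a nonce.' );
    }

    $url = 'https://sub.example.com/wp-json/' . ltrim( $route, '/' );
    $response = wp_remote_get( $url, array(
        'timeout' => 10,
        'headers' => array(
            'X-WP-Nonce' => $nonce,
            'Accept'     => 'application/json',
        ),
        // Every cookie the browser sent to example.com is forwarded, not only
        // the WordPress login cookie; any other cookie scoped to .example.com
        // goes along to sub.example.com as well.
        'cookies' => $_COOKIE,
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    $code = wp_remote_retrieve_response_code( $response );
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( 200 !== $code ) {
        // Cookie-auth failures arrive here as rest_cookie_invalid_nonce or
        // rest_not_logged_in in $body['code'].
        $err_code = isset( $body['code'] ) ? $body['code'] : 'rest_http_' . $code;
        $err_msg  = isset( $body['message'] ) ? $body['message'] : 'Request failed.';
        return new WP_Error( $err_code, $err_msg );
    }
    return $body;
}

// Usage on example.com, after step 3 has produced $nonce:
// $user = sub_site_nonce_request( 'myplugin/v1/whoami', $nonce );
// if ( ! is_wp_error( $user ) ) { /* $user is whatever the custom route returns */ }
```

Two things to check before relying on this: the nonce only verifies on sub.example.com for the session in the forwarded logged-in cookie, so the request fails with rest_cookie_invalid_nonce as soon as the user logs out or the cookie is not shared; and because the whole cookie jar is forwarded, anything else stored under .example.com reaches sub.example.com too.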

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter hsyiy907

    (@hsyiy907)

    But in this case, access to the personal account on example.com is opened, which is not what I would like. Is there any way to disable the personal account page?

    Moderator bcworkz

    (@bcworkz)

    Be sure a subdomain profile request is not redirected to the root domain. After all, it’s really the same profile page regardless of which sub-site the user belongs to. Assuming there’s no redirect, you could use the “admin_init” action hook to check who is requesting the profile page and, if it’s not the right user, redirect them back to their subdomain; or the request could simply wp_die() since they’re ostensibly in the wrong place.

    Cookie authentication is flawed when subdomains are involved. The two sub-sites are seen as a cross-domain request, and cookies are normally not sent to another domain. While there are ways around this, the process remains flawed. Your other API authentication choices are OAuth, JWT, and application passwords.

    I personally like application passwords, but depending on usage, each user may need their own app password. These are typically manually assigned, but I’m pretty sure the process can be automated during registration. If the API data being fetched is not dependent on the current user, a single, all encompassing app password could be used.

    JWT is also a reasonable choice IMO. I’m not too keen on OAuth only because it’s rather complicated.
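The two suggestions in this reply, an application password for the server-to-server call and an admin_init guard on the profile page, put into code. This is an added example, not code from the thread or from WordPress itself. It assumes: a must-use plugin on example.com; a service account on sub.example.com with an application password (created under the user's profile, or with WP_Application_Passwords::create_new_application_password()); the constants SUB_SITE_APP_USER and SUB_SITE_APP_PASSWORD defined in wp-config.php on example.com; a multisite install, so that users with no membership of example.com are the ones to redirect; and the helper names sub_site_rest_get(), sub_site_service_account() and example_com_guard_profile_page().

```php
<?php
// Added example, not from the thread. Assumed constants (put them in
// wp-config.php on example.com, never in a URL):
//   define( 'SUB_SITE_APP_USER', 'sync-bot' );
//   define( 'SUB_SITE_APP_PASSWORD', 'xxxx xxxx xxxx xxxx xxxx xxxx' );

/**
 * Fetch a REST route on sub.example.com, authenticated with an application
 * password sent as HTTP Basic auth. WordPress only accepts application
 * passwords over HTTPS by default, so the URL must be https.
 * Returns the decoded JSON body or a WP_Error.
 */
function sub_site_rest_get( $route, array $query = array() ) {
    if ( ! defined( 'SUB_SITE_APP_USER' ) || ! defined( 'SUB_SITE_APP_PASSWORD' ) ) {
        return new WP_Error( 'no_credentials', 'Application password not configured.' );
    }

    $url = 'https://sub.example.com/wp-json/' . ltrim( $route, '/' );
    if ( $query ) {
        $url = add_query_arg( $query, $url );
    }

    $response = wp_remote_get( $url, array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( SUB_SITE_APP_USER . ':' . SUB_SITE_APP_PASSWORD ),
            'Accept'        => 'application/json',
        ),
        // No 'cookies' entry on purpose: the application password authenticates
        // this request, so the visitor's session cookies never leave example.com.
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    $code = wp_remote_retrieve_response_code( $response );
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( 200 !== $code ) {
        $err_msg = isset( $body['message'] ) ? $body['message'] : 'Unexpected HTTP status.';
        return new WP_Error( 'rest_http_' . $code, $err_msg );
    }
    return $body;
}

/**
 * Sanity check for the credential: wp/v2/users/me?context=edit answers with
 * the account that owns the application password, i.e. the service account,
 * not the visitor. This is why per-visitor data needs either a password per
 * user (the reply's point about automating this at registration) or a custom
 * route on sub.example.com that takes an explicit user identifier.
 */
function sub_site_service_account() {
    $me = sub_site_rest_get( 'wp/v2/users/me', array( 'context' => 'edit' ) );
    return is_wp_error( $me ) ? null : $me['slug'];
}

/**
 * admin_init guard: a logged-in user who is not a member of this site is sent
 * to the profile page on their own subdomain instead of seeing this one.
 * wp_redirect() rather than wp_safe_redirect() because the target host is
 * external and hard-coded here, not taken from the request.
 */
function example_com_guard_profile_page() {
    global $pagenow;
    if ( 'profile.php' !== $pagenow ) {
        return;
    }
    $user_id = get_current_user_id();
    if ( $user_id && ! is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
        wp_redirect( 'https://sub.example.com/wp-admin/profile.php' );
        exit;
    }
}
add_action( 'admin_init', 'example_com_guard_profile_page' );
```

If sub_site_rest_get() comes back with rest_not_logged_in even though the password is correct, check that the web server on sub.example.com passes the Authorization header through to PHP; on some FastCGI setups it is dropped unless the server is configured to forward it. The guard runs on admin_init, which fires before the profile page is rendered, so the redirect happens before any profile data is output.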


The topic ‘REST API request between domain and subdomain’ is closed to new replies.