Moderator t-p (@t-p)
@t-p Thanks for the suggestion but I don’t want to disable the REST API as my web app is actually using it
Use the ‘rest_authentication_errors’ filter to check a nonce or some sort of token sent by your app. Return null to pass the request on to the normal authentication if required. Return a WP_Error object to reject the request. AFAIK this filter is used even for requests not requiring authentication. Untested for your situation, but it looks promising.
@bcworkz How can I generate a nonce from the front-end using React and will the WP REST API recognize that nonce?
You could hash some data that is known to both apps. Timestamps should be included, but you don’t want to get too granular with that if clocks cannot be synced. WP uses wp_create_nonce() and wp_verify_nonce(). Look at the source for ideas. WP sends the nonce out with the initial form to be spit back in the submit. If that works for your process you can use native WP functions. The WP version is not a true nonce because it can be used multiple times in a time period. True nonces become invalid once they are used. In general, the use of nonces in WP does not require a rigorous true nonce. If one needs that level of security, they need to develop their own nonce system.
WP REST does not recognize nonces itself, you build the check into your authentication errors filter callback. Nonces were the obvious example that came to mind in my last post. Depending on your needs, it may be overkill. For example, you might choose to merely restrict by user or role capability.
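An added example (not code from this thread or from WordPress core) of the approach bcworkz describes: the nonce is minted server-side with wp_create_nonce() and handed to the React bundle, which echoes it back in a header that a rest_authentication_errors callback verifies. The plugin name, header name, nonce action and script handle are assumptions.

```php
<?php
/**
 * Plugin Name: Example REST token gate (added example, not from this thread)
 *
 * Gates every REST request behind a WordPress nonce that the server hands
 * to the React bundle. The header, action and script handle below are
 * assumed names, not WordPress conventions.
 */

// The React app sends the value back as: X-App-Token: <nonce>
const EXAMPLE_REST_TOKEN_HEADER = 'HTTP_X_APP_TOKEN'; // $_SERVER key for X-App-Token
const EXAMPLE_REST_TOKEN_ACTION = 'example_app_rest'; // nonce action string

/**
 * Hand a freshly minted nonce to the front-end bundle. wp_create_nonce()
 * binds it to the current user/session and to a time window, so the
 * React app cannot mint one itself; it only echoes this value back.
 */
function example_rest_token_localize() {
    // 'example-react-app' is the (assumed) handle of the enqueued React bundle.
    wp_localize_script( 'example-react-app', 'exampleRest', array(
        'token' => wp_create_nonce( EXAMPLE_REST_TOKEN_ACTION ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_rest_token_localize', 20 );

/**
 * rest_authentication_errors runs for every REST request, authenticated
 * or not. Return null to hand off to normal authentication, or a
 * WP_Error to reject the request outright.
 */
function example_rest_token_gate( $result ) {
    // Respect a decision already made by an earlier callback.
    if ( null !== $result ) {
        return $result;
    }
    $token = isset( $_SERVER[ EXAMPLE_REST_TOKEN_HEADER ] )
        ? sanitize_text_field( wp_unslash( $_SERVER[ EXAMPLE_REST_TOKEN_HEADER ] ) )
        : '';
    // wp_verify_nonce() returns 1 or 2 (age tier) on success, false otherwise.
    if ( '' === $token || false === wp_verify_nonce( $token, EXAMPLE_REST_TOKEN_ACTION ) ) {
        return new WP_Error(
            'rest_forbidden_token',
            __( 'Missing or expired application token.', 'example' ),
            array( 'status' => 403 )
        );
    }
    return null; // token valid; let normal authentication proceed
}
add_filter( 'rest_authentication_errors', 'example_rest_token_gate' );
```

A WP nonce is bound to the user session and expires after at most 24 hours, so a single-page app kept open longer than that needs to obtain a fresh value (for instance from a page reload) before its requests start being rejected with 403.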