application-passwords
Add a filter to disable the application password authentication
See https://wordpress.org/support/topic/limit-application-to-specific-rest-endpoints/
Any word on this, is there a way we can manually check for this on our custom endpoints?
Just worth noting that on the core proposal, the wp_is_application_passwords_available filter is available -- it isn't itself specific to endpoints, as the authentication mechanism can also work with xmlrpc requests and is more agnostic than specific to a specific API implementation, but an earlier action could check the path and disable it if desired.
Here's what I came up with to bypass application passwords on a specific endpoint to allow for custom authentication.
```php
// REST_NAMESPACE and REST_ROUTE are constants defined elsewhere in the poster's plugin.
function bypass_application_passwords_for_webhook( $available ) {
	// if we can't get the current request URL, return default
	global $wp;
	if ( ! is_object( $wp ) || empty( $wp->request ) ) {
		return $available;
	}

	// the path of the current request
	$current_path = trim( $wp->request, '/' );

	// the webhook path (which we want to bypass application passwords)
	$webhook_url  = \rest_url( REST_NAMESPACE . REST_ROUTE );
	// cast to string: parse_url() returns null/false when the URL has no path
	$webhook_path = trim( (string) parse_url( $webhook_url, PHP_URL_PATH ), '/' );

	// if the current path is the webhook path, bypass application password authentication
	if ( $current_path === $webhook_path ) {
		return false;
	}

	return $available;
}
add_filter( 'wp_is_application_passwords_available', 'bypass_application_passwords_for_webhook' );
```
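
The inverse of the snippet above, for the original request in this thread (limiting application passwords to specific REST endpoints), as an added example that is not code from any participant or from the plugin: the same wp_is_application_passwords_available filter used as an allowlist. The function names and the route prefixes in EXAMPLE_APP_PASSWORD_ROUTES are hypothetical, and it assumes pretty or plain permalinks.

```php
<?php
// Added example. Route prefixes are hypothetical; replace with your own.
const EXAMPLE_APP_PASSWORD_ROUTES = array( '/wp/v2/posts', '/example/v1/sync' );

// Returns the REST route of the current request ("/namespace/route"), or null
// when the request is not addressed to the REST API.
function example_current_rest_route() {
	// Plain permalinks: /?rest_route=/namespace/route
	if ( isset( $_GET['rest_route'] ) && is_string( $_GET['rest_route'] ) ) {
		return '/' . trim( wp_unslash( $_GET['rest_route'] ), '/' );
	}
	$path = (string) wp_parse_url( $_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH );
	// REST root path, including any subdirectory WordPress is installed in.
	$root = (string) wp_parse_url( home_url( rest_get_url_prefix() ), PHP_URL_PATH );
	$root = '/' . trim( $root, '/' );
	if ( $path !== $root && 0 !== strpos( $path, $root . '/' ) ) {
		return null;
	}
	return '/' . trim( substr( $path, strlen( $root ) ), '/' );
}

function example_limit_application_passwords( $available ) {
	if ( ! $available ) {
		return $available; // already disabled by core or another plugin
	}
	// Design choice of this example: no application passwords over XML-RPC.
	if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
		return false;
	}
	// Only act when Basic auth credentials were sent, so cookie-authenticated
	// requests (such as the profile screen managing passwords) are unaffected.
	if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
		return $available;
	}
	$route = example_current_rest_route();
	if ( null === $route ) {
		return $available; // not a REST request
	}
	foreach ( EXAMPLE_APP_PASSWORD_ROUTES as $prefix ) {
		// Match the prefix on a path-segment boundary, not as a raw substring.
		if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
			return $available;
		}
	}
	return false; // credentials presented on a route outside the allowlist
}
add_filter( 'wp_is_application_passwords_available', 'example_limit_application_passwords' );
```

The check reads the outer request URI only, so a non-allowlisted route such as the REST batch endpoint is denied as a whole rather than inspected per sub-request.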