Skip to content

Commit

Permalink
Merge pull request #21 from alleyinteractive/hotfix/user-endpoint
Browse files Browse the repository at this point in the history
Do not check OPTIONS requests by default
  • Loading branch information
srtfisher authored Feb 28, 2024
2 parents c8436b3 + e9051f2 commit b037f7b
Show file tree
Hide file tree
Showing 6 changed files with 77 additions and 10 deletions.
5 changes: 3 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@

All notable changes to `wp-rest-guard` will be documented in this file.

## v1.2.1 - 2024-02-26
## v1.3.0 - 2024-02-27

- Allow the claims to be added to added to a generated JWT via filter.
- Allow the claims to be added to a generated JWT via filter.
- Don't check `OPTIONS` requests by default.

## v1.2.0 - 2024-02-22

Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# REST API Guard

Stable tag: 1.2.1
Stable tag: 1.3.0

Requires at least: 6.0

Expand Down
26 changes: 20 additions & 6 deletions plugin.php
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@
* Plugin Name: REST API Guard
* Plugin URI: https://github.com/alleyinteractive/wp-rest-api-guard
* Description: Restrict and control access to the REST API
* Version: 1.2.0
* Version: 1.3.0
* Author: Sean Fisher
* Author URI: https://alley.co/
* Author URI: https://alley.com/
* Requires at least: 6.0
* Tested up to: 6.3
*
Expand Down Expand Up @@ -59,6 +59,18 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
$settings = [];
}

/**
* Filters whether the REST API Guard should check OPTIONS requests.
*
* This is useful for CORS preflight requests.
*
* @param bool $check Whether to check OPTIONS requests. Default false.
* @param \WP_REST_Request $request REST API Request.
*/
if ( 'OPTIONS' === $request->get_method() && ! apply_filters( 'rest_api_guard_check_options_requests', $settings['check_options_requests'] ?? false, $request ) ) {
return false;
}

if ( class_exists( JWT::class ) ) {
/**
* Check if the anonymous request requires a JSON Web Token (JWT).
Expand Down Expand Up @@ -149,9 +161,10 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
/**
* Prevent access to the root of the REST API.
*
* @param bool $prevent Whether to prevent anonymous access, default false.
* @param bool $prevent Whether to allow anonymous access to the REST API index. Default false.
* @param string $endpoint The endpoint of the request.
*/
if ( '/' === $endpoint && false === apply_filters( 'rest_api_guard_allow_index_access', $settings['allow_index_access'] ?? false ) ) {
if ( '/' === $endpoint && false === apply_filters( 'rest_api_guard_allow_index_access', $settings['allow_index_access'] ?? false, $endpoint ) ) {
return true;
}

Expand All @@ -171,9 +184,10 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
/**
* Prevent access to the /wp/v2/users endpoints by default.
*
* @param bool $pre Whether to prevent access to the /wp/v2/users endpoints.
* @param bool $pre Whether to allow access to the /wp/v2/users endpoints.
* @param string $endpoint The endpoint of the request.
*/
if ( preg_match( '#^/wp/v\d+/users($|/)#', $endpoint ) && false === apply_filters( 'rest_api_guard_allow_user_access', $settings['allow_user_access'] ?? false ) ) {
if ( preg_match( '#^/wp/v\d+/users($|/)#', $endpoint ) && false === apply_filters( 'rest_api_guard_allow_user_access', $settings['allow_user_access'] ?? false, $endpoint ) ) {
return true;
}

Expand Down
2 changes: 1 addition & 1 deletion readme.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
=== REST API Guard ===
Stable tag: 1.2.1
Stable tag: 1.3.0
Requires at least: 6.0
Tested up to: 6.3
Requires PHP: 8.0
Expand Down
16 changes: 16 additions & 0 deletions settings.php
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,21 @@ function on_admin_init() {
],
);

add_settings_field(
'check_options_requests',
__( 'Apply checks to OPTIONS requests', 'rest-api-guard' ),
__NAMESPACE__ . '\render_field',
SETTINGS_KEY,
SETTINGS_KEY,
[
'description' => __( 'Apply the same checks to OPTIONS requests as other requests.', 'rest-api-guard' ),
'additional' => __( 'By default, the plugin will not apply any checks to OPTIONS requests. This setting will force the plugin to apply the same checks to OPTIONS requests as other requests. For CORS requests, this may need to be disabled to allow authentication with a JWT.', 'rest-api-guard' ),
'filter' => 'rest_api_guard_check_options_requests',
'id' => 'check_options_requests',
'type' => 'checkbox',
],
);

add_settings_field(
'anonymous_requests_allowlist',
__( 'Anonymous Request Allowlist', 'rest-api-guard' ),
Expand Down Expand Up @@ -232,6 +247,7 @@ function sanitize_settings( $input ) {
'allow_index_access' => ! empty( $input['allow_index_access'] ),
'allow_namespace_access' => ! empty( $input['allow_namespace_access'] ),
'allow_user_access' => ! empty( $input['allow_user_access'] ),
'check_options_requests' => ! empty( $input['check_options_requests'] ),
'anonymous_requests_allowlist' => ! empty( $input['anonymous_requests_allowlist'] ) ? sanitize_textarea_field( $input['anonymous_requests_allowlist'] ) : '',
'anonymous_requests_denylist' => ! empty( $input['anonymous_requests_denylist'] ) ? sanitize_textarea_field( $input['anonymous_requests_denylist'] ) : '',
'authentication_jwt' => ! empty( $input['authentication_jwt'] ),
Expand Down
36 changes: 36 additions & 0 deletions tests/RestApiGuardTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,42 @@ public function test_prevent_anonymous_access_settings() {
$this->get( rest_url( '/wp/v2/tags' ) )->assertUnauthorized();
}

public function test_check_options_requests() {
$this->expectApplied( 'rest_api_guard_check_options_requests' )->times( 3 );

// Check the default settings.
update_option(
SETTINGS_KEY,
[
'prevent_anonymous_access' => true,
]
);

$this->options( rest_url( '/wp/v2/categories' ) )->assertOk();
$this->get( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();

update_option(
SETTINGS_KEY,
[
'prevent_anonymous_access' => true,
'check_options_requests' => true,
]
);

$this->options( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();

update_option(
SETTINGS_KEY,
[
'prevent_anonymous_access' => true,
]
);

add_filter( 'rest_api_guard_check_options_requests', fn () => true );

$this->options( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();
}

public function test_prevent_access_allowlist_code() {
$this->get( rest_url( '/wp/v2/categories' ) )->assertOk();

Expand Down

0 comments on commit b037f7b

Please sign in to comment.