CODEWITHSUNDEEP
wordpresswordpress-rest-api
user982124
user982124

Reputation: 4622

WordPress REST API - How to Authenticate without a plugin

I've used the WooCommerce REST API for a number of years and I now need to try and upload some media files to WordPress so we can reference these when adding Product Images to existing Products, as the WooCommerce REST API doesn't allow for uploading image files directly. I have no experience with any WordPress REST API implementations as yet.

I'm pretty confused at this stage whether I need to use a WordPress plugin to allow my remote application (using cURL) to be able to upload files to the Media endpoint? I saw something about not using basic authentication but I can't see any settings within WordPress itself to create API keys like you do for WooCommerce.

Do I need to use a plugin to enable REST API access to allow remote uploading of media files? From what I've read the REST API is not in the WordPress core (I'm running WordPress 4.9.2) but I can't see where I setup authentication for the API requests?

Upvotes: 3

Views: 12283

Answers (2)

Shaun Poore
Shaun Poore

Reputation: 642

So according to wordpress they say there are 4 ways to authenticate.

  1. Cookies auth
  2. Basic auth
  3. oauth
  4. json web tokens

Unfortunately all of these methods require you to either edit your functions.php file or download a plugin. There's currently no way around that.

I've found the fastest way to just quickly get this running is to use this plugin. Or if you don't actually want to install the plugin just put their code into your theme's functions.php file and basic auth should be ready to use. Maybe not a great long term solution but it'll get you up and running.

Upvotes: 1

firxworx
firxworx

Reputation: 1584

There are different authentication schemes and for remote applications / integrations, you will generally need a plugin to authenticate.

The default idea is one logs into WordPress (e.g. wp-login.php) and that authorizes that user for any REST API functionality that might require it. An example use-case where this is suitable is a plugin that adds a page in the admin dashboard and its back/forth with the server is implemented via JS + REST API. No additional plugins or anything of the sort is required, especially now that the REST API is part of the core.

For integrations, currently decent options include an OAuth plugin, JWT, and the Application Passwords plugin.

Since you're using CURL and loading data ad-hoc, the Application Password plugin could be a pretty straightforward choice that's easy to manage. Once the plugin is installed + activated, given a user, you can edit their profile and add one or more Application Passwords (and disable them). The idea is you use a different password for each application where you want to authenticate as that user.

To use an Application Password, base64-encode "USERNAME:APPLICATION_PASSWORD" and then incorporate the resulting value in an Authorization header along with any requests.

Suppose you create an Application Password for username and the plugin generates "WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ". At a shell prompt you could generate the required base64-encoded format: 

echo -n "username:WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ" | base64

For the sake of example, suppose the base64 output is: "AAAAAAAAABBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDD=". You could then use this value in the Authorization header of any requests: 

curl --header "Authorization: Basic AAAAAAAAABBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDD=" -X POST -d "title=Editing a Post Title with REST API" https://example.com.test/wp-json/wp/v2/posts/<ID>

It is important to use SSL/TLS as the authorization header can be sniffed out by an attacker if it were transmitted via plaintext.

Plugin link:

https://wordpress.org/plugins/application-passwords/

Upvotes: 3

Related Questions