Yamona

Reputation: 1130

WP REST API how to check header basic authentication

A custom endpoint like this

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/author/(?P<id>\d+)', array(
        'methods' => 'GET',
        'callback' => 'my_awesome_func',
    ) );
} );

Using basic authentication in headers, let's say 'Authorization: Basic some64basePass'

How can I check whether the value of Authorization in the header is valid or not?

Upvotes: 2

Views: 5476

Answers (2)

user8717003

WordPress has a hook for adding your own authentication handler.

add_filter( 'rest_authentication_errors', 'rest_basic_auth_check_errors', 99 );

Your rest_basic_auth_check_errors() should return true if basic authentication succeeds or WP_Error if it fails. Since the default REST authentication handler runs at priority 100, your rest_basic_auth_check_errors() will override the default handler.

See the function WP_REST_Server::check_authentication() in file ...\wp-includes\rest-api\class-wp-rest-server.php to understand how WordPress handles REST authentication and how to add your own authentication handler.

Also, you should read about $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] in http://php.net/manual/en/features.http-auth.php

Upvotes: 2
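One possible body for the rest_basic_auth_check_errors() handler described in the answer above, added here as an example and not part of the original answer or of WordPress itself. It assumes only routes under /myplugin/v1/ need Basic authentication and that credentials are WordPress user accounts; myplugin_basic_credentials() is a hypothetical helper name.

```php
<?php
// Added example: a possible body for the handler named in the answer.
add_filter( 'rest_authentication_errors', 'rest_basic_auth_check_errors', 99 );

function rest_basic_auth_check_errors( $result ) {
    // Keep any decision an earlier handler already made.
    if ( null !== $result ) {
        return $result;
    }
    // Assumption: only routes under /myplugin/v1/ require Basic authentication.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route'] : '';
    if ( 0 !== strpos( $route, '/myplugin/v1/' ) ) {
        return $result;
    }
    $denied = new WP_Error( 'rest_not_logged_in', 'Please use a valid authentication', array( 'status' => 401 ) );

    // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
    if ( ! is_ssl() ) {
        return $denied;
    }
    list( $user, $pass ) = myplugin_basic_credentials();
    if ( '' === $user || '' === $pass ) {
        return $denied;
    }
    // wp_authenticate() checks the password hash and returns WP_User or WP_Error.
    $account = wp_authenticate( $user, $pass );
    if ( is_wp_error( $account ) ) {
        return $denied; // Same error for unknown user and wrong password.
    }
    wp_set_current_user( $account->ID );
    return true;
}

// Hypothetical helper: returns array( user, password ), empty strings when absent.
function myplugin_basic_credentials() {
    if ( isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
        return array( (string) $_SERVER['PHP_AUTH_USER'], (string) $_SERVER['PHP_AUTH_PW'] );
    }
    // CGI/FastCGI setups often expose only the raw header (if the server forwards it).
    $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? trim( (string) $_SERVER['HTTP_AUTHORIZATION'] ) : '';
    if ( 0 === stripos( $header, 'Basic ' ) ) {
        $decoded = base64_decode( substr( $header, 6 ), true );
        // Split on the first colon only: the password may itself contain colons.
        if ( false !== $decoded && false !== strpos( $decoded, ':' ) ) {
            return explode( ':', $decoded, 2 );
        }
    }
    return array( '', '' );
}
```

Behind a TLS-terminating proxy, is_ssl() reports false unless the site is configured to trust the proxy's forwarded-protocol header, so that check may need adjusting for such deployments.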

Yamona

Reputation: 1130

Here is my solution. Inside the callback function I validate Authorization from the header like this:

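function my_awesome_func($data) {
    // Get HTTP request headers
    $auth = apache_request_headers();
    // Get only the Authorization header (empty string if the client sent none)
    $valid = isset($auth['Authorization']) ? $auth['Authorization'] : '';

    // Default response, so $response is always defined
    $response = null;

    // Validate; hash_equals() compares in constant time, unlike ==
    if (hash_equals('Basic Base64UsernamePassword', $valid)) {
        // Do what the function should do
    } else {
        $response = 'Please use a valid authentication';
    }

    // The REST server JSON-encodes the return value itself
    return rest_ensure_response($response);
}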

Maybe there is a better way.

Upvotes: 4
