Skip to content

Commit

Permalink
Bump to 1.3.0
Browse files Browse the repository at this point in the history
  • Loading branch information
srtfisher committed Feb 27, 2024
1 parent c8436b3 commit 3ecc833
Show file tree
Hide file tree
Showing 6 changed files with 76 additions and 9 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@

All notable changes to `wp-rest-guard` will be documented in this file.

## v1.2.1 - 2024-02-26
## v1.3.0 - 2024-02-27

- Allow the claims to be added to added to a generated JWT via filter.
- Don't check `OPTIONS` requests by default.

## v1.2.0 - 2024-02-22

Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# REST API Guard

Stable tag: 1.2.1
Stable tag: 1.3.0

Requires at least: 6.0

Expand Down
26 changes: 20 additions & 6 deletions plugin.php
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@
* Plugin Name: REST API Guard
* Plugin URI: https://github.com/alleyinteractive/wp-rest-api-guard
* Description: Restrict and control access to the REST API
* Version: 1.2.0
* Version: 1.3.0
* Author: Sean Fisher
* Author URI: https://alley.co/
* Author URI: https://alley.com/
* Requires at least: 6.0
* Tested up to: 6.3
*
Expand Down Expand Up @@ -59,6 +59,18 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
$settings = [];
}

/**
* Allow OPTIONS requests to bypass the REST API Guard checks by default.
*
* This is useful for CORS preflight requests.
*
* @param bool $allow Whether to allow OPTIONS requests, default true.
* @param \WP_REST_Request $request REST API Request.
*/
if ( 'OPTIONS' === $request->get_method() && ! apply_filters( 'rest_api_guard_check_options_requests', $settings['check_options_requests'] ?? false, $request ) ) {
return false;
}

if ( class_exists( JWT::class ) ) {
/**
* Check if the anonymous request requires a JSON Web Token (JWT).
Expand Down Expand Up @@ -149,9 +161,10 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
/**
* Prevent access to the root of the REST API.
*
* @param bool $prevent Whether to prevent anonymous access, default false.
* @param bool $prevent Whether to prevent anonymous access, default false.
* @param string $endpoint The endpoint of the request.
*/
if ( '/' === $endpoint && false === apply_filters( 'rest_api_guard_allow_index_access', $settings['allow_index_access'] ?? false ) ) {
if ( '/' === $endpoint && false === apply_filters( 'rest_api_guard_allow_index_access', $settings['allow_index_access'] ?? false, $endpoint ) ) {
return true;
}

Expand All @@ -171,9 +184,10 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
/**
* Prevent access to the /wp/v2/users endpoints by default.
*
* @param bool $pre Whether to prevent access to the /wp/v2/users endpoints.
* @param bool $pre Whether to prevent access to the /wp/v2/users endpoints.
* @param string $endpoint The endpoint of the request.
*/
if ( preg_match( '#^/wp/v\d+/users($|/)#', $endpoint ) && false === apply_filters( 'rest_api_guard_allow_user_access', $settings['allow_user_access'] ?? false ) ) {
if ( preg_match( '#^/wp/v\d+/users($|/)#', $endpoint ) && false === apply_filters( 'rest_api_guard_allow_user_access', $settings['allow_user_access'] ?? false, $endpoint ) ) {
return true;
}

Expand Down
2 changes: 1 addition & 1 deletion readme.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
=== REST API Guard ===
Stable tag: 1.2.1
Stable tag: 1.3.0
Requires at least: 6.0
Tested up to: 6.3
Requires PHP: 8.0
Expand Down
16 changes: 16 additions & 0 deletions settings.php
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,21 @@ function on_admin_init() {
],
);

add_settings_field(
'check_options_requests',
__( 'Apply checks to OPTIONS requests', 'rest-api-guard' ),
__NAMESPACE__ . '\render_field',
SETTINGS_KEY,
SETTINGS_KEY,
[
'description' => __( 'Apply the same checks to OPTIONS requests as other requests.', 'rest-api-guard' ),
'additional' => __( 'By default, the plugin will not apply any checks to OPTIONS requests. This setting will force the plugin to apply the same checks to OPTIONS requests as other requests. For CORS requests, this may need to be disabled to allow authentication with a JWT.', 'rest-api-guard' ),
'filter' => 'rest_api_guard_check_options_requests',
'id' => 'check_options_requests',
'type' => 'checkbox',
],
);

add_settings_field(
'anonymous_requests_allowlist',
__( 'Anonymous Request Allowlist', 'rest-api-guard' ),
Expand Down Expand Up @@ -232,6 +247,7 @@ function sanitize_settings( $input ) {
'allow_index_access' => ! empty( $input['allow_index_access'] ),
'allow_namespace_access' => ! empty( $input['allow_namespace_access'] ),
'allow_user_access' => ! empty( $input['allow_user_access'] ),
'check_options_requests' => ! empty( $input['check_options_requests'] ),
'anonymous_requests_allowlist' => ! empty( $input['anonymous_requests_allowlist'] ) ? sanitize_textarea_field( $input['anonymous_requests_allowlist'] ) : '',
'anonymous_requests_denylist' => ! empty( $input['anonymous_requests_denylist'] ) ? sanitize_textarea_field( $input['anonymous_requests_denylist'] ) : '',
'authentication_jwt' => ! empty( $input['authentication_jwt'] ),
Expand Down
36 changes: 36 additions & 0 deletions tests/RestApiGuardTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,42 @@ public function test_prevent_anonymous_access_settings() {
$this->get( rest_url( '/wp/v2/tags' ) )->assertUnauthorized();
}

public function test_check_options_requests() {
$this->expectApplied( 'rest_api_guard_check_options_requests' )->times( 3 );

// Check the default settings.
update_option(
SETTINGS_KEY,
[
'prevent_anonymous_access' => true,
]
);

$this->options( rest_url( '/wp/v2/categories' ) )->assertOk();
$this->get( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();

update_option(
SETTINGS_KEY,
[
'prevent_anonymous_access' => true,
'check_options_requests' => true,
]
);

$this->options( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();

update_option(
SETTINGS_KEY,
[
'prevent_anonymous_access' => true,
]
);

add_filter( 'rest_api_guard_check_options_requests', fn () => true );

$this->options( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();
}

public function test_prevent_access_allowlist_code() {
$this->get( rest_url( '/wp/v2/categories' ) )->assertOk();

Expand Down

0 comments on commit 3ecc833

Please sign in to comment.