定制 alleyinteractive/wp-rest-api-guard 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

alleyinteractive/wp-rest-api-guard

Composer 安装命令:

composer require alleyinteractive/wp-rest-api-guard

包简介

Restrict and control access to the REST API

README 文档

README

Stable tag: 1.4.1

Requires at least: 6.5

Tested up to: 6.8

Requires PHP: 8.0

License: GPL v2 or later

Tags: alleyinteractive, rest-api-guard

Contributors: sean212

All Pull Request Tests

Restrict and control access to the REST API.

Installation

You can install the package via composer:

composer require alleyinteractive/wp-rest-api-guard

Usage

The WordPress REST API is generally very public and can share a good deal of information with the internet anonymously. This plugin aims to make it easier to restrict access to the REST API for your WordPress site.

Out of the box the plugin can:

  • Disable anonymous access to the REST API.
  • Restrict and control anonymous access to the REST API by namespace, path, etc.

Settings Page

The plugin can be configured via the Settings page (Settings -> REST API Guard) or via the relevant filter.

Screenshot of plugin settings screen

Preventing Access to User Information (wp/v2/users)

By default, the plugin will restrict anonymous access to the users endpoint. This can be prevented in the plugin's settings or via code:

add_filter( 'rest_api_guard_allow_user_access', fn () => true );

Preventing Access to Index (/) or Namespace Endpoints (wp/v2)

To prevent anonymous users from browsing your site and discovering what plugins/post types are set up, the plugin restricts access to the index (/) and namespace (wp/v2) endpoints. This can be prevented in the plugin's settings or via code:

// Allow index access.
add_filter( 'rest_api_guard_allow_index_access', fn () => true );

// Allow namespace access.
add_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) => true );

Restrict Anonymous Access to the REST API

The plugin can restrict anonymous access for any request to the REST API in the plugin's settings or via code:

add_filter( 'rest_api_guard_prevent_anonymous_access', fn () => true );

Limit Anonymous Access to Specific Namespaces/Routes (Allowlist)

Anonymous users can be granted access only to specific namespaces/routes. Requests outside of these paths will be denied. This can be configured in the plugin's settings or via code:

add_filter(
	'rest_api_guard_anonymous_requests_allowlist',
	function ( array $paths, WP_REST_Request $request ): array {
		// Allow other paths not included here will be denied.
		$paths[] = 'wp/v2/post';
		$paths[] = 'custom-namespace/v1/public/*';

		return $paths;
	},
	10,
	2
);

Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)

Anonymous users can be restricted from specific namespaces/routes. This acts as a denylist for specific paths that an anonymous user cannot access. The paths support regular expressions for matching. The use of the Allowlist takes priority over this denylist. This can be configured in the plugin's settings or via code:

add_filter(
	'rest_api_guard_anonymous_requests_denylist',
	function ( array $paths, WP_REST_Request $request ): array {
		$paths[] = 'wp/v2/user';
		$paths[] = 'custom-namespace/v1/private/*';

		return $paths;
	},
	10,
	2
);

Require JSON Web Token (JWT) Authentication for Anonymous Users

Anonymous users can be required to authenticate via a JSON Web Token (JWT) to access the REST API. Users should pass an Authorization: Bearer <token> header with their request. This can be configured in the plugin's settings or via code:

add_filter( 'rest_api_guard_authentication_jwt', fn () => true );

Out of the box, the plugin will look for a JWT in the Authorization: Bearer <token> header. The JWT will be expected to have an audience of 'wordpress-rest-api' and issuer of the site's URL. This can be configured in the plugin's settings or via code:

add_filter( 'rest_api_guard_jwt_audience', fn ( string $audience ) => 'custom-audience' );

add_filter( 'rest_api_guard_jwt_issuer', fn ( string $issuer ) => 'https://example.com' );

The JWT's secret will be autogenerated and stored in the rest_api_guard_jwt_secret option. The secret can also be filtered via code:

add_filter( 'rest_api_guard_jwt_secret', fn ( string $secret ) => 'my-custom-secret' );

Allow JWT Authentication for Authenticated Users

Authenticated users can be authenticated with the REST API via a JSON Web Token. Similar to the anonymous JWT authentication, users should pass an Authorization: Bearer <token> header with their request. This can be configured in the plugin's settings or via code:

add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );

Generating JWTs for Anonymous and Authenticated Users

JWTs can be generated by calling the wp rest-api-guard generate-jwt [--user=<user_id>] command or using the Alley\WP\REST_API_Guard\generate_jwt() method:

$jwt = \Alley\WP\REST_API_Guard\generate_jwt(
	expiration: 3600, // Optional. The expiration time in seconds from now.
	user: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
);

Testing

Run composer test to run tests against PHPUnit and the PHP code in the plugin.

Changelog

Please see CHANGELOG for more information on what has changed recently.

Credits

This project is actively maintained by Alley Interactive. Like what you see? Come work with us.

Alley logo

License

The GNU General Public License (GPL) license. Please see License File for more information.

alleyinteractive/wp-rest-api-guard 适用场景与选型建议

alleyinteractive/wp-rest-api-guard 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 4.28k 次下载、GitHub Stars 达 14, 最近一次更新时间为 2022 年 10 月 26 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「wordpress」 「wordpress-plugin」 「alleyinteractive」 「rest-api-guard」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 alleyinteractive/wp-rest-api-guard 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 alleyinteractive/wp-rest-api-guard 我们能提供哪些服务?
定制开发 / 二次开发

基于 alleyinteractive/wp-rest-api-guard 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 4.28k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 14
  • 点击次数: 14
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 14
  • Watchers: 22
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: GPL-2.0-or-later
  • 更新时间: 2022-10-26