• Resolved mcsr

    (@mcsr)


    Hi there,

    First of all: Thanks for this awesome and free plugin!

    On my WordPress site I have blocked public REST API access, which means that only authenticated WordPress users should be able to query the API. Unfortunately, the WP REST Cache plugin also returns cached content for unauthenticated users. So for example, if the REST cache is cleared and I send a request to an API route as an authenticated user, the returned content gets cached (so far so good). But if an unauthenticated user then requests the same route, he will get the cached content, even though he is not authenticated. This means that private content could be exposed.

    Is there a way to check whether the user is authenticated or not before returning cached content, or to respect protected/unprotected API routes?

Viewing 1 replies (of 1 total)
  • Plugin Author Richard Korthuis

    (@rockfire)

    Hi @mcsr

    Thank you for using our plugin!

    Yes, your issue is caused by the way our plugin works: if a call to the API is done, before any other code is executed, our plugin checks if a cache record is available for the current request. Now if a cache record is available it is returned and no other code is executed. So if later on there is an authentication check, that is also not executed. This is also why our plugin doesn’t cache any calls that have a nonce in their header, just to prevent caching of authenticated endpoints.

    You can have our plugin cache requests with a nonce using the filter wp_rest_cache/skip_nonce_caching. See my reply in a previous topic about how to use it. You could also use this filter to check authentication first and return the cached record only if the user is authenticated. I have explained this in that reply as well.
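
The check the plugin author describes, written out as an added example (this is not code from the plugin or from either poster). It assumes that the `wp_rest_cache/skip_nonce_caching` filter receives a boolean and that returning `true` tells the plugin to go ahead and cache or serve a request that carries a REST nonce, as the reply says; any further filter parameters are unknown here and not used. It also assumes the site blocks anonymous REST access with the standard `rest_authentication_errors` filter, as the question describes. Drop it in as a must-use plugin (`wp-content/mu-plugins/private-rest-cache-guard.php`, a name chosen for this example):

```php
<?php
/**
 * Plugin Name: Private REST cache guard (added example)
 *
 * Assumptions (not verified against the plugin source):
 *  - 'wp_rest_cache/skip_nonce_caching' passes a bool; returning true allows
 *    caching/serving of a request that carries a REST nonce.
 *  - The REST API is private: anonymous requests must be rejected.
 */

/**
 * Reject anonymous REST requests. This is the "blocked public REST API
 * access" setup from the question; it runs during REST authentication,
 * which is later than the cache lookup, hence the second hook below.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
	// Another callback already decided (error or explicit true): keep it.
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			'The REST API on this site is limited to authenticated users.',
			array( 'status' => 401 )
		);
	}
	return $result;
} );

/**
 * Return true only when the current request is genuinely authenticated:
 * a logged-in user AND a valid REST nonce (action 'wp_rest') in either the
 * X-WP-Nonce header or the _wpnonce query parameter. Anything else keeps
 * the filter's default, i.e. the request is not cached/served from cache.
 */
function prcg_request_is_authenticated( $default = false ) {
	if ( ! is_user_logged_in() ) {
		return $default;
	}

	$nonce = '';
	if ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
		$nonce = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_WP_NONCE'] ) );
	} elseif ( isset( $_GET['_wpnonce'] ) ) {
		$nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
	}

	// wp_verify_nonce() returns 1 or 2 on success, false otherwise.
	if ( '' === $nonce || false === wp_verify_nonce( $nonce, 'wp_rest' ) ) {
		return $default;
	}

	return true;
}
add_filter( 'wp_rest_cache/skip_nonce_caching', 'prcg_request_is_authenticated' );
```

Two caveats a practitioner should keep in mind. First, this filter only governs requests that carry a nonce; a cookie-authenticated browser request without a nonce, and an anonymous request, do not pass through it, so the original problem (an anonymous request being served a record created by an authenticated one) is not closed by this hook alone. Second, verify the behaviour rather than assuming it: clear the cache, fetch a route once while logged in, then fetch the same route anonymously (a plain `curl` with no cookies) and confirm you get a 401 and not the cached body.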


The topic ‘Public/Private API endpoints not respected’ is closed to new replies.