Merge pull request #21 from alleyinteractive/hotfix/user-endpoint

Do not check OPTIONS requests by default
alleyinteractive · Feb 28, 2024 · b037f7b · b037f7b
2 parents c8436b3 + e9051f2
commit b037f7b
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,9 +2,10 @@
 
 All notable changes to `wp-rest-guard` will be documented in this file.
 
-## v1.2.1 - 2024-02-26
+## v1.3.0 - 2024-02-27
 
-- Allow the claims to be added to added to a generated JWT via filter.
+- Allow the claims to be added to a generated JWT via filter.
+- Don't check `OPTIONS` requests by default.
 
 ## v1.2.0 - 2024-02-22
 

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # REST API Guard
 
-Stable tag: 1.2.1
+Stable tag: 1.3.0
 
 Requires at least: 6.0
 

diff --git a/plugin.php b/plugin.php
@@ -3,9 +3,9 @@
  * Plugin Name: REST API Guard
  * Plugin URI: https://github.com/alleyinteractive/wp-rest-api-guard
  * Description: Restrict and control access to the REST API
- * Version: 1.2.0
+ * Version: 1.3.0
  * Author: Sean Fisher
- * Author URI: https://alley.co/
+ * Author URI: https://alley.com/
  * Requires at least: 6.0
  * Tested up to: 6.3
  *
@@ -59,6 +59,18 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
 		$settings = [];
 	}
 
+	/**
+	 * Filters whether the REST API Guard should check OPTIONS requests.
+	 *
+	 * This is useful for CORS preflight requests.
+	 *
+	 * @param bool             $check Whether to check OPTIONS requests. Default false.
+	 * @param \WP_REST_Request $request REST API Request.
+	 */
+	if ( 'OPTIONS' === $request->get_method() && ! apply_filters( 'rest_api_guard_check_options_requests', $settings['check_options_requests'] ?? false, $request ) ) {
+		return false;
+	}
+
 	if ( class_exists( JWT::class ) ) {
 		/**
 		 * Check if the anonymous request requires a JSON Web Token (JWT).
@@ -149,9 +161,10 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
 	/**
 	 * Prevent access to the root of the REST API.
 	 *
-	 * @param bool $prevent Whether to prevent anonymous access, default false.
+	 * @param bool   $prevent Whether to allow anonymous access to the REST API index. Default false.
+	 * @param string $endpoint The endpoint of the request.
 	 */
-	if ( '/' === $endpoint && false === apply_filters( 'rest_api_guard_allow_index_access', $settings['allow_index_access'] ?? false ) ) {
+	if ( '/' === $endpoint && false === apply_filters( 'rest_api_guard_allow_index_access', $settings['allow_index_access'] ?? false, $endpoint ) ) {
 		return true;
 	}
 
@@ -171,9 +184,10 @@ function should_prevent_anonymous_access( WP_REST_Server $server, WP_REST_Reques
 	/**
 	 * Prevent access to the /wp/v2/users endpoints by default.
 	 *
-	 * @param bool $pre Whether to prevent access to the /wp/v2/users endpoints.
+	 * @param bool   $pre Whether to allow access to the /wp/v2/users endpoints.
+	 * @param string $endpoint The endpoint of the request.
 	 */
-	if ( preg_match( '#^/wp/v\d+/users($|/)#', $endpoint ) && false === apply_filters( 'rest_api_guard_allow_user_access', $settings['allow_user_access'] ?? false ) ) {
+	if ( preg_match( '#^/wp/v\d+/users($|/)#', $endpoint ) && false === apply_filters( 'rest_api_guard_allow_user_access', $settings['allow_user_access'] ?? false, $endpoint ) ) {
 		return true;
 	}
 

diff --git a/readme.txt b/readme.txt
@@ -1,5 +1,5 @@
 === REST API Guard ===
-Stable tag: 1.2.1
+Stable tag: 1.3.0
 Requires at least: 6.0
 Tested up to: 6.3
 Requires PHP: 8.0

diff --git a/settings.php b/settings.php
@@ -145,6 +145,21 @@ function on_admin_init() {
 		],
 	);
 
+	add_settings_field(
+		'check_options_requests',
+		__( 'Apply checks to OPTIONS requests', 'rest-api-guard' ),
+		__NAMESPACE__ . '\render_field',
+		SETTINGS_KEY,
+		SETTINGS_KEY,
+		[
+			'description' => __( 'Apply the same checks to OPTIONS requests as other requests.', 'rest-api-guard' ),
+			'additional'  => __( 'By default, the plugin will not apply any checks to OPTIONS requests. This setting will force the plugin to apply the same checks to OPTIONS requests as other requests. For CORS requests, this may need to be disabled to allow authentication with a JWT.', 'rest-api-guard' ),
+			'filter'      => 'rest_api_guard_check_options_requests',
+			'id'          => 'check_options_requests',
+			'type'        => 'checkbox',
+		],
+	);
+
 	add_settings_field(
 		'anonymous_requests_allowlist',
 		__( 'Anonymous Request Allowlist', 'rest-api-guard' ),
@@ -232,6 +247,7 @@ function sanitize_settings( $input ) {
 		'allow_index_access'           => ! empty( $input['allow_index_access'] ),
 		'allow_namespace_access'       => ! empty( $input['allow_namespace_access'] ),
 		'allow_user_access'            => ! empty( $input['allow_user_access'] ),
+		'check_options_requests'       => ! empty( $input['check_options_requests'] ),
 		'anonymous_requests_allowlist' => ! empty( $input['anonymous_requests_allowlist'] ) ? sanitize_textarea_field( $input['anonymous_requests_allowlist'] ) : '',
 		'anonymous_requests_denylist'  => ! empty( $input['anonymous_requests_denylist'] ) ? sanitize_textarea_field( $input['anonymous_requests_denylist'] ) : '',
 		'authentication_jwt'           => ! empty( $input['authentication_jwt'] ),

diff --git a/tests/RestApiGuardTest.php b/tests/RestApiGuardTest.php
@@ -121,6 +121,42 @@ public function test_prevent_anonymous_access_settings() {
 		$this->get( rest_url( '/wp/v2/tags' ) )->assertUnauthorized();
 	}
 
+	public function test_check_options_requests() {
+		$this->expectApplied( 'rest_api_guard_check_options_requests' )->times( 3 );
+
+		// Check the default settings.
+		update_option(
+			SETTINGS_KEY,
+			[
+				'prevent_anonymous_access' => true,
+			]
+		);
+
+		$this->options( rest_url( '/wp/v2/categories' ) )->assertOk();
+		$this->get( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();
+
+		update_option(
+			SETTINGS_KEY,
+			[
+				'prevent_anonymous_access' => true,
+				'check_options_requests'   => true,
+			]
+		);
+
+		$this->options( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();
+
+		update_option(
+			SETTINGS_KEY,
+			[
+				'prevent_anonymous_access' => true,
+			]
+		);
+
+		add_filter( 'rest_api_guard_check_options_requests', fn () => true );
+
+		$this->options( rest_url( '/wp/v2/categories' ) )->assertUnauthorized();
+	}
+
 	public function test_prevent_access_allowlist_code() {
 		$this->get( rest_url( '/wp/v2/categories' ) )->assertOk();