Description
The API Bearer Auth plugin enables authentication for the REST API by using JWT access and refresh tokens. After the user logs in, the access and refresh tokens are returned and can be used for the next requests. Issued tokens can be revoked from the users admin screen. See the endpoints below.
Note that after activating this plugin, all REST API endpoints require authentication, unless the endpoint is whitelisted in the api_bearer_auth_unauthenticated_urls filter (see the FAQ for details).
JWT
Access tokens can be formatted as JWT tokens. For this to work, you first need to create a secret and add it to the wp-config.php file. If you do not do this, access tokens still work, but they are just random strings. For example, you can create a random secret like this:
base64_encode(openssl_random_pseudo_bytes(64));
Then add the result to wp-config:
define('API_BEARER_JWT_SECRET', 'mysecretkey');
If you have problems, you can verify your JWT tokens at: https://jwt.io/
Revoke tokens
This plugin adds a column to the users table where you can see when a token expires. You can also revoke tokens by selecting "Revoke API tokens" from the bulk actions dropdown.
API endpoints
Note that all endpoints expect JSON in the POST body.
Login
Endpoint:
POST /api-bearer-auth/v1/login
Request body:
Note: client_name is optional. But if you use it, make sure to use it for the refresh call as well!
{"username": "my_username", "password": "my_password", "client_name": "my_app"}
Response:
{
"wp_user": {
"data": {
"ID": 1,
"user_login": "your_user_login",
// other default WordPress user fields
}
},
"access_token": "your_access_token",
"expires_in": 86400, // number of seconds
"refresh_token": "your_refresh_token"
}
Make sure to save the access and refresh tokens!
Refresh access token
Endpoint:
POST /api-bearer-auth/v1/tokens/refresh
Request body:
Note: client_name is optional. But if you used it for the login call, make sure to use it here as well!
{"token": "your_refresh_token", "client_name": "my_app"}
Response on success:
{
"access_token": "your_new_access_token",
"expires_in": 86400
}
When a wrong refresh token is sent, the response is a 401:
{
"code": "api_api_bearer_auth_error_invalid_token",
"message": "Invalid token.",
"data": {
"status": 401
}
}
If you send an invalid access token or the user is not logged in, the response is a 401:
{
"code":
Original plugin description
The API Bearer Auth plugin enables authentication for the REST API by using JWT access and refresh tokens. After the user logs in, the access and refresh tokens are returned and can be used for the next requests. Issued tokens can be revoked from within the users admin screen. See below for the endpoints.
Note that after activating this plugin, all REST API endpoints will need to be authenticated, unless the endpoint is whitelisted in the api_bearer_auth_unauthenticated_urls filter (see FAQ for how to use this filter).
JWT
Access tokens can be formatted as JWT tokens. For this to work, you first have to create a secret and add it to the wp-config.php file. If you don’t do this, access tokens will work also, but are just random strings. To create a random secret key, you can do for example:
base64_encode(openssl_random_pseudo_bytes(64));
And then add the result to wp-config:
define('API_BEARER_JWT_SECRET', 'mysecretkey');
If you have problems, you can verify your JWT tokens at: https://jwt.io/
Revoke tokens
This plugin adds a column to the users table in the admin where you can see when a token expires. You can also revoke tokens by selecting “Revoke API tokens” from the bulk actions select box.
API endpoints
Note that all endpoints expect JSON in the POST body.
Login
Endpoint:
POST /api-bearer-auth/v1/login
Request body:
Note: client_name is optional. But if you use it, make sure to use it as well for the refresh call!
{"username": "my_username", "password": "my_password", "client_name": "my_app"}
Response:
{
"wp_user": {
"data": {
"ID": 1,
"user_login": "your_user_login",
// other default WordPress user fields
}
},
"access_token": "your_access_token",
"expires_in": 86400, // number of seconds
"refresh_token": "your_refresh_token"
}
Make sure to save the access and refresh token!
Refresh access token
Endpoint:
POST /api-bearer-auth/v1/tokens/refresh
Request body:
Note: client_name is optional. But if you did use it for the login call, make sure to use it here as well!
{"token": "your_refresh_token", "client_name": "my_app"}
Response success:
{
"access_token": "your_new_access_token",
"expires_in": 86400
}
Response when sending a wrong refresh token is a 401:
{
"code": "api_api_bearer_auth_error_invalid_token",
"message": "Invalid token.",
"data": {
"status": 401
}
}
Do a request
After you have the access token, you can make requests to authenticated endpoints with an Authorization header like this:
Authorization: Bearer your_access_token
Note that Apache sometimes strips out the Authorization header. If this is the case, make sure to add this to the .htaccess file:
RewriteCond %{HTTP:Authorization} ^(.*)
# Don't know why, but some need the line below instead of the RewriteRule line
# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
If you are not logged in or you send an invalid access token, you get a 401 response:
{
"code": "api_bearer_auth_not_logged_in",
"message": "You are not logged in.",
"data": {
"status": 401
}
}
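The login, refresh and authenticated-request flow described in the three sections above, as an added example that is not part of the plugin or this page: a small Python client that sends the documented request bodies, stores both tokens, sends the Authorization header, and refreshes once when it receives api_bearer_auth_not_logged_in. The endpoint paths and JSON shapes are the ones documented above; everything else is assumed here: the base URL is taken to already include the site's REST prefix, the transport is injectable, and make_fake_server() is a constructed stand-in for the plugin so the code runs offline. The fake treats a client_name mismatch on refresh as a wrong refresh token; the plugin's real response to a mismatch is not documented on this page.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport is (method, url, headers, body) -> (status, parsed JSON body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]

LOGIN_PATH = "/api-bearer-auth/v1/login"
REFRESH_PATH = "/api-bearer-auth/v1/tokens/refresh"


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Real HTTP transport. 4xx bodies (WP_Error JSON) are returned to the caller, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class ApiBearerAuthClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport,
                 client_name: Optional[str] = None) -> None:
        self.base_url = base_url.rstrip("/")  # assumed to include the REST prefix
        self.transport = transport
        self.client_name = client_name  # optional, but login and refresh must agree on it
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None

    def _send(self, method: str, path: str, payload: Optional[dict] = None,
              token: Optional[str] = None) -> Tuple[int, dict]:
        headers: Dict[str, str] = {}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"  # all endpoints expect JSON
            body = json.dumps(payload).encode()
        if token:
            headers["Authorization"] = "Bearer " + token
        return self.transport(method, self.base_url + path, headers, body)

    def login(self, username: str, password: str) -> dict:
        payload = {"username": username, "password": password}
        if self.client_name:
            payload["client_name"] = self.client_name
        status, data = self._send("POST", LOGIN_PATH, payload)
        if status != 200:
            raise PermissionError(data.get("code", str(status)))
        self.access_token, self.refresh_token = data["access_token"], data["refresh_token"]
        return data["wp_user"]

    def refresh(self) -> str:
        payload = {"token": self.refresh_token}
        if self.client_name:
            payload["client_name"] = self.client_name
        status, data = self._send("POST", REFRESH_PATH, payload)
        if status != 200:  # e.g. api_api_bearer_auth_error_invalid_token: wrong or revoked token
            raise PermissionError(data.get("code", str(status)))
        self.access_token = data["access_token"]
        return self.access_token

    def request(self, method: str, path: str, payload: Optional[dict] = None) -> Tuple[int, dict]:
        """Authenticated call; on api_bearer_auth_not_logged_in, refresh once and retry."""
        status, data = self._send(method, path, payload, self.access_token)
        if status == 401 and data.get("code") == "api_bearer_auth_not_logged_in" and self.refresh_token:
            self.refresh()  # raises PermissionError if the refresh token is rejected too
            status, data = self._send(method, path, payload, self.access_token)
        return status, data


def make_fake_server(base_url: str = "https://wp.example"):
    """Constructed stand-in for the plugin's endpoints (NOT the plugin's code).
    Returns its mutable state (so a caller can simulate a revoked token) and a transport."""
    state = {"access": None, "refresh": "refresh-1", "client": None, "issued": 0}
    not_logged_in = {"code": "api_bearer_auth_not_logged_in", "message": "You are not logged in.",
                     "data": {"status": 401}}
    invalid_token = {"code": "api_api_bearer_auth_error_invalid_token", "message": "Invalid token.",
                     "data": {"status": 401}}

    def issue_access() -> str:
        state["issued"] += 1
        state["access"] = f"access-{state['issued']}"
        return state["access"]

    def transport(method, url, headers, body):
        path = url[len(base_url):]
        payload = json.loads(body) if body else {}
        if path == LOGIN_PATH:
            state["client"] = payload.get("client_name")
            return 200, {"wp_user": {"data": {"ID": 1, "user_login": payload["username"]}},
                         "access_token": issue_access(), "expires_in": 86400,
                         "refresh_token": state["refresh"]}
        if path == REFRESH_PATH:
            # Simplification in this fake: a client_name mismatch counts as a wrong refresh token.
            if payload.get("token") != state["refresh"] or payload.get("client_name") != state["client"]:
                return 401, invalid_token
            return 200, {"access_token": issue_access(), "expires_in": 86400}
        if state["access"] is None or headers.get("Authorization") != f"Bearer {state['access']}":
            return 401, not_logged_in
        return 200, {"ok": True}

    return state, transport
```

Against a real site, pass the site's REST base URL and leave the default transport in place; the fake is only there to exercise the 401-then-refresh path without a WordPress install.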
Important update
Update immediately if you’re using a version below 20200807. Before this version all access tokens were updated when calling the refresh callback.
If you are affected by this the fastest solution is to execute this query:
update wp_user_tokens set access_token_valid = NOW();
This will invalidate all access tokens. This means that all users need to refresh their access token and will get a new, and this time unique, access token.
A big thank you to @harchvertelol for reporting this and suggesting the fix as well!
