Hey there! How are you today? I hope you are fine!
Ok, here is the thing: to make my app as dynamic as possible I need access to plenty of resources! What I hadn't thought about from the beginning was to go through all the available routes and endpoints and check which of them are "public" and which need authentication/authorization! Dear Lord! Here is the list of available routes (including some for a couple of useful plugins):
"routes": {
  "/": {},
  "/oembed/1.0": {},
  "/oembed/1.0/embed": {},
  "/oembed/1.0/proxy": {},
  "/akismet/v1": {},
  "/akismet/v1/key": {},
  "/akismet/v1/settings": {},
  "/akismet/v1/stats": {},
  "/akismet/v1/stats/(?P<interval>[\\w+])": {},
  "/yoast/v1": {},
  "/yoast/v1/configurator": {},
  "/yoast/v1/reindex_posts": {},
  "/yoast/v1/statistics": {},
  "/yoast/v1/ryte": {},
  "/wp/v2": {},
  "/wp/v2/posts": {},
  "/wp/v2/posts/(?P<id>[\\d]+)": {},
  "/wp/v2/posts/(?P<parent>[\\d]+)/revisions": {},
  "/wp/v2/posts/(?P<parent>[\\d]+)/revisions/(?P<id>[\\d]+)": {},
  "/wp/v2/pages": {},
  "/wp/v2/pages/(?P<id>[\\d]+)": {},
  "/wp/v2/pages/(?P<parent>[\\d]+)/revisions": {},
  "/wp/v2/pages/(?P<parent>[\\d]+)/revisions/(?P<id>[\\d]+)": {},
  "/wp/v2/media": {},
  "/wp/v2/media/(?P<id>[\\d]+)": {},
  "/wp/v2/types": {},
  "/wp/v2/types/(?P<type>[\\w-]+)": {},
  "/wp/v2/statuses": {},
  "/wp/v2/statuses/(?P<status>[\\w-]+)": {},
  "/wp/v2/taxonomies": {},
  "/wp/v2/taxonomies/(?P<taxonomy>[\\w-]+)": {},
  "/wp/v2/categories": {},
  "/wp/v2/categories/(?P<id>[\\d]+)": {},
  "/wp/v2/tags": {},
  "/wp/v2/tags/(?P<id>[\\d]+)": {},
  "/wp/v2/users": {},
  "/wp/v2/users/(?P<id>[\\d]+)": {},
  "/wp/v2/users/me": {},
  "/wp/v2/comments": {},
  "/wp/v2/comments/(?P<id>[\\d]+)": {},
  "/wp/v2/settings": {}
}
As you can see, there is a lot of stuff you can retrieve through the API. The thing is that you do not have access to all of it, and there are two reasons for this: one is that for some actions, like POST, PUT and DELETE, you need authorization, and for that you need to set up OAuth on the server side, so your application can communicate with WordPress without you giving away your credentials! At this point, there are a few more considerations:
- Do I need to use OAuth at all, since I do not intend to write, edit or delete content through my app?
- If I decide I want to use it, can I only authenticate/authorize as the WP admin, or could I create another user with fewer permissions, so no one can do harm to my website? Because if by any means someone gets hold of the OAuth credentials while I have already authorized the app (even if I hide them from GitHub and from the source), they could make a mess! No, I do not want this! So, the question is: can I authenticate as a plain user with certain permissions or not?
Re-designing
In the mockup I made I was thinking of using a picture, probably the author's avatar! But right now my route /wp/v2/users is inaccessible (I think for this one I have to "blame" shared hosting; well done for the high level of security!) and /wp/v2/settings gives me this JSON in return:
{
  "code": "rest_forbidden",
  "message": "Sorry, you are not allowed to do that.",
  "data": {
    "status": 403
  }
}
I found a workaround for not being able to access the Site Title and Tagline, though: I can find them in the root route of the API, wp-json, as name and description respectively! I hope those are the same fields! In any case, they are the same strings!
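Going through the route list by hand, as done above, does not scale, and it is easy to miss a route that answers anonymously when it should not. The following script is an added example (not code from this post and not part of WordPress): it reads the routes from a /wp-json/ index, issues an anonymous GET to every route that has no regex placeholder, buckets each one as public (200) or protected (401/403), and flags any route you expect to require authentication but that still answers 200. It also pulls name and description from the root index, which is where the title and tagline turned up. The index, the base URL https://example.invalid and the recorded status codes are constructed so the script runs offline; they mirror what the post describes (users and settings locked down, the rest readable). To run it against your own site, pass http_status instead of recorded_fetch.

```python
import urllib.error
import urllib.request

# Constructed sample of a /wp-json/ index, trimmed to the shape shown above.
# Only the route keys matter for this audit; the per-route objects are empty.
SAMPLE_INDEX = {
    "name": "Example Site",
    "description": "Just another WordPress site",
    "routes": {
        "/": {},
        "/wp/v2/posts": {},
        r"/wp/v2/posts/(?P<id>[\d]+)": {},
        "/wp/v2/users": {},
        "/wp/v2/users/me": {},
        "/wp/v2/settings": {},
    },
}

# Routes the site owner expects NOT to answer an anonymous GET with 200.
# (WordPress ships /wp/v2/users as public; the post's host has locked it down.)
EXPECTED_PROTECTED = {"/wp/v2/users", "/wp/v2/users/me", "/wp/v2/settings"}


def site_identity(index):
    """Site Title and Tagline as exposed by the root index ('name', 'description')."""
    return index.get("name"), index.get("description")


def concrete_routes(index):
    """Only routes without regex placeholders, i.e. the ones a plain GET can hit."""
    return sorted(route for route in index["routes"] if "(?P<" not in route)


def http_status(url):
    """Anonymous GET (no cookies, no auth header); returns the HTTP status code."""
    request = urllib.request.Request(url, headers={"User-Agent": "wp-rest-audit/0.1"})
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code


def classify_routes(index, base_url, fetch=http_status):
    """Probe every concrete route anonymously and bucket it by outcome.
    'fetch' is injectable so the audit can run against recorded statuses."""
    report = {"public": [], "protected": [], "other": []}
    for route in concrete_routes(index):
        status = fetch(base_url.rstrip("/") + "/wp-json" + route)
        if status == 200:
            report["public"].append(route)
        elif status in (401, 403):  # rest_not_logged_in / rest_forbidden
            report["protected"].append(route)
        else:
            report["other"].append((route, status))
    return report


def unexpected_public(report, expected_protected=EXPECTED_PROTECTED):
    """Routes that should need authentication but answered 200 anonymously."""
    return sorted(set(report["public"]) & set(expected_protected))


# Constructed statuses standing in for a live site, matching what the post
# describes: users and settings locked down, everything else readable.
RECORDED_STATUSES = {
    "/wp-json/": 200,
    "/wp-json/wp/v2/posts": 200,
    "/wp-json/wp/v2/users": 403,
    "/wp-json/wp/v2/users/me": 401,
    "/wp-json/wp/v2/settings": 403,
}
SAMPLE_BASE_URL = "https://example.invalid"


def recorded_fetch(url):
    """Offline stand-in for http_status() that replays RECORDED_STATUSES."""
    return RECORDED_STATUSES.get(url[len(SAMPLE_BASE_URL):], 404)


if __name__ == "__main__":
    # Swap recorded_fetch for http_status (and the base URL for your own site)
    # to run the audit live.
    name, tagline = site_identity(SAMPLE_INDEX)
    print(f"{name} -- {tagline}")
    result = classify_routes(SAMPLE_INDEX, SAMPLE_BASE_URL, fetch=recorded_fetch)
    for bucket, routes in result.items():
        print(f"{bucket:>9}: {routes}")
    print("unexpectedly public:", unexpected_public(result))
```

The "other" bucket is worth reading too: a 404 or 500 on a route the index advertises usually means a plugin or host rule is rewriting requests, which is exactly the kind of thing that explains a blocked /wp/v2/users.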
OAuth Authorization
Yesterday, I spent all day reading through the docs of the WP REST API about the routes and authentication and how it is to be done! Note: the docs are awfully written and confusing! I do not know why, and I am not bitching about them, but they do not look as good and professional as the WP docs in general! Some of it is deprecated, other parts are half written. Nonetheless, a man has to do what a man has to do: find his way past the problem! So, here are some resources which I found quite illuminating! The best resource out there, in my opinion, is this:
http://nobil.cc/blog/oauth-in-wp-rest-api/
This one is extensive and has some nice custom additions and photos:
The official (maybe) site is this:
And some others I found were confusing, so I leave them out! One thing to notice is that I am talking about OAuth here, although the docs mention some other plugins for the same purpose, like Application Passwords and JSON Web Tokens. That's because, let's say, this is the "official" way of doing it! Even the demo WP API site uses it, along with the Broker central application registry!
The demo website displays the users in the browser (unlike mine!): https://demo.wp-api.org/wp-json/wp/v2/users and uses the following authentication:
"authentication": {
  "oauth1": {
    "request": "https://demo.wp-api.org/oauth1/request",
    "authorize": "https://demo.wp-api.org/oauth1/authorize",
    "access": "https://demo.wp-api.org/oauth1/access",
    "version": "0.1"
  },
  "broker": "https://demo.wp-api.org/wp-json/broker/v1/connect"
}
as you can see in https://demo.wp-api.org/wp-json/. So, I think that's all you need to know about the WP REST API if you want to extend control over your WP by connecting it to a mobile app or anything else! Of course, for OAuth you need to log in with your credentials, so there is no fear of exposing any secret URLs and stuff regarding security!
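The three oauth1 URLs above are the request, authorize and access endpoints of OAuth 1.0a, and what the app actually sends to them is a signed Authorization header, not the consumer secret itself. That is the property that makes the "someone gets the credentials" worry tractable: the secret only ever enters an HMAC key. The block below is an added example, written for this post and not taken from the WP OAuth1 plugin or from the post's own app; it implements client-side RFC 5849 signing (percent-encoding, signature base string, HMAC-SHA1 key construction) and builds the header for the first step of the flow against the demo request endpoint quoted above. The consumer key and secret are constructed placeholders, the "oob" callback is an assumption, and the example builds the header without sending it, so it runs offline.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse


def oauth_encode(value):
    """RFC 5849 3.6 percent-encoding: keep only unreserved characters
    (letters, digits, '-', '.', '_', '~'), uppercase hex for the rest."""
    return urllib.parse.quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lowercase scheme/host, drop default port and query."""
    parts = urllib.parse.urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    if port and port != default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def normalize_params(pairs):
    """RFC 5849 3.4.1.3.2: encode names and values, sort by name then value."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params, body=""):
    """RFC 5849 3.4.1.1: METHOD & enc(base URI) & enc(normalized parameters).
    Parameters come from the query string, the form body and the oauth_*
    protocol parameters; oauth_signature itself is never part of the input."""
    query = urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query,
                                   keep_blank_values=True)
    form = urllib.parse.parse_qsl(body, keep_blank_values=True) if body else []
    protocol = [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = normalize_params(query + form + protocol)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)),
                     oauth_encode(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is enc(consumer secret) '&' enc(token secret);
    the token secret is empty while requesting temporary credentials."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, consumer_key, consumer_secret,
                         token="", token_secret="", body="", extra=None,
                         nonce=None, timestamp=None):
    """Build the 'Authorization: OAuth ...' header for one request.
    Nonce and timestamp are parameters only so tests can pin them."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
    }
    if token:
        params["oauth_token"] = token
    params.update(extra or {})  # e.g. oauth_callback on the request-token step
    base = signature_base_string(method, url, params, body)
    params["oauth_signature"] = sign_hmac_sha1(base, consumer_secret, token_secret)
    fields = [f'{k}="{oauth_encode(v)}"' for k, v in sorted(params.items())]
    return "OAuth " + ", ".join(fields)


# Endpoint copied from the demo site's index quoted above; the client
# credentials are constructed placeholders, not real keys.
DEMO_REQUEST_URL = "https://demo.wp-api.org/oauth1/request"
DEMO_CONSUMER_KEY = "constructed-consumer-key"
DEMO_CONSUMER_SECRET = "constructed-consumer-secret"


def request_token_header(callback="oob"):
    """Step 1 of the three-legged flow: signed POST to the request endpoint.
    No token secret exists yet, so the HMAC key ends with a bare '&'."""
    return authorization_header("POST", DEMO_REQUEST_URL, DEMO_CONSUMER_KEY,
                                DEMO_CONSUMER_SECRET,
                                extra={"oauth_callback": callback})


if __name__ == "__main__":
    print(request_token_header())
```

Two details matter for getting this to verify on a real server: the sort in normalize_params happens after encoding (so "c%40" sorts before "c2"), and the timestamp and nonce are signed, so a server that rejects replays can do so without ever seeing the consumer secret on the wire.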
Final notes
Finally, I will look into whether I can use the featured image instead of the avatar, although I do not use featured images on my posts (haha..), or leave it for now until I can think of something better! And now that I have found a way to dynamically get the title and the tagline, I need to implement these in my code! Yay!
Cheers