Integrate WordPress wp_signon function with PDA Gold

One of our customers is using WordPress to manage and edit the content. However, he wants to get the page content via the WordPress REST API and render it in the frontend with JavaScript.

What’s more, the customer wants to protect some PDF files that will only be available in a private area created using a Custom Post Type (CPT). Here’s the basic flow:

  • The client logs in with a normal username and password
  • A token and user ID are needed to return the CPT content. This token is sent after successful login and valid only for one session.
  • After that, the client should be an active user of each child site to receive the CPT.

Our PDA Gold needs to understand this token so that the client users can access the protected files accordingly.

In this tutorial, we are going to show you how to achieve that.

1. Authentication API

The customer uses the default WordPress authentication function, i.e. wp_signon, to send a token to the client, together with some user data needed in the frontend.

public function pda_auth( $request ) {
  // Credentials posted by the client in the request body.
  $data                   = $request->get_body_params();
  $creds                  = array();
  $creds['user_login']    = $data['username'];
  $creds['user_password'] = $data['password'];
  $creds['remember']      = true;
  $user                   = wp_signon( $creds, false );

  // Invalid credentials: return the error message from wp_signon.
  if ( is_wp_error( $user ) ) {
     return $user->get_error_message();
  }

  // Generate a token and store it in user meta for later lookups.
  $token = wp_hash( $user->ID . '-' . time(), 'auth' );
  update_user_meta( $user->ID, 'pda_auth_token', $token );

  return array(
     'user_id' => $user->ID,
     'token'   => $token,
  );
}

In this API, we receive the user’s credentials sent from the client. With the help of the WordPress wp_signon function, we validate the username and password, then return the user’s information. After that, a token is generated by the wp_hash function and stored in user meta under the pda_auth_token key.

We’re using Postman for testing purposes.

2. Client requests protected files

In this section, we will handle the pda_custom_handle_protected_file hook to get the user ID from the token in the client's X-TOKEN request header. Once a valid ID is set, our File Access Permission feature will work correctly.

add_filter( 'pda_custom_handle_protected_file', 'handle_auth_token', 10, 2 );

function handle_auth_token() {
  // Get HTTP Request Headers.
  if ( ! function_exists( 'getallheaders' ) ) {
     // $this->pda_getallheaders() requires this callback to be a method
     // of the class that defines it.
     $headers = $this->pda_getallheaders();
  } else {
     $headers = getallheaders();
  }

  // Do nothing if the header does not have X-TOKEN.
  if ( ! isset( $headers['X-TOKEN'] ) ) {
     return;
  }

  // Try to get users by token stored in user_meta.
  $token   = $headers['X-TOKEN'];
  $results = get_users( array(
     'meta_key'   => 'pda_auth_token',
     'meta_value' => $token,
     'fields'     => 'ID',
  ) );

  // Cannot find any users then do nothing.
  if ( empty( $results ) ) {
     return;
  }

  $user_id = $results[0];

  // Set current user ID to current request.
  wp_set_current_user( $user_id );
}
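
A variant of the two snippets above, added here as an example and not PDA Gold's own code: the token comes from random_bytes, only its SHA-256 hash is kept in user meta, it expires, and the header is read from $_SERVER so the lookup does not depend on the header's letter case. The pda_example_* names, the two meta keys and the one-hour lifetime are assumptions.

```php
<?php
// Added example: runs inside WordPress (e.g. a small plugin file).
// The pda_example_* function names, both meta keys and the one-hour lifetime
// are hypothetical choices, not PDA Gold settings.

// Issue a token after wp_signon() succeeds; only its SHA-256 hash is stored.
function pda_example_issue_token( $user_id ) {
  $token = bin2hex( random_bytes( 32 ) ); // 256 random bits, 64 hex chars.
  update_user_meta( $user_id, 'pda_example_token_hash', hash( 'sha256', $token ) );
  update_user_meta( $user_id, 'pda_example_token_expires', time() + HOUR_IN_SECONDS );
  return $token;
}

// Map a presented token to a user ID, or 0 if unknown, malformed or expired.
function pda_example_user_from_token( $token ) {
  if ( ! is_string( $token ) || ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
     return 0;
  }
  $ids = get_users( array(
     'meta_key'   => 'pda_example_token_hash',
     'meta_value' => hash( 'sha256', $token ),
     'fields'     => 'ID',
     'number'     => 2,
  ) );
  if ( 1 !== count( $ids ) ) {
     return 0; // No match (or an ambiguous one): treat as unauthenticated.
  }
  $user_id = (int) $ids[0];
  $expires = (int) get_user_meta( $user_id, 'pda_example_token_expires', true );
  if ( $expires < time() ) {
     // Expired: clear the stored hash so the token cannot be replayed later.
     delete_user_meta( $user_id, 'pda_example_token_hash' );
     delete_user_meta( $user_id, 'pda_example_token_expires' );
     return 0;
  }
  return $user_id;
}

// Same hook as above. PHP exposes the X-TOKEN header as HTTP_X_TOKEN
// whatever letter case the client used.
function pda_example_handle_auth_token() {
  $token   = isset( $_SERVER['HTTP_X_TOKEN'] ) ? $_SERVER['HTTP_X_TOKEN'] : '';
  $user_id = pda_example_user_from_token( $token );
  if ( $user_id ) {
     wp_set_current_user( $user_id );
  }
}
add_filter( 'pda_custom_handle_protected_file', 'pda_example_handle_auth_token' );
```

In the authentication API, pda_example_issue_token( $user->ID ) would take the place of the wp_hash and update_user_meta lines.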