Changeset 3040295

Timestamp:

02/23/2024 02:39:13 PM (5 months ago)

Author:

sean212

Message:

Update to version 1.2.0 from GitHub

Location:

rest-api-guard

Files:

• tags/1.2.0 (copied) (copied from rest-api-guard/trunk)
• tags/1.2.0/.distignore (modified) (2 diffs)
• tags/1.2.0/.git (deleted)
• tags/1.2.0/.gitignore (modified) (1 diff)
• tags/1.2.0/CHANGELOG.md (modified) (1 diff)
• tags/1.2.0/README.md (modified) (5 diffs)
• tags/1.2.0/cli.php (modified) (1 diff)
• tags/1.2.0/composer.json (modified) (2 diffs)
• tags/1.2.0/plugin.php (modified) (5 diffs)
• tags/1.2.0/readme.txt (modified) (3 diffs)
• tags/1.2.0/settings.php (modified) (4 diffs)
• tags/1.2.0/vendor/autoload.php (modified) (1 diff)
• tags/1.2.0/vendor/composer/autoload_real.php (modified) (2 diffs)
• tags/1.2.0/vendor/composer/autoload_static.php (modified) (2 diffs)
• tags/1.2.0/vendor/composer/installed.php (modified) (2 diffs)
• trunk/.distignore (modified) (2 diffs)
• trunk/.git (deleted)
• trunk/.gitignore (modified) (1 diff)
• trunk/CHANGELOG.md (modified) (1 diff)
• trunk/README.md (modified) (5 diffs)
• trunk/cli.php (modified) (1 diff)
• trunk/composer.json (modified) (2 diffs)
• trunk/plugin.php (modified) (5 diffs)
• trunk/readme.txt (modified) (3 diffs)
• trunk/settings.php (modified) (4 diffs)
• trunk/vendor/autoload.php (modified) (1 diff)
• trunk/vendor/composer/autoload_real.php (modified) (2 diffs)
• trunk/vendor/composer/autoload_static.php (modified) (2 diffs)
• trunk/vendor/composer/installed.php (modified) (2 diffs)

rest-api-guard/tags/1.2.0/.distignore

@@ +1 @@
+
 .DS_Store
 Thumbs.db
@@ -21 +22 @@
 Makefile
 .github
+

rest-api-guard/tags/1.2.0/.gitignore

@@ +1 @@
+
 .DS_Store
 Thumbs.db

rest-api-guard/tags/1.2.0/CHANGELOG.md

@@ -2 +2 @@
 
 All notable changes to `wp-rest-guard` will be documented in this file.
+
+
+
+
+
+
 
 ## v1.1.1 - 2024-01-15

rest-api-guard/tags/1.2.0/README.md

@@ -1 +1 @@
 # REST API Guard
 
-Stable tag: 1.1.2
+Stable tag: 1.
 
 Requires at least: 6.0
@@ -57 +57 @@
 ### Preventing Access to Index (`/`) or Namespace Endpoints (`wp/v2`)
 
-To prevent anonymous users from browing your site and discovering what plugins/post types are setup, the plugin restricts access to the index (`/`) and namespace (`wp/v2`) endpoints. This can be prevented in the plugin's settings or via code:
+To prevent anonymous users from browup, the plugin restricts access to the index (`/`) and namespace (`wp/v2`) endpoints. This can be prevented in the plugin's settings or via code:
 
 ```php
@@ -119 +119 @@
 ```
 
-### Require JSON Web Token (JWT) Authentication
+### Require JSON Web Token (JWT) Authentication
 
 Anonymous users can be required to authenticate via a JSON Web Token (JWT) to
-access the REST API. This can be configured in the plugin's settings or via
-code:
+access the REST API. 
+code:
 
 ```php
@@ -135 +135 @@
 
 ```php
-add_filter(
-    'rest_api_guard_jwt_audience',
-    function ( string $audience ): string {
-        return 'custom-audience';
-    }
-);
+add_filter( 'rest_api_guard_jwt_audience', fn ( string $audience ) => 'custom-audience' );
 
-add_filter(
-    'rest_api_guard_jwt_issuer',
-    function ( string $issuer ): string {
-        return 'https://example.com';
-    }
-);
+add_filter( 'rest_api_guard_jwt_issuer', fn ( string $issuer ) => 'https://example.com' );
 ```
 
@@ -154 +144 @@
 
 ```php
-add_filter(
-    'rest_api_guard_jwt_secret',
-    function ( string $secret ): string {
-        return 'my-custom-secret';
-    }
+add_filter( 'rest_api_guard_jwt_secret', fn ( string $secret ) => 'my-custom-secret' );
+```
+
+### Allow JWT Authentication for Authenticated Users
+
+Authenticated users can be authenticated with the REST API via a JSON Web Token.
+Similar to the anonymous JWT authentication, users should pass an
+`Authorization: Bearer <token>` header with their request. This can be
+configured in the plugin's settings or via code:
+
+```php
+add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );
+```
+
+### Generating JWTs for Anonymous and Authenticated Users
+
+JWTs can be generated by calling the `wp rest-api-guard generate-jwt [--user=<user_id>]`
+command or using the `Alley\WP\REST_API_Guard\generate_jwt()` method:
+
+```php
+$jwt = \Alley\WP\REST_API_Guard\generate_jwt(
+    expiration: 3600, // Optional. The expiration time in seconds from now.
+    user: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
 );
 ```
-
-You can generate a JWT for use with the REST API by calling the
-`wp rest-api-guard generate-jwt` command.
 
 ## Testing

rest-api-guard/tags/1.2.0/cli.php

@@ -10 +10 @@
 WP_CLI::add_command(
     'rest-api-guard generate-jwt',
-    function () {
-        echo generate_jwt() . PHP_EOL; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+    function ( $args, $assoc_args ) {
+        $expiration = isset( $assoc_args['expiration'] ) ? (int) $assoc_args['expiration'] : null;
+        $user       = isset( $assoc_args['user'] ) ? (int) $assoc_args['user'] : null;
+
+        echo generate_jwt( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+            expiration: $expiration,
+            user: $user,
+        ) . PHP_EOL;
     },
     [
         'shortdesc' => __( 'Generate a JSON Web Token (JWT).', 'rest-api-guard' ),
-    ]
+        'synopsis'  => '[--expiration=<expiration>] [--user=<user>]',
+    ],
 );

rest-api-guard/tags/1.2.0/composer.json

@@ -24 +24 @@
         "alleyinteractive/alley-coding-standards": "^2.0",
         "alleyinteractive/composer-wordpress-autoloader": "^1.0",
-        "mantle-framework/testkit": "^0.7",
-        "nunomaduro/collision": "^5.0"
+        "mantle-framework/testkit": "^1.0"
     },
     "config": {
@@ -32 +31 @@
             "dealerdirect/phpcodesniffer-composer-installer": true,
             "pestphp/pest-plugin": true
-        },
-        "platform": {
-            "php": "8.0"
         },
         "sort-packages": true

rest-api-guard/tags/1.2.0/plugin.php

@@ -4 +4 @@
  * Plugin URI: https://github.com/alleyinteractive/wp-rest-api-guard
  * Description: Restrict and control access to the REST API
- * Version: 1.1.2
+ * Version: 1.
  * Author: Sean Fisher
  * Author URI: https://alley.co/
@@ -24 +24 @@
 use WP_REST_Request;
 use WP_REST_Server;
+
 
 if ( ! defined( 'ABSPATH' ) ) {
@@ -59 +60 @@
     }
 
-    /**
-     * Check if the anonymous request requires a JSON Web Token (JWT).
-     *
-     * @param bool             $require Whether to require a JWT, default false.
-     * @param \WP_REST_Request $request REST API Request.
-     */
-    if ( class_exists( JWT::class ) && true === apply_filters( 'rest_api_guard_authentication_jwt', $settings['authentication_jwt'] ?? false, $request ) ) {
-        try {
-            $jwt = $request->get_header( 'Authorization' );
-
-            if ( empty( $jwt ) ) {
-                throw new InvalidArgumentException( __( 'No authorization header was found.', 'rest-api-guard' ) );
-            }
-
-            if ( 0 !== strpos( $jwt, 'Bearer ' ) ) {
-                throw new InvalidArgumentException( __( 'Invalid authorization header.', 'rest-api-guard' ) );
-            }
-
-            $decoded = JWT::decode(
-                substr( $jwt, 7 ),
-                new Key( get_jwt_secret(), 'HS256' ),
-            );
-
-            // Verify the contents of the JWT.
-            if ( empty( $decoded->iss ) || get_jwt_issuer() !== $decoded->iss ) {
-                throw new InvalidArgumentException( __( 'Invalid JWT issuer.', 'rest-api-guard' ) );
-            }
-
-            if ( empty( $decoded->aud ) || get_jwt_audience() !== $decoded->aud ) {
-                throw new InvalidArgumentException( __( 'Invalid JWT audience.', 'rest-api-guard' ) );
-            }
-        } catch ( \Exception $error ) {
-            return new WP_Error(
-                'rest_api_guard_unauthorized',
-                /**
-                 * Filter the authorization error message.
-                 *
-                 * @param string     $message The error message.
-                 * @param \Throwable $error The error that occurred.
-                 */
-                apply_filters(
-                    'rest_api_guard_invalid_jwt_message',
-                    __( 'Invalid authorization header.', 'rest-api-guard' ),
-                    $error,
-                ),
-                [
-                    'status' => rest_authorization_required_code(),
-                ]
-            );
+    if ( class_exists( JWT::class ) ) {
+        /**
+         * Check if the anonymous request requires a JSON Web Token (JWT).
+         *
+         * @param bool             $require Whether to require a JWT, default false.
+         * @param \WP_REST_Request $request REST API Request.
+         */
+        $require_anonymous_jwt = true === apply_filters( 'rest_api_guard_authentication_jwt', $settings['authentication_jwt'] ?? false, $request );
+        $allow_user_jwt        = true === apply_filters( 'rest_api_guard_user_authentication_jwt', $settings['user_authentication_jwt'] ?? false, $request );
+
+        if ( $require_anonymous_jwt || $allow_user_jwt ) {
+            try {
+                $jwt = $request->get_header( 'Authorization' );
+
+                if ( empty( $jwt ) && $require_anonymous_jwt ) {
+                    throw new InvalidArgumentException( __( 'No authorization header token was found and is required for this request.', 'rest-api-guard' ) );
+                }
+
+                if ( ! empty( $jwt ) ) {
+                    if ( 0 !== strpos( $jwt, 'Bearer ' ) ) {
+                        throw new InvalidArgumentException( __( 'Invalid authorization header.', 'rest-api-guard' ) );
+                    }
+
+                    $decoded = JWT::decode(
+                        substr( $jwt, 7 ),
+                        new Key( get_jwt_secret(), 'HS256' ),
+                    );
+
+                    // Verify the contents of the JWT.
+                    if ( empty( $decoded->iss ) || get_jwt_issuer() !== $decoded->iss ) {
+                        throw new InvalidArgumentException( __( 'Invalid JWT issuer.', 'rest-api-guard' ) );
+                    }
+
+                    if ( empty( $decoded->aud ) || get_jwt_audience() !== $decoded->aud ) {
+                        throw new InvalidArgumentException( __( 'Invalid JWT audience.', 'rest-api-guard' ) );
+                    }
+
+                    if ( $allow_user_jwt && ! empty( $decoded->sub ) ) {
+                        $user = get_user_by( 'id', $decoded->sub );
+
+                        if ( ! $user instanceof WP_User ) {
+                            throw new InvalidArgumentException( __( 'Invalid user in JWT sub.', 'rest-api-guard' ) );
+                        }
+
+                        wp_set_current_user( $user->ID );
+
+                        return false;
+                    }
+                }
+            } catch ( \Exception $error ) {
+                return new WP_Error(
+                    'rest_api_guard_unauthorized',
+                    /**
+                     * Filter the authorization error message.
+                     *
+                     * @param string     $message The error message being returned.
+                     * @param \Throwable $error The error that occurred.
+                     */
+                    apply_filters(
+                        'rest_api_guard_invalid_jwt_message',
+                        sprintf(
+                            /* translators: %s: The error message. */
+                            __( 'Error authentication with token: %s', 'rest-api-guard' ),
+                            $error->getMessage(),
+                        ),
+                        $error,
+                    ),
+                    [
+                        'status' => rest_authorization_required_code(),
+                    ]
+                );
+            }
         }
     }
@@ -284 +308 @@
     // Generate the JWT secret if it does not exist.
     if ( empty( get_option( 'rest_api_guard_jwt_secret' ) ) ) {
-        update_option( 'rest_api_guard_jwt_secret', wp_generate_password( 12, false ) );
+        update_option( 'rest_api_guard_jwt_secret', wp_generate_password( 2, false ) );
     }
 
@@ -298 +322 @@
  * Generate a JSON Web Token (JWT).
  *
+
+
+
+
  * @return string
- */
-function generate_jwt(): string {
-    return JWT::encode(
-        [
-            'iss' => get_jwt_issuer(),
-            'aud' => get_jwt_audience(),
-            'iat' => time(),
-        ],
-        get_jwt_secret(),
-        'HS256'
-    );
+ *
+ * @throws InvalidArgumentException If the user is invalid or unknown.
+ */
+function generate_jwt( ?int $expiration = null, WP_User|int|null $user = null ): string {
+    $payload = [
+        'iss' => get_jwt_issuer(),
+        'aud' => get_jwt_audience(),
+        'iat' => time(),
+    ];
+
+    if ( null !== $expiration ) {
+        $payload['exp'] = time() + $expiration;
+    }
+
+    if ( null !== $user ) {
+        $user = $user instanceof WP_User ? $user : get_user_by( 'id', $user );
+
+        if ( ! $user instanceof WP_User ) {
+            throw new InvalidArgumentException( esc_html__( 'Invalid user.', 'rest-api-guard' ) );
+        }
+
+        $payload['sub']        = $user->ID;
+        $payload['user_login'] = $user->user_login;
+    }
+
+    return JWT::encode( $payload, get_jwt_secret(), 'HS256' );
 }
 

rest-api-guard/tags/1.2.0/readme.txt

@@ -1 +1 @@
 === REST API Guard ===
-Stable tag: 1.1.2
+Stable tag: 1.
 Requires at least: 6.0
 Tested up to: 6.3
@@ -72 +72 @@
 ### Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)
 
-Anonymous users can be restricted from specific namespaces/routes. This acts as a denylist for specific paths that an anonymous user cannot access. The paths support regular expressions for matching. The use of the [Allowlist](#limit-anonymous-access-to-specific-namespacesroutes-allowlist) takes priority over this denylist. This can be configured in the plugin's settings or via code:
+Anonymous users can be restricted from specific namespaces/routes. This acts as
+a denylist for specific paths that an anonymous user cannot access. The paths
+support regular expressions for matching. The use of the allowlist takes
+priority over this denylist. This can be configured in the plugin's settings or
+via code:
 
     add_filter(
@@ -89 +93 @@
 
 Anonymous users can be required to authenticate via a JSON Web Token (JWT) to
-access the REST API. This can be configured in the plugin's settings or via
-code:
+access the REST API. 
+code:
 
-```php
-add_filter( 'rest_api_guard_authentication_jwt', fn () => true );
-```
+    add_filter( 'rest_api_guard_authentication_jwt', fn () => true );
 
 Out of the box, the plugin will look for a JWT in the `Authorization: Bearer
-<token>` header. The JWT will be expected to have an audience of 'wordpress-rest-api' and issuer of the site's URL. This can be configured in the plugin's settings or via code:
+<token>` header. The JWT will be expected to have an audience of
+'wordpress-rest-api' and issuer of the site's URL. This can be configured in the
+plugin's settings or via code:
 
-```php
-add_filter(
-    'rest_api_guard_jwt_audience',
-    function ( string $audience ): string {
-        return 'custom-audience';
-    }
-);
+    add_filter(
+        'rest_api_guard_jwt_audience',
+        function ( string $audience ): string {
+            return 'custom-audience';
+        }
+    );
 
-add_filter(
-    'rest_api_guard_jwt_issuer',
-    function ( string $issuer ): string {
-        return 'https://example.com';
-    }
-);
-```
+    add_filter(
+        'rest_api_guard_jwt_issuer',
+        function ( string $issuer ): string {
+            return 'https://example.com';
+        }
+    );
 
 The JWT's secret will be autogenerated and stored in the database in the
 `rest_api_guard_jwt_secret` option. The secret can also be changed via code:
 
-```php
-add_filter(
-    'rest_api_guard_jwt_secret',
-    function ( string $secret ): string {
-        return 'my-custom-secret';
-    }
-);
-```
+    add_filter(
+        'rest_api_guard_jwt_secret',
+        function ( string $secret ): string {
+            return 'my-custom-secret';
+        }
+    );
 
-You can generate a JWT for use with the REST API by calling the
-`wp rest-api-guard generate-jwt` command.
+### Allow JWT Authentication for Authenticated Users
+
+Authenticated users can be authenticated with the REST API via a JSON Web Token.
+Similar to the anonymous JWT authentication, users should pass an
+`Authorization: Bearer <token>` header with their request. This can be
+configured in the plugin's settings or via code:
+
+    add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );
+
+### Generating JWTs for Anonymous and Authenticated Users
+
+JWTs can be generated by calling the
+`wp rest-api-guard generate-jwt [--user=<user_id>]` command or using the
+`Alley\WP\REST_API_Guard\generate_jwt()` method:
+
+    $jwt = \Alley\WP\REST_API_Guard\generate_jwt(
+        expiration: 3600, // Optional. The expiration time in seconds from now.
+        user: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
+    );

rest-api-guard/tags/1.2.0/settings.php

@@ -28 +28 @@
  */
 function on_admin_menu() {
+
+
+
+
+
+
+
+
+
     add_options_page(
         __( 'REST API Guard', 'rest-api-guard' ),
@@ -176 +185 @@
                 'additional'  => sprintf(
                     /* translators: 1: The JWT audience. 2: The JWT issuer. */
-                    __( 'When enabled, the plugin will require anonymous users to pass an "Authorization: Bearer <token>" with the token being a valid JSON Web Token (JWT). The plugin will be expecting a JWT with an audience of "%1$s", issuer of "%2$s", and secret that matches the value of the "rest_api_guard_jwt_secret" option.', 'rest-api-guard' ),
+                    __( 'When enabled, the plugin will require anonymous users to pass an "Authorization: Bearer <token>" with the token being a valid JSON Web Token (JWT). The plugin will be expecting a JWT with an audience of "%1$s", issuer of "%2$s", and secret that matches the value of the "rest_api_guard_jwt_secret" option.', 'rest-api-guard' ),
                     get_jwt_audience(),
                     get_jwt_issuer(),
@@ -185 +194 @@
             ],
         );
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     }
 }
@@ -206 +235 @@
         'anonymous_requests_allowlist' => ! empty( $input['anonymous_requests_allowlist'] ) ? sanitize_textarea_field( $input['anonymous_requests_allowlist'] ) : '',
         'anonymous_requests_denylist'  => ! empty( $input['anonymous_requests_denylist'] ) ? sanitize_textarea_field( $input['anonymous_requests_denylist'] ) : '',
+
+
     ];
 }

rest-api-guard/tags/1.2.0/vendor/autoload.php

@@ -23 +23 @@
 require_once __DIR__ . '/composer/autoload_real.php';
 
-return ComposerAutoloaderInitb3808e08bff289327297fb981027fb31::getLoader();
+return ComposerAutoloaderInit::getLoader();

rest-api-guard/tags/1.2.0/vendor/composer/autoload_real.php

@@ -3 +3 @@
 // autoload_real.php @generated by Composer
 
-class ComposerAutoloaderInitb3808e08bff289327297fb981027fb31
+class ComposerAutoloaderInit
 {
     private static $loader;
@@ -25 +25 @@
         require __DIR__ . '/platform_check.php';
 
-        spl_autoload_register(array('ComposerAutoloaderInitb3808e08bff289327297fb981027fb31', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit', 'loadClassLoader'), true, true);
         self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(__DIR__));
-        spl_autoload_unregister(array('ComposerAutoloaderInitb3808e08bff289327297fb981027fb31', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit', 'loadClassLoader'));
 
         require __DIR__ . '/autoload_static.php';
-        call_user_func(\Composer\Autoload\ComposerStaticInitb3808e08bff289327297fb981027fb31::getInitializer($loader));
+        call_user_func(\Composer\Autoload\ComposerStaticInit::getInitializer($loader));
 
         $loader->register(true);

rest-api-guard/tags/1.2.0/vendor/composer/autoload_static.php

@@ -5 +5 @@
 namespace Composer\Autoload;
 
-class ComposerStaticInitb3808e08bff289327297fb981027fb31
+class ComposerStaticInit
 {
     public static $prefixLengthsPsr4 = array (
@@ -28 +28 @@
     {
         return \Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInitb3808e08bff289327297fb981027fb31::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInitb3808e08bff289327297fb981027fb31::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInitb3808e08bff289327297fb981027fb31::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit::$prefixDirsPsr4;
+            $loader->classMap = ComposerStaticInit::$classMap;
 
         }, null, ClassLoader::class);

rest-api-guard/tags/1.2.0/vendor/composer/installed.php

@@ -4 +4 @@
         'pretty_version' => '1.0.0+no-version-set',
         'version' => '1.0.0.0',
-        'reference' => NULL,
+        'reference' => ,
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -14 +14 @@
             'pretty_version' => '1.0.0+no-version-set',
             'version' => '1.0.0.0',
-            'reference' => NULL,
+            'reference' => ,
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',

rest-api-guard/trunk/.distignore

@@ +1 @@
+
 .DS_Store
 Thumbs.db
@@ -21 +22 @@
 Makefile
 .github
+

rest-api-guard/trunk/.gitignore

@@ +1 @@
+
 .DS_Store
 Thumbs.db

rest-api-guard/trunk/CHANGELOG.md

@@ -2 +2 @@
 
 All notable changes to `wp-rest-guard` will be documented in this file.
+
+
+
+
+
+
 
 ## v1.1.1 - 2024-01-15

rest-api-guard/trunk/README.md

@@ -1 +1 @@
 # REST API Guard
 
-Stable tag: 1.1.2
+Stable tag: 1.
 
 Requires at least: 6.0
@@ -57 +57 @@
 ### Preventing Access to Index (`/`) or Namespace Endpoints (`wp/v2`)
 
-To prevent anonymous users from browing your site and discovering what plugins/post types are setup, the plugin restricts access to the index (`/`) and namespace (`wp/v2`) endpoints. This can be prevented in the plugin's settings or via code:
+To prevent anonymous users from browup, the plugin restricts access to the index (`/`) and namespace (`wp/v2`) endpoints. This can be prevented in the plugin's settings or via code:
 
 ```php
@@ -119 +119 @@
 ```
 
-### Require JSON Web Token (JWT) Authentication
+### Require JSON Web Token (JWT) Authentication
 
 Anonymous users can be required to authenticate via a JSON Web Token (JWT) to
-access the REST API. This can be configured in the plugin's settings or via
-code:
+access the REST API. 
+code:
 
 ```php
@@ -135 +135 @@
 
 ```php
-add_filter(
-    'rest_api_guard_jwt_audience',
-    function ( string $audience ): string {
-        return 'custom-audience';
-    }
-);
+add_filter( 'rest_api_guard_jwt_audience', fn ( string $audience ) => 'custom-audience' );
 
-add_filter(
-    'rest_api_guard_jwt_issuer',
-    function ( string $issuer ): string {
-        return 'https://example.com';
-    }
-);
+add_filter( 'rest_api_guard_jwt_issuer', fn ( string $issuer ) => 'https://example.com' );
 ```
 
@@ -154 +144 @@
 
 ```php
-add_filter(
-    'rest_api_guard_jwt_secret',
-    function ( string $secret ): string {
-        return 'my-custom-secret';
-    }
+add_filter( 'rest_api_guard_jwt_secret', fn ( string $secret ) => 'my-custom-secret' );
+```
+
+### Allow JWT Authentication for Authenticated Users
+
+Authenticated users can be authenticated with the REST API via a JSON Web Token.
+Similar to the anonymous JWT authentication, users should pass an
+`Authorization: Bearer <token>` header with their request. This can be
+configured in the plugin's settings or via code:
+
+```php
+add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );
+```
+
+### Generating JWTs for Anonymous and Authenticated Users
+
+JWTs can be generated by calling the `wp rest-api-guard generate-jwt [--user=<user_id>]`
+command or using the `Alley\WP\REST_API_Guard\generate_jwt()` method:
+
+```php
+$jwt = \Alley\WP\REST_API_Guard\generate_jwt(
+    expiration: 3600, // Optional. The expiration time in seconds from now.
+    user: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
 );
 ```
-
-You can generate a JWT for use with the REST API by calling the
-`wp rest-api-guard generate-jwt` command.
 
 ## Testing

rest-api-guard/trunk/cli.php

@@ -10 +10 @@
 WP_CLI::add_command(
     'rest-api-guard generate-jwt',
-    function () {
-        echo generate_jwt() . PHP_EOL; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+    function ( $args, $assoc_args ) {
+        $expiration = isset( $assoc_args['expiration'] ) ? (int) $assoc_args['expiration'] : null;
+        $user       = isset( $assoc_args['user'] ) ? (int) $assoc_args['user'] : null;
+
+        echo generate_jwt( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+            expiration: $expiration,
+            user: $user,
+        ) . PHP_EOL;
     },
     [
         'shortdesc' => __( 'Generate a JSON Web Token (JWT).', 'rest-api-guard' ),
-    ]
+        'synopsis'  => '[--expiration=<expiration>] [--user=<user>]',
+    ],
 );

rest-api-guard/trunk/composer.json

@@ -24 +24 @@
         "alleyinteractive/alley-coding-standards": "^2.0",
         "alleyinteractive/composer-wordpress-autoloader": "^1.0",
-        "mantle-framework/testkit": "^0.7",
-        "nunomaduro/collision": "^5.0"
+        "mantle-framework/testkit": "^1.0"
     },
     "config": {
@@ -32 +31 @@
             "dealerdirect/phpcodesniffer-composer-installer": true,
             "pestphp/pest-plugin": true
-        },
-        "platform": {
-            "php": "8.0"
         },
         "sort-packages": true

rest-api-guard/trunk/plugin.php

@@ -4 +4 @@
  * Plugin URI: https://github.com/alleyinteractive/wp-rest-api-guard
  * Description: Restrict and control access to the REST API
- * Version: 1.1.2
+ * Version: 1.
  * Author: Sean Fisher
  * Author URI: https://alley.co/
@@ -24 +24 @@
 use WP_REST_Request;
 use WP_REST_Server;
+
 
 if ( ! defined( 'ABSPATH' ) ) {
@@ -59 +60 @@
     }
 
-    /**
-     * Check if the anonymous request requires a JSON Web Token (JWT).
-     *
-     * @param bool             $require Whether to require a JWT, default false.
-     * @param \WP_REST_Request $request REST API Request.
-     */
-    if ( class_exists( JWT::class ) && true === apply_filters( 'rest_api_guard_authentication_jwt', $settings['authentication_jwt'] ?? false, $request ) ) {
-        try {
-            $jwt = $request->get_header( 'Authorization' );
-
-            if ( empty( $jwt ) ) {
-                throw new InvalidArgumentException( __( 'No authorization header was found.', 'rest-api-guard' ) );
-            }
-
-            if ( 0 !== strpos( $jwt, 'Bearer ' ) ) {
-                throw new InvalidArgumentException( __( 'Invalid authorization header.', 'rest-api-guard' ) );
-            }
-
-            $decoded = JWT::decode(
-                substr( $jwt, 7 ),
-                new Key( get_jwt_secret(), 'HS256' ),
-            );
-
-            // Verify the contents of the JWT.
-            if ( empty( $decoded->iss ) || get_jwt_issuer() !== $decoded->iss ) {
-                throw new InvalidArgumentException( __( 'Invalid JWT issuer.', 'rest-api-guard' ) );
-            }
-
-            if ( empty( $decoded->aud ) || get_jwt_audience() !== $decoded->aud ) {
-                throw new InvalidArgumentException( __( 'Invalid JWT audience.', 'rest-api-guard' ) );
-            }
-        } catch ( \Exception $error ) {
-            return new WP_Error(
-                'rest_api_guard_unauthorized',
-                /**
-                 * Filter the authorization error message.
-                 *
-                 * @param string     $message The error message.
-                 * @param \Throwable $error The error that occurred.
-                 */
-                apply_filters(
-                    'rest_api_guard_invalid_jwt_message',
-                    __( 'Invalid authorization header.', 'rest-api-guard' ),
-                    $error,
-                ),
-                [
-                    'status' => rest_authorization_required_code(),
-                ]
-            );
+    if ( class_exists( JWT::class ) ) {
+        /**
+         * Check if the anonymous request requires a JSON Web Token (JWT).
+         *
+         * @param bool             $require Whether to require a JWT, default false.
+         * @param \WP_REST_Request $request REST API Request.
+         */
+        $require_anonymous_jwt = true === apply_filters( 'rest_api_guard_authentication_jwt', $settings['authentication_jwt'] ?? false, $request );
+        $allow_user_jwt        = true === apply_filters( 'rest_api_guard_user_authentication_jwt', $settings['user_authentication_jwt'] ?? false, $request );
+
+        if ( $require_anonymous_jwt || $allow_user_jwt ) {
+            try {
+                $jwt = $request->get_header( 'Authorization' );
+
+                if ( empty( $jwt ) && $require_anonymous_jwt ) {
+                    throw new InvalidArgumentException( __( 'No authorization header token was found and is required for this request.', 'rest-api-guard' ) );
+                }
+
+                if ( ! empty( $jwt ) ) {
+                    if ( 0 !== strpos( $jwt, 'Bearer ' ) ) {
+                        throw new InvalidArgumentException( __( 'Invalid authorization header.', 'rest-api-guard' ) );
+                    }
+
+                    $decoded = JWT::decode(
+                        substr( $jwt, 7 ),
+                        new Key( get_jwt_secret(), 'HS256' ),
+                    );
+
+                    // Verify the contents of the JWT.
+                    if ( empty( $decoded->iss ) || get_jwt_issuer() !== $decoded->iss ) {
+                        throw new InvalidArgumentException( __( 'Invalid JWT issuer.', 'rest-api-guard' ) );
+                    }
+
+                    if ( empty( $decoded->aud ) || get_jwt_audience() !== $decoded->aud ) {
+                        throw new InvalidArgumentException( __( 'Invalid JWT audience.', 'rest-api-guard' ) );
+                    }
+
+                    if ( $allow_user_jwt && ! empty( $decoded->sub ) ) {
+                        $user = get_user_by( 'id', $decoded->sub );
+
+                        if ( ! $user instanceof WP_User ) {
+                            throw new InvalidArgumentException( __( 'Invalid user in JWT sub.', 'rest-api-guard' ) );
+                        }
+
+                        wp_set_current_user( $user->ID );
+
+                        return false;
+                    }
+                }
+            } catch ( \Exception $error ) {
+                return new WP_Error(
+                    'rest_api_guard_unauthorized',
+                    /**
+                     * Filter the authorization error message.
+                     *
+                     * @param string     $message The error message being returned.
+                     * @param \Throwable $error The error that occurred.
+                     */
+                    apply_filters(
+                        'rest_api_guard_invalid_jwt_message',
+                        sprintf(
+                            /* translators: %s: The error message. */
+                            __( 'Error authentication with token: %s', 'rest-api-guard' ),
+                            $error->getMessage(),
+                        ),
+                        $error,
+                    ),
+                    [
+                        'status' => rest_authorization_required_code(),
+                    ]
+                );
+            }
         }
     }
@@ -284 +308 @@
     // Generate the JWT secret if it does not exist.
     if ( empty( get_option( 'rest_api_guard_jwt_secret' ) ) ) {
-        update_option( 'rest_api_guard_jwt_secret', wp_generate_password( 12, false ) );
+        update_option( 'rest_api_guard_jwt_secret', wp_generate_password( 2, false ) );
     }
 
@@ -298 +322 @@
  * Generate a JSON Web Token (JWT).
  *
+
+
+
+
  * @return string
- */
-function generate_jwt(): string {
-    return JWT::encode(
-        [
-            'iss' => get_jwt_issuer(),
-            'aud' => get_jwt_audience(),
-            'iat' => time(),
-        ],
-        get_jwt_secret(),
-        'HS256'
-    );
+ *
+ * @throws InvalidArgumentException If the user is invalid or unknown.
+ */
+function generate_jwt( ?int $expiration = null, WP_User|int|null $user = null ): string {
+    $payload = [
+        'iss' => get_jwt_issuer(),
+        'aud' => get_jwt_audience(),
+        'iat' => time(),
+    ];
+
+    if ( null !== $expiration ) {
+        $payload['exp'] = time() + $expiration;
+    }
+
+    if ( null !== $user ) {
+        $user = $user instanceof WP_User ? $user : get_user_by( 'id', $user );
+
+        if ( ! $user instanceof WP_User ) {
+            throw new InvalidArgumentException( esc_html__( 'Invalid user.', 'rest-api-guard' ) );
+        }
+
+        $payload['sub']        = $user->ID;
+        $payload['user_login'] = $user->user_login;
+    }
+
+    return JWT::encode( $payload, get_jwt_secret(), 'HS256' );
 }
 

rest-api-guard/trunk/readme.txt

@@ -1 +1 @@
 === REST API Guard ===
-Stable tag: 1.1.2
+Stable tag: 1.
 Requires at least: 6.0
 Tested up to: 6.3
@@ -72 +72 @@
 ### Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)
 
-Anonymous users can be restricted from specific namespaces/routes. This acts as a denylist for specific paths that an anonymous user cannot access. The paths support regular expressions for matching. The use of the [Allowlist](#limit-anonymous-access-to-specific-namespacesroutes-allowlist) takes priority over this denylist. This can be configured in the plugin's settings or via code:
+Anonymous users can be restricted from specific namespaces/routes. This acts as
+a denylist for specific paths that an anonymous user cannot access. The paths
+support regular expressions for matching. The use of the allowlist takes
+priority over this denylist. This can be configured in the plugin's settings or
+via code:
 
     add_filter(
@@ -89 +93 @@
 
 Anonymous users can be required to authenticate via a JSON Web Token (JWT) to
-access the REST API. This can be configured in the plugin's settings or via
-code:
+access the REST API. 
+code:
 
-```php
-add_filter( 'rest_api_guard_authentication_jwt', fn () => true );
-```
+    add_filter( 'rest_api_guard_authentication_jwt', fn () => true );
 
 Out of the box, the plugin will look for a JWT in the `Authorization: Bearer
-<token>` header. The JWT will be expected to have an audience of 'wordpress-rest-api' and issuer of the site's URL. This can be configured in the plugin's settings or via code:
+<token>` header. The JWT will be expected to have an audience of
+'wordpress-rest-api' and issuer of the site's URL. This can be configured in the
+plugin's settings or via code:
 
-```php
-add_filter(
-    'rest_api_guard_jwt_audience',
-    function ( string $audience ): string {
-        return 'custom-audience';
-    }
-);
+    add_filter(
+        'rest_api_guard_jwt_audience',
+        function ( string $audience ): string {
+            return 'custom-audience';
+        }
+    );
 
-add_filter(
-    'rest_api_guard_jwt_issuer',
-    function ( string $issuer ): string {
-        return 'https://example.com';
-    }
-);
-```
+    add_filter(
+        'rest_api_guard_jwt_issuer',
+        function ( string $issuer ): string {
+            return 'https://example.com';
+        }
+    );
 
 The JWT's secret will be autogenerated and stored in the database in the
 `rest_api_guard_jwt_secret` option. The secret can also be changed via code:
 
-```php
-add_filter(
-    'rest_api_guard_jwt_secret',
-    function ( string $secret ): string {
-        return 'my-custom-secret';
-    }
-);
-```
+    add_filter(
+        'rest_api_guard_jwt_secret',
+        function ( string $secret ): string {
+            return 'my-custom-secret';
+        }
+    );
 
-You can generate a JWT for use with the REST API by calling the
-`wp rest-api-guard generate-jwt` command.
+### Allow JWT Authentication for Authenticated Users
+
+Authenticated users can be authenticated with the REST API via a JSON Web Token.
+Similar to the anonymous JWT authentication, users should pass an
+`Authorization: Bearer <token>` header with their request. This can be
+configured in the plugin's settings or via code:
+
+    add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );
+
+### Generating JWTs for Anonymous and Authenticated Users
+
+JWTs can be generated by calling the
+`wp rest-api-guard generate-jwt [--user=<user_id>]` command or using the
+`Alley\WP\REST_API_Guard\generate_jwt()` method:
+
+    $jwt = \Alley\WP\REST_API_Guard\generate_jwt(
+        expiration: 3600, // Optional. The expiration time in seconds from now.
+        user: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
+    );

rest-api-guard/trunk/settings.php

@@ -28 +28 @@
  */
 function on_admin_menu() {
+
+
+
+
+
+
+
+
+
     add_options_page(
         __( 'REST API Guard', 'rest-api-guard' ),
@@ -176 +185 @@
                 'additional'  => sprintf(
                     /* translators: 1: The JWT audience. 2: The JWT issuer. */
-                    __( 'When enabled, the plugin will require anonymous users to pass an "Authorization: Bearer <token>" with the token being a valid JSON Web Token (JWT). The plugin will be expecting a JWT with an audience of "%1$s", issuer of "%2$s", and secret that matches the value of the "rest_api_guard_jwt_secret" option.', 'rest-api-guard' ),
+                    __( 'When enabled, the plugin will require anonymous users to pass an "Authorization: Bearer <token>" with the token being a valid JSON Web Token (JWT). The plugin will be expecting a JWT with an audience of "%1$s", issuer of "%2$s", and secret that matches the value of the "rest_api_guard_jwt_secret" option.', 'rest-api-guard' ),
                     get_jwt_audience(),
                     get_jwt_issuer(),
@@ -185 +194 @@
             ],
         );
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     }
 }
@@ -206 +235 @@
         'anonymous_requests_allowlist' => ! empty( $input['anonymous_requests_allowlist'] ) ? sanitize_textarea_field( $input['anonymous_requests_allowlist'] ) : '',
         'anonymous_requests_denylist'  => ! empty( $input['anonymous_requests_denylist'] ) ? sanitize_textarea_field( $input['anonymous_requests_denylist'] ) : '',
+
+
     ];
 }

rest-api-guard/trunk/vendor/autoload.php

@@ -23 +23 @@
 require_once __DIR__ . '/composer/autoload_real.php';
 
-return ComposerAutoloaderInitb3808e08bff289327297fb981027fb31::getLoader();
+return ComposerAutoloaderInit::getLoader();

rest-api-guard/trunk/vendor/composer/autoload_real.php

@@ -3 +3 @@
 // autoload_real.php @generated by Composer
 
-class ComposerAutoloaderInitb3808e08bff289327297fb981027fb31
+class ComposerAutoloaderInit
 {
     private static $loader;
@@ -25 +25 @@
         require __DIR__ . '/platform_check.php';
 
-        spl_autoload_register(array('ComposerAutoloaderInitb3808e08bff289327297fb981027fb31', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit', 'loadClassLoader'), true, true);
         self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(__DIR__));
-        spl_autoload_unregister(array('ComposerAutoloaderInitb3808e08bff289327297fb981027fb31', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit', 'loadClassLoader'));
 
         require __DIR__ . '/autoload_static.php';
-        call_user_func(\Composer\Autoload\ComposerStaticInitb3808e08bff289327297fb981027fb31::getInitializer($loader));
+        call_user_func(\Composer\Autoload\ComposerStaticInit::getInitializer($loader));
 
         $loader->register(true);

rest-api-guard/trunk/vendor/composer/autoload_static.php

@@ -5 +5 @@
 namespace Composer\Autoload;
 
-class ComposerStaticInitb3808e08bff289327297fb981027fb31
+class ComposerStaticInit
 {
     public static $prefixLengthsPsr4 = array (
@@ -28 +28 @@
     {
         return \Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInitb3808e08bff289327297fb981027fb31::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInitb3808e08bff289327297fb981027fb31::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInitb3808e08bff289327297fb981027fb31::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit::$prefixDirsPsr4;
+            $loader->classMap = ComposerStaticInit::$classMap;
 
         }, null, ClassLoader::class);

rest-api-guard/trunk/vendor/composer/installed.php

@@ -4 +4 @@
         'pretty_version' => '1.0.0+no-version-set',
         'version' => '1.0.0.0',
-        'reference' => NULL,
+        'reference' => ,
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -14 +14 @@
             'pretty_version' => '1.0.0+no-version-set',
             'version' => '1.0.0.0',
-            'reference' => NULL,
+            'reference' => ,
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',