From 7cf476eb5838ad76b590b3a2594d143c69ace41f Mon Sep 17 00:00:00 2001
From: Egidio CORICA
Date: Tue, 17 Feb 2026 14:15:07 +0100
Subject: [PATCH] fix authentication check for REST API
---
 classes/helpers.php | 66 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 58 insertions(+), 8 deletions(-)
diff --git a/classes/helpers.php b/classes/helpers.php
index 81529b9..0fb04ce 100644
--- a/classes/helpers.php
+++ b/classes/helpers.php
@@ -21,7 +21,7 @@ class Helpers {
 public static function is_maintenance_mode() {
 $is_maintenance_mode = true;
- if ( is_user_logged_in() ) {
+ if ( self::is_user_authenticated() ) {
 $is_maintenance_mode = false;
 }
@@ -36,13 +36,63 @@ public static function is_maintenance_mode() {
 return apply_filters( 'beapi.maintenance_mode.is_maintenance_mode', $is_maintenance_mode );
 }
+ /**
+ * Check if the current user is authenticated.
+ * This method handles both regular requests and REST API requests.
+ *
+ * @return bool
+ * @since 2.1.1
+ */
+ public static function is_user_authenticated() {
+ // For regular requests, check if user is logged in.
+ if ( is_user_logged_in() ) {
+ return true;
+ }
+
+ // For REST API requests, we need to check authentication differently
+ // because is_user_logged_in() may not work correctly at this point.
+ if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
+ return false;
+ }
+
+ // Try to get current user (this works even for REST API).
+ $user = wp_get_current_user();
+ if ( $user && $user->ID > 0 ) {
+ return true;
+ }
+
+ // Check if there's a valid authentication cookie.
+ // This is useful when cookies are sent but not yet processed.
+ if ( ! defined( 'LOGGED_IN_COOKIE' ) || empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
+ return false;
+ }
+
+ $cookie = wp_parse_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );
+ if ( empty( $cookie['username'] ) || empty( $cookie['expiration'] ) ) {
+ return false;
+ }
+
+ // Verify the cookie is still valid by checking expiration.
+ if ( $cookie['expiration'] <= time() ) {
+ return false;
+ }
+
+ // Verify the user exists.
+ $user = get_user_by( 'login', $cookie['username'] );
+ if ( ! $user || $user->ID <= 0 ) {
+ return false;
+ }
+
+ return true;
+ }
+
 /**
 * Check if the current IP is in whitelist
 *
 * @return bool
+ * @author Maxime CULEA
 * @since 1.0.0
 *
- * @author Maxime CULEA
 */
 public static function is_allowed_ip() {
 /**
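Review bot: The cookie fallback at the bottom of is_user_authenticated() accepts a forged cookie, because wp_parse_auth_cookie() only splits the cookie value on `|` and never verifies its HMAC or session token, so anyone who knows a valid login can send a LOGGED_IN_COOKIE of `somelogin|<future timestamp>|x|y` on a REST request, pass both the expiration and the get_user_by() checks, and have is_maintenance_mode() (first hunk) switch maintenance mode off for them. Replace the parse/expiration/user-exists sequence with the core validator, which does those checks plus signature and session verification: `return false !== wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );`. Note too that, if I recall core's rest_cookie_check_errors() correctly, WordPress deliberately treats nonce-less cookie-authenticated REST requests as anonymous, so this fallback is only acceptable while it gates nothing beyond which page is served. A comment making that explicit, e.g. `// Cookie is verified here only to decide whether to serve the maintenance page; never reuse this for capability checks.`, would keep the next maintainer from widening it.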
@@ -51,15 +101,15 @@ public static function is_allowed_ip() {
 * @params array $whitelist_ips : Array of allowed ips
 *
 * @return array
+ * @author Maxime CULEA
 * @since 1.0.0
 *
- * @author Maxime CULEA
 */
 $whitelist_ips = apply_filters( 'beapi.maintenance_mode.whitelist_ips', [] );
 if ( empty( $whitelist_ips ) ) {
 // No whitelist, then nobody is allowed
 return false;
 }
-
+
 // Get user IP
 $current_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
 if ( empty( $current_ip ) ) {
@@ -86,9 +136,9 @@ public static function is_allowed_ip() {
 * Check if during multisite process to avoid not maintenance mode or not
 *
 * @return bool
+ * @author Maxime CULEA
 * @since 1.0.0
 *
- * @author Maxime CULEA
 */
 public static function is_ms_activate() {
 if ( empty( $_SERVER['SCRIPT_NAME'] ) ) {
@@ -104,9 +154,9 @@ public static function is_ms_activate() {
 * @param $matches
 *
 * @return string
+ * @author Nicolas Juen
 * @since 1.0.0
 *
- * @author Nicolas Juen
 */
 private static function maintenance_replace_ip( $matches ) {
 return sprintf( '%03d', $matches[1] );
@@ -116,9 +166,9 @@ private static function maintenance_replace_ip( $matches ) {
 * Get the maintenance template path
 *
 * @return string
+ * @author Maxime CULEA
 * @since 1.0.0
 *
- * @author Maxime CULEA
 */
 public static function get_template_path() {
 $default = BEAPI_MAINTENANCE_MODE_DIR . 'templates/maintenance.php';
@@ -129,9 +179,9 @@ public static function get_template_path() {
 * @params string $default : The path to the custom template
 *
 * @return array
+ * @author Maxime CULEA
 * @since 1.0.0
 *
- * @author Maxime CULEA
 */
 $template = apply_filters( 'beapi.maintenance_mode.template.path', $default );
 if ( empty( $template ) || ! is_file( $template ) ) {