php – Flatten Responses returned via WP REST API via WP_Error for obfuscation
According to this; I’m setting up the REST API of a website project.
I’m returning a WP_Rest_Response for every request, no matter which, at every possible end, with a corresponding HTTP status code, etc., no matter what happens in the request (if errors occur, I return a WP_Rest_Response object with corresponding error feedback, and if everything works, I return a WP_Rest_Response with corresponding positive feedback).
The API Calls all work perfectly.
My problem now is this: let’s say the validate_callback that you can provide in your args when using register_rest_route fails, indicating that one of your validations reported a failed validation with a variable.
This seems to, according to the source code I’ve checked within wp-includes/rest-api/class-wp-rest-response, generate and then output a WP_Error object, with really all of the details, explaining precisely why the request failed (in this case, for example, that “parameter ‘x’ is not valid”).
The same happens, for example, if you have not provided all of the arguments you list as required for a given endpoint.
My question now is: is there some kind of WP filter or hook to tell WordPress that in this case we should simply output the HTTP status to the client, and no more details? I just feel that it’s unnecessary to explain where exactly a validation failed in production code. Especially as this is a safety feature, I feel you should tell your potential attackers as little as possible about your defense mechanisms, or at least reduce the hints you provide to a minimum.
The only thing that I could find so far in this sense is the _fields parameter; but yeah, this filter is set on the client side and is thus easy to manipulate. I know that the linked page says that it’s not recommended to change the responses; but I just wondered if they haven’t prepared a filter that you can scope to a custom REST namespace, or similar?
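
One way to get the behaviour asked about, as an added example that is not part of the original post: WordPress core applies the `rest_post_dispatch` filter to every REST response, including the ones built from a `WP_Error` after a failed `validate_callback` or a missing required argument. The namespace prefix `/myplugin/v1` and the function name are assumptions; the callback keeps the HTTP status, logs the detail server-side, and returns a generic body only for routes under that namespace.

```php
<?php
// Hypothetical namespace prefix (assumption): use the namespace you pass to
// register_rest_route(), with a leading slash.
const MYPLUGIN_REST_PREFIX = '/myplugin/v1';

/**
 * Replace the body of error responses under one namespace with a generic payload.
 *
 * @param WP_HTTP_Response $response Response about to be sent to the client.
 * @param WP_REST_Server   $server   Server instance (unused).
 * @param WP_REST_Request  $request  Request that produced the response.
 */
function myplugin_flatten_rest_errors( $response, $server, $request ) {
    if ( ! ( $response instanceof WP_REST_Response ) ) {
        return $response;
    }

    // Scope the change to our own namespace so core and other plugins are untouched.
    $route = $request->get_route();
    if ( MYPLUGIN_REST_PREFIX !== $route
        && 0 !== strpos( $route, MYPLUGIN_REST_PREFIX . '/' ) ) {
        return $response;
    }

    // Successful responses pass through unchanged.
    if ( ! $response->is_error() ) {
        return $response;
    }

    $status = $response->get_status();

    // Keep the full detail where operators can see it, not the client.
    error_log( sprintf(
        'REST error %d on %s: %s',
        $status,
        $route,
        wp_json_encode( $response->get_data() )
    ) );

    // Same shape as a core error body, but without parameter names or reasons.
    $response->set_data( array(
        'code'    => 'request_failed',
        'message' => get_status_header_desc( $status ),
        'data'    => array( 'status' => $status ),
    ) );

    return $response;
}
add_filter( 'rest_post_dispatch', 'myplugin_flatten_rest_errors', 10, 3 );
```

Because the filter acts on any error status, it also flattens error responses the endpoint callbacks build themselves, so legitimate API clients lose the per-parameter feedback as well.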