rest api – How to block external access to register_rest_route callback?

Question

I’m creating a new API route that allows me to update a plugin database entries on custom table from an external application (below the code). My code seems to work, but I need an advice on how to block requests that don’t belong to my app, in order to prevent an arbitrary user that discovers the route and knows for example how to use postman could edit the database. I was thinking to put get_http_origin() on the top of the register_rest_route callback function, comparing the origin of the request with a fixed string I know being the legitimate application. Will it work? Is there a more proficient/correct method?

class Rate_My_Post_Custom_API {
    public function __construct () {
        add_action( 'rest_api_init', array( $this, 'create_update_rating_route' ) );
    }

    public function create_update_rating_route () {
        register_rest_route( 'wp/v2', 'update-rmp', array(
            'methods' => 'POST',
            'callback' => function ( WP_REST_Request $request ) {
                global $wpdb;
                
                $request_body = json_decode( $request -> get_body() );
                $rating_table = $wpdb -> prefix . "rmp_analytics";
                $total_votes = get_post_meta( $request_body -> post_id, 'rmp_vote_count', true ) ? intval( get_post_meta( $request_body -> post_id, 'rmp_vote_count', true ) ) : 0;
                $new_votes = $total_votes + 1;
                $ratings_sum = get_post_meta( $request_body -> post_id, 'rmp_rating_val_sum', true ) ? intval( get_post_meta( $request_body -> post_id, 'rmp_rating_val_sum', true ) ) : 0;
                $new_ratings_sum = $ratings_sum + $request_body -> vote;
                $new_average = round( ( $new_ratings_sum / $new_votes ), 1 );

                update_post_meta( $request_body -> post_id, 'rmp_vote_count', $new_votes );
                update_post_meta( $request_body -> post_id, 'rmp_rating_val_sum', $new_ratings_sum );

                $rating_updated = $wpdb -> insert( $rating_table, array(
                    'time' => current_time( 'mysql' ),
                    'ip' => '-1',
                    'country' => '0',
                    'user' => $request_body -> user_id,
                    'post' => $request_body -> post_id,
                    'action' => '1',
                    'duration' => '1',
                    'average' => $new_average,
                    'votes' => $new_votes,
                    'value' => $request_body -> vote,
                    'token' => '-1',
                ) );

                if ( $rating_updated ) :
                    return rest_ensure_response( 'New rating registered.' );
                else :
                    return rest_ensure_response( 'Error in registering rating.' );  
                endif;
            },
            'permission_callback' => '__return_true'
        ) );
    }
}
new Rate_My_Post_Custom_API();

0
MKay 3 weeks 2023-01-18T04:04:20-05:00 0 Answers 0 views 0

Leave an answer

Browse
Browse