
WordPress Public APIs (REST/XMLRPC/GraphQL?) Should be Protected When Privacy Mode is Turned On

Open timnolte opened this issue 1 year ago • 0 comments

Describe the bug

Currently, when Privacy mode is turned on to put the entire site behind OIDC authentication, this only protects standard web requests. The REST (and presumably other) endpoints are still publicly exposed.

To Reproduce

Steps to reproduce the behavior:

  1. Turn on "Enforce Privacy" in the plugin settings.
  2. Access /wp-json/wp/v2/posts
  3. Confirm that the content is loaded without any access restrictions.

Expected behavior

The API endpoints should return a 403 Forbidden when a user isn't already authenticated via the IDP.

Isolating the problem (mark completed items with an [x]):

  • [x] I have deactivated other plugins and confirmed this bug occurs when only this plugin is active.
  • [x] This bug happens with a default WordPress theme active.
  • [x] I can reproduce this bug consistently using the steps above.

WordPress Environment

  • Plugin Version: All versions
  • Identity Provider: Any
  • Relevant Plugin Settings: "Enforce Privacy" enabled

timnolte, Dec 22 '23 18:12
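One way a site owner can close the gap described in this issue while waiting for a plugin fix is a small must-use plugin that denies unauthenticated REST requests and turns off XML-RPC whenever "Enforce Privacy" is on. The code below is an added example written for this page; it is not part of the openid-connect-generic plugin. It assumes the plugin stores its settings in the option `openid_connect_generic_settings` under the key `enforce_privacy` (check your install and adjust `ocg_privacy_enforced()` if the key differs); the function names, the text domain `ocg-privacy` and the priority value are the example's own choices. Only core WordPress hooks are used: `rest_authentication_errors` and `xmlrpc_enabled`. GraphQL is provided by third-party plugins and is not covered here.

```php
<?php
/**
 * Plugin Name: OCG Privacy API Guard (example, not part of openid-connect-generic)
 * Description: Blocks unauthenticated REST and XML-RPC access while "Enforce Privacy" is enabled.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumption: the plugin keeps its settings in this option under this key.
// Verify against your installation before relying on it.
function ocg_privacy_enforced(): bool {
    $settings = get_option( 'openid_connect_generic_settings', array() );
    return is_array( $settings ) && ! empty( $settings['enforce_privacy'] );
}

/**
 * REST API guard. WordPress runs this filter before dispatching any REST
 * request; returning a WP_Error with a 403 status makes the API answer with
 * that error instead of the resource. Priority 99 runs it before core's cookie
 * check (priority 100), so is_user_logged_in() still reflects the session cookie.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier authentication handler already decided (true or WP_Error):
    // respect that decision rather than overriding it.
    if ( null !== $result ) {
        return $result;
    }

    // Privacy not enforced, or the user is authenticated: let the request through.
    if ( ! ocg_privacy_enforced() || is_user_logged_in() ) {
        return $result;
    }

    // Anonymous request on a privacy-enforced site: refuse with 403.
    return new WP_Error(
        'rest_forbidden',
        __( 'Authentication through the identity provider is required.', 'ocg-privacy' ),
        array( 'status' => 403 )
    );
}, 99 );

/**
 * XML-RPC guard. XML-RPC authenticates per call with a username and password,
 * so there is no pre-authentication hook comparable to the REST filter above;
 * the defensible option is to disable the endpoint entirely while privacy is
 * enforced. WordPress then responds to every XML-RPC call with
 * "XML-RPC services are disabled on this site."
 */
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return ocg_privacy_enforced() ? false : (bool) $enabled;
} );
```

To verify, repeat the reproduction steps from the issue with the file in place: an anonymous `GET /wp-json/wp/v2/posts` should now return HTTP 403 with the `rest_forbidden` error body, while a request carrying a valid logged-in session (and, for browser clients, the usual `X-WP-Nonce` header) still returns the posts. Keep in mind that this guard only covers core REST and XML-RPC; any other API surface exposed by additional plugins needs its own check.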