Merge pull request #16 from BeAPI/fix/authentification-rest

fix authentication check for REST API

Author: ecorica

classes/helpers.php

@@ -21,7 +21,7 @@ class Helpers {
 	public static function is_maintenance_mode() {
 		$is_maintenance_mode = true;
 
-		if ( is_user_logged_in() ) {
+		if ( self::is_user_authenticated() ) {
 			$is_maintenance_mode = false;
 		}
 
@@ -36,13 +36,63 @@ public static function is_maintenance_mode() {
 		return apply_filters( 'beapi.maintenance_mode.is_maintenance_mode', $is_maintenance_mode );
 	}
 
+	/**
+	 * Check if the current user is authenticated.
+	 * This method handles both regular requests and REST API requests.
+	 *
+	 * @return bool
+	 * @since  2.1.1
+	 */
+	public static function is_user_authenticated() {
+		// For regular requests, check if user is logged in.
+		if ( is_user_logged_in() ) {
+			return true;
+		}
+
+		// For REST API requests, we need to check authentication differently
+		// because is_user_logged_in() may not work correctly at this point.
+		if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
+			return false;
+		}
+
+		// Try to get current user (this works even for REST API).
+		$user = wp_get_current_user();
+		if ( $user && $user->ID > 0 ) {
+			return true;
+		}
+
+		// Check if there's a valid authentication cookie.
+		// This is useful when cookies are sent but not yet processed.
+		if ( ! defined( 'LOGGED_IN_COOKIE' ) || empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
+			return false;
+		}
+
+		$cookie = wp_parse_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );
+		if ( empty( $cookie['username'] ) || empty( $cookie['expiration'] ) ) {
+			return false;
+		}
+
+		// Verify the cookie is still valid by checking expiration.
+		if ( $cookie['expiration'] <= time() ) {
+			return false;
+		}
+
+		// Verify the user exists.
+		$user = get_user_by( 'login', $cookie['username'] );
+		if ( ! $user || $user->ID <= 0 ) {
+			return false;
+		}
+
+		return true;
+	}
+
 	/**
 	 * Check if the current IP is in whitelist
 	 *
 	 * @return bool
+	 * @author Maxime CULEA
 	 * @since  1.0.0
 	 *
-	 * @author Maxime CULEA
 	 */
 	public static function is_allowed_ip() {
 		/**
@@ -51,15 +101,15 @@ public static function is_allowed_ip() {
 		 * @params array $whitelist_ips : Array of allowed ips
 		 *
 		 * @return array
+		 * @author Maxime CULEA
 		 * @since  1.0.0
 		 *
-		 * @author Maxime CULEA
 		 */
 		$whitelist_ips = apply_filters( 'beapi.maintenance_mode.whitelist_ips', [] );
 		if ( empty( $whitelist_ips ) ) { // No whitelist, then nobody is allowed
 			return false;
 		}
-		
+
 		// Get user IP
 		$current_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
 		if ( empty( $current_ip ) ) {
@@ -86,9 +136,9 @@ public static function is_allowed_ip() {
 	 * Check if during multisite process to avoid not maintenance mode or not
 	 *
 	 * @return bool
+	 * @author Maxime CULEA
 	 * @since  1.0.0
 	 *
-	 * @author Maxime CULEA
 	 */
 	public static function is_ms_activate() {
 		if ( empty( $_SERVER['SCRIPT_NAME'] ) ) {
@@ -104,9 +154,9 @@ public static function is_ms_activate() {
 	 * @param $matches
 	 *
 	 * @return string
+	 * @author Nicolas Juen
 	 * @since  1.0.0
 	 *
-	 * @author Nicolas Juen
 	 */
 	private static function maintenance_replace_ip( $matches ) {
 		return sprintf( '%03d', $matches[1] );
@@ -116,9 +166,9 @@ private static function maintenance_replace_ip( $matches ) {
 	 * Get the maintenance template path
 	 *
 	 * @return string
+	 * @author Maxime CULEA
 	 * @since  1.0.0
 	 *
-	 * @author Maxime CULEA
 	 */
 	public static function get_template_path() {
 		$default = BEAPI_MAINTENANCE_MODE_DIR . 'templates/maintenance.php';
@@ -129,9 +179,9 @@ public static function get_template_path() {
 		 * @params string $default : The path to the custom template
 		 *
 		 * @return array
+		 * @author Maxime CULEA
 		 * @since  1.0.0
 		 *
-		 * @author Maxime CULEA
 		 */
 		$template = apply_filters( 'beapi.maintenance_mode.template.path', $default );
 		if ( empty( $template ) || ! is_file( $template ) ) {