Allow REST API Endpoint to specific user and hide from public

So I've been working on trying to figure this out, but I can't seem to get the right answer or even find docs online regarding this issue, so I'm reaching out to the community to see if I can get some assistance.

So I have the following RestRoutes class:

class RestRoutes
{
    private string $namespace;
    private string $resource;

    public function __construct()
    {
        $this->namespace = 'twitter/v1';
        $this->resource = '/posts/';
        $this->init();
    }

    public function init(): void
    {
        add_action('rest_api_init', [$this, 'register_rest_route']);
    }

    public function register_rest_route(): void
    {
        register_rest_route(
            $this->namespace,
            $this->resource,
            [
                'methods'  => 'GET',
                'callback' => [$this, 'twitter_posts'],
                'permission_callback' => '__return_true'
            ]
        );
    }

    public function twitter_posts(): WP_REST_Response|array
    {
        $data = get_transient('twitter_socialapi_data');
        if (!empty($data)) {
            return $data;
        }
        try {
            $response = Twitter::init()->get_profile_tweets(50);
            if (empty($response)) {
                return [];
            }
            $tweets = [];
            foreach ($response as $tweet) {
                $tweets[] = [
                    'id' => $tweet->get_id(),
                    'text' => $tweet->get_body(),
                    'link' => $tweet->get_tweet_link(),
                    'profile_image_url' => $tweet->user()->get_image_url(),
                    'profile_url' => $tweet->user()->get_url(),
                    'name' => $tweet->user()->get_name(),
                    'username' => $tweet->user()->get_username(),
                    'created_at' => $tweet->get_created_at()->format('h:i A · F d, Y')
                ];
            }
            set_transient('twitter_socialapi_data', $tweets, 3 * HOUR_IN_SECONDS);
        } catch(Exception $e) {
            return [];
        }

        return $tweets;
    }
}

Which when I go to the following endpoint https://twitter.test.com.local/wp-json/twitter/v1/posts, I get data:

[{"id":1491469724835889154,"text":"RT <a href=\"https:\/\/twitter.com\/FOXSoccer\" title=\"FOXSoccer\" target=\"_blank\">@FOXSoccer<\/a>: What a save from Al Hilal's Al-Mayouf !\ud83e\udde4 <a href=\"https:\/\/t.co\/D7p4vwIn44\" target=\"_blank\"><\/a><img class=\"tweet-photo\" src=\"https:\/\/pbs.twimg.com\/media\/FLLDiZnXEAY38Wu.jpg\" style=\"width: 100%; margin-top: 11px; border-radius: 12px\" \/>"}]

As it currently sits, ANYONE with the endpoint can make requests.

How does one make the endpoint private to just a specific user?

I have a WordPress user called source and I've already added the application password, as shown below:

Does anyone know how to properly allow only the specific user to make the request? Use Basic Authentication within Postman, etc.

Thanks all!
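
One way to close the route to everyone except the one account, as an added example that is not part of the original post: a permission_callback that replaces '__return_true'. It assumes WordPress 5.7 or later and that the allowed login is "source" as named in the question; the function and constant names are hypothetical.

```php
<?php
// Added example, not the asker's code. Assumes WordPress 5.7+ is loaded and
// that the only account allowed to read the route has the login "source".

const TWITTER_REST_ALLOWED_LOGIN = 'source'; // login taken from the question

/**
 * permission_callback for twitter/v1/posts.
 *
 * @return true|WP_Error true lets the request through; WP_Error rejects it.
 */
function twitter_rest_allow_source_only(WP_REST_Request $request)
{
    $user = wp_get_current_user();

    // No valid credentials were sent: the current user stays at ID 0.
    if (!$user->exists()) {
        return new WP_Error('rest_not_logged_in', 'Authentication is required.', ['status' => 401]);
    }

    // Authenticated, but not the single account this route is meant for.
    if ($user->user_login !== TWITTER_REST_ALLOWED_LOGIN) {
        return new WP_Error('rest_forbidden', 'This account may not read this endpoint.', ['status' => 403]);
    }

    // Optional hardening: reject cookie/nonce sessions so that only requests
    // authenticated with an application password (HTTP Basic auth) pass.
    if (rest_get_authenticated_app_password() === null) {
        return new WP_Error('rest_forbidden', 'Use an application password.', ['status' => 403]);
    }

    return true;
}

// In RestRoutes::register_rest_route(), replace '__return_true' with:
//     'permission_callback' => 'twitter_rest_allow_source_only',
```

With this in place, a client such as Postman sends Basic Auth with the username source and the generated application password. By default WordPress only accepts application passwords over HTTPS or when the environment type is local.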
