How to restrict REST API

Normal login works with no issues, but Social Login has a redirect issue:

https://mydomain/account/login/?redirect=https%3A%2F%2Fmydomain%2Faccount%2F

Users cannot log in using the Social Login, but it doesn’t matter what option they use :frowning: they will be stuck in this infinite redirect loop.

Info

  • HivePress Social Login: Version 1.0.3
  • HivePress: Version 1.7.1

401 Error on API

{
    "code": "rest_cannot_access",
    "message": "Only logged-in users can access the User endpoint REST API.",
    "data": {
        "status": 401
    }
}

This is something that started recently. I noticed this after I disabled the Rest API for WordPress because having the Rest API open is a huge security issue.

Security and APIs

It appears that the issue is caused by the plugin using an insecure way to connect with the API, which requires the user endpoints to remain open for the plugin to function. However, this can lead to critical privacy concerns as it leaves the users’ APIs exposed, allowing unauthorized users to scrape all the data from the WordPress website about the users.

https://mydomain/wp-json/wp/v2/users

Please try restricting specific REST API endpoints (like the user search one), restricting the whole REST API may break HivePress features because it relies on WordPress API (e.g. all the form requests made via REST API). The social login should be ok since there’s a redirect URL and not the REST API one, but in any case REST API is a core WordPress feature and we can’t fix issues related to disabling it since HivePress also relies on it.
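The advice above is to restrict specific REST API routes rather than the whole API. The following mu-plugin is an added example (not HivePress code and not from the original reply) of that approach: it short-circuits anonymous requests to the `/wp/v2/users` routes with a 401 while leaving every other route, including everything under the `hivepress/` prefix, untouched. The file name, the function name and the `RESTRICTED_REST_ROUTES` list are assumptions; the hooks (`rest_pre_dispatch`, `rest_authorization_required_code()`) are standard WordPress.

```php
<?php
/**
 * Plugin Name: Restrict anonymous access to the users REST routes
 * Description: Added example. Drop into wp-content/mu-plugins/ (hypothetical file name
 *              restrict-users-rest.php). Only the routes listed below require a login.
 */

// Route prefixes that must only be reachable by logged-in users (constructed list).
// hivepress/* and all other wp/v2/* routes are deliberately NOT listed.
const RESTRICTED_REST_ROUTES = array(
    '/wp/v2/users',
);

/**
 * Returns true when $route is one of the restricted prefixes or a sub-route of one
 * (e.g. /wp/v2/users/12 or /wp/v2/users/me). Works for both /wp-json/... and
 * ?rest_route=... request forms because $request->get_route() is already normalised.
 */
function restrict_users_rest_is_restricted( string $route ): bool {
    foreach ( RESTRICTED_REST_ROUTES as $prefix ) {
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter(
    'rest_pre_dispatch',
    function ( $result, $server, $request ) {
        // Another filter already produced a response or error; keep it.
        if ( null !== $result ) {
            return $result;
        }

        // Leave every unrestricted route alone (HivePress forms, block editor, etc.).
        if ( ! restrict_users_rest_is_restricted( $request->get_route() ) ) {
            return null;
        }

        // Anonymous caller on a restricted route: 401 (rest_authorization_required_code()
        // returns 401 when nobody is logged in, 403 otherwise).
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_cannot_access',
                __( 'You must be logged in to access this endpoint.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }

        // Logged-in user: fall through to the normal endpoint permission checks.
        return null;
    },
    10,
    3
);
```

To check the result, request `/wp-json/wp/v2/users` without cookies and expect a JSON error with `"status": 401`, then repeat while logged in (or with an application password) and expect the normal user list; a HivePress form submission or a `/wp-json/hivepress/v1/...` request should behave exactly as before. Because the check runs in `rest_pre_dispatch`, it is per request and does not hide the route from the index, so the site's own features that enumerate routes keep working.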

Thanks for the help.
What things or paths do I need to include to make sure that my login for HivePress won’t get cached? My plugin is Hummingbird and I also have Cloudflare for my WordPress.

URL Strings

https:\/\/mydomain/#user_*
https:\/\/mydomain\.co\.il\/.*\/#user_*

https:\/\/mydomain\/account\/*
https:\/\/mydomain\/my-account\/*

Right now, I have an issue: logged-in users are not visible on the home page, which is causing them to be confused… I think that this is related to cache issues.

I want to use a plugin like

What REST API does HivePress need?

At the end of the day, the users endpoint doesn’t have that much info…

  • id: User ID.
  • name: Username.
  • description: User description.
  • link: Link to the user’s profile page.
  • slug: User’s slug (URL-friendly version of the username).
  • avatar_urls: URLs to the user’s avatar images.
  • meta: Additional user metadata (empty in the provided examples).
  • is_super_admin: Indicates whether the user is a super admin (typically used in multisite installations).
  • woocommerce_meta: WooCommerce-related metadata (empty in the provided examples).
  • _links: Links to the user’s self and collection resources.

Sorry, I can’t recommend anything specific regarding disabling the REST API, I’d recommend leaving it as is. HivePress registers its REST endpoints using the register_rest_route() function (Developer.WordPress.org). All endpoints start with the “hivepress/” prefix, maybe there’s a way to block all endpoints except those starting with “hivepress/”, but this would probably break other WordPress features, such as the block editor.

I fixed the first issue, and now standard login and registration is working.

I can’t fix this issue, no matter what I do.
Disabled caching, 3rd-party plugins, the login doesn’t work.

Due to the strict data protection policy, I can’t allow access to anyone from your team to join and check our website.

Hi,

Please provide more details about the login method you are testing (and in which extension), and we will try to help. Also, this issue looks like a cache issue, so I recommend checking the cache settings and clearing it additionally. Please create a new topic and describe this issue so that we can investigate it in more detail.

P.S. If you purchased a theme or extension, please enter the license key in the forum profile settings, this will enable the Premium Support badge and ensure a 24-hour turnaround time.
