Always verify the token, if provided

jkmassel · jkmassel · commit 2cdbd5509600 · 2019-04-24T20:24:13.000-06:00
Per #5 (comment)
diff --git a/wp-includes/rest-api/auth/class-wp-rest-token.php b/wp-includes/rest-api/auth/class-wp-rest-token.php
@@ -272,10 +272,11 @@ public function require_token() {
 			$require_token = false;
 		}
 
-		// GET requests do not require authentication, but if a valid token is provided, requests should
+		// GET requests do not require authentication, but if
+		// the Authorization header is provided, requests should
 		// be performed as the user corresponding to that token.
-		if ( 'GET' === $request_method && is_wp_error( $this->validate_token() ) ) {
-			$require_token = false;
+		if ( 'GET' === $request_method && ! is_wp_error( $this->get_auth_header() ) ) {
+			$require_token = true;
 		}
 
 		// Don't require authentication to generate a token.

Original file line number	Diff line number	Diff line change
`@@ -272,10 +272,11 @@ public function require_token() {`
`272`	`272`	`$require_token = false;`
`273`	`273`	`}`
`274`	`274`
`275`		`- // GET requests do not require authentication, but if a valid token is provided, requests should`
	`275`	`+ // GET requests do not require authentication, but if`
	`276`	`+ // the Authorization header is provided, requests should`
`276`	`277`	`// be performed as the user corresponding to that token.`
`277`		`- if ( 'GET' === $request_method && is_wp_error( $this->validate_token() ) ) {`
`278`		`- $require_token = false;`
	`278`	`+ if ( 'GET' === $request_method && ! is_wp_error( $this->get_auth_header() ) ) {`
	`279`	`+ $require_token = true;`
`279`	`280`	`}`
`280`	`281`
`281`	`282`	`// Don't require authentication to generate a token.`