Merge pull request WP-API#9 from WP-API/avoid-infinite-recursion

Avoid attempting to authenticate on internal requests

Author: rmccue

lib/class-wp-json-authentication-oauth1.php

@@ -27,6 +27,14 @@ class WP_JSON_Authentication_OAuth1 extends WP_JSON_Authentication {
 	 */
 	protected $auth_status = null;
 
+	/**
+	 * Should we attempt to run?
+	 *
+	 * Stops infinite recursion in certain circumstances.
+	 * @var boolean
+	 */
+	protected $should_attempt = true;
+
 	/**
 	 * Parse the Authorization header into parameters
 	 *
@@ -129,7 +137,7 @@ public function get_parameters( $require_token = true, $extra = array() ) {
 	 * @return WP_User|null|WP_Error Authenticated user on success, null if no OAuth data supplied, error otherwise
 	 */
 	public function authenticate( $user ) {
-		if ( ! empty( $user ) ) {
+		if ( ! empty( $user ) || ! $this->should_attempt ) {
 			return $user;
 		}
 

lib/class-wp-json-authentication.php

@@ -31,6 +31,8 @@ public function __construct() {
 	abstract public function authenticate( $user );
 
 	public function get_consumer( $key ) {
+		$this->should_attempt = false;
+
 		$query = new WP_Query();
 		$consumers = $query->query( array(
 			'post_type' => 'json_consumer',
@@ -47,6 +49,8 @@ public function get_consumer( $key ) {
 			),
 		) );
 
+		$this->should_attempt = true;
+
 		if ( empty( $consumers ) || empty( $consumers[0] ) )
 			return new WP_Error( 'json_consumer_notfound', __( 'Consumer Key is invalid' ), array( 'status' => 401 ) );