Replies: 0
I can’t tell if it’s possible but I’m using Cookie authentication with the REST API on a custom post type with posts that are published, but password-protected. When I’m logged in I can use the API to update a postmeta field, but if not logged in I get a 401 error that I’m not authorized.
My users will have the password to the protected post to view its content, and I want them to be able to trigger the postmeta update without having to create accounts. Is there a way to use the wp-postpass_{HASH_GOES_HERE} cookie that wordpress sets to authenticate through the REST API to allow something like this.
I understand that a post password isn’t as secure as a user name / pw login, but this doesn’t need to be secure from hostile state actors, just a small hurdle to prevent nosy neighbors from peeking and the page is served over https so it should be tough to grab the page pw just by intercepting the request.
Is it possible to allow API requests to edit with POST, PATCH, or PUT with a user only having a post password access but not being logged in?