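get_header('X-API-Key');
        if (!empty($key)) return $key;

        // 2. Authorization: Bearer
        $auth = $request->get_header('Authorization');
        if (!empty($auth)) {
            $parts = explode(' ', $auth);
            if (count($parts) === 2 && strtolower($parts[0]) === 'bearer') {
                return $parts[1];
            }
        }

        // 3. Query parameter
        $key = $request->get_param('api_key');
        if (!empty($key)) return $key;

        // 4. Server variable (proxy)
        if (!empty($_SERVER['HTTP_X_API_KEY'])) {
            return $_SERVER['HTTP_X_API_KEY'];
        }

        return null;
    }

    /**
     * Permission callback for REST API routes.
     *
     * Obtains the presented key through self::extract_key_from_request() and
     * checks it with self::validate_api_key(). Returns a 401 error when no key
     * was supplied, a 403 error when the supplied value is not a string or is
     * rejected by validate_api_key(), and true otherwise.
     *
     * Security notes:
     * - The error text below advertises the `api_key` request parameter. A key
     *   sent in the URL can be recorded in access logs, proxy logs and Referer
     *   headers; header transport avoids that exposure.
     * - NOTE(review): validate_api_key() is defined outside this view. Confirm
     *   it compares keys in constant time (hash_equals()) and that failed
     *   attempts are logged or rate limited somewhere.
     *
     * @param \WP_REST_Request $request
     * @return bool|\WP_Error
     */
    public static function check_permission($request) {
        $api_key = self::extract_key_from_request($request);

        if (empty($api_key)) {
            return new \WP_Error(
                'rest_forbidden',
                'API key is required. Provide via X-API-Key header or api_key parameter.',
                ['status' => 401]
            );
        }

        // A request parameter may be submitted as an array (api_key[]=...).
        // Only a string can be a key, so anything else is rejected here instead
        // of being handed to the validator with an unexpected type.
        if (!is_string($api_key) || !self::validate_api_key($api_key)) {
            return new \WP_Error(
                'rest_forbidden',
                'Invalid API key.',
                ['status' => 403]
            );
        }

        return true;
    }

    /**
     * Check if current request targets our API endpoints.
     *
     * This is a substring test: it returns true when '/wpu/' occurs anywhere in
     * $_SERVER['REQUEST_URI'], including the query string, and false when the
     * variable is not set. Because a client controls the whole URI, treat the
     * result as a routing hint only and never as an authorization decision;
     * access control belongs in the route's permission callback.
     *
     * NOTE(review): the query string is presumably matched on purpose so that
     * `?rest_route=/wpu/...` style requests are recognised. Confirm before
     * narrowing this to the path component.
     *
     * @return bool
     */
    public static function is_wpu_api_request() {
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

        return strpos($uri, '/wpu/') !== false;
    }
}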