WP blocks, raw data and the auths


I’m at the point now where I want to try parsing the raw content of the posts with the new editor / Gutenberg block data. The post endpoints in both the REST API and wp_graphql contain a field with the data I need, but it’s only exposed to users with the edit_posts capability (and a few related ones, since the check is “can this user edit this post”).

As an aside, the field looks like this:

[image: the content in a format readable by the block editor, i.e. the HTML wrapped in the block editor’s HTML comments]

Whereas the one we usually use (readable by everyone) looks like this:

[image: the content (rendered) from a REST API post endpoint, as more boring HTML with no HTML comments relating to the block editor]

Going back to the original issue, I want to get the “raw” content: post.content.raw in the REST API and the content(format: RAW) field in wp_graphql. Both require the user to have the edit_posts capability, so I can’t do it without authentication.

Instead of the whole story of how I got here (it’s not only boring but goes round and round in circles) I’m going to go through what I’ve decided to do.

  • make a new user with the correct capabilities exclusively for the purpose of reading these fields. I don’t want to use my user account for this: I can do anything, I am the god of this blog and am not giving that power away to anyone.
  • make a little thing so I can click a link or two in the admin area and stop that user from reading the raw posts and from having the ability to edit posts.

I think for the most part short-lived tokens / easily revocable tokens are the answer, but looking at my requirements and thinking through how I would handle this in Netlify, I’m not going to do that.

Authentication and authorisation are two completely different things. The token only proves which user is making the request; what that user is allowed to read is decided by their capabilities on every request. In this case it is easier and more straightforward to de-authorise the new user than to revoke authentication. So that’s what I’m going to do.

For this one user, I’m going to filter the expiration bit of the token to something super long, and then switch the user’s role in wp-admin to de-authorise it if I so desire. This is as opposed to clicking a button to revoke a token. It should take the same number of clicks, or maybe one more depending on how ajaxy everything is. (For other users, e.g. for user-generated content, I would do it the normal way, short-lived token plus long-lived refresh token, so that they could manage the access themselves. But this is not a real user, it’s a proxy for me, albeit with fewer capabilities.)
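Here is an added example of what those pieces look like as one small plugin. It is not the author’s plugin (that lives in the repo linked below); the user login, role slug and admin-post action names are invented for this example, and the filter hook `graphql_jwt_auth_token_before_sign` is the one I understand the WPGraphQL JWT Authentication plugin runs (with the token payload and the WP_User) just before signing, so check it against the installed version.

```php
<?php
/**
 * Plugin Name: Raw Content Reader (added example)
 * Description: Dedicated low-capability user for pulling block-editor raw content
 *              over WPGraphQL, a long-lived JWT for that user only, and a one-click
 *              de-authorise / re-authorise link in the admin bar.
 */

// Hypothetical names chosen for this example.
const RCR_USER_LOGIN = 'raw-content-reader';
const RCR_ROLE       = 'raw_content_reader';
const RCR_ACTION     = 'rcr_toggle_reader';
const RCR_TOKEN_TTL  = 10 * YEAR_IN_SECONDS; // "something super long"

// 1. A role with only the capabilities the raw field needs. Core's map_meta_cap() turns
//    "edit this published post written by someone else" into edit_posts + edit_others_posts
//    + edit_published_posts, and both REST (context=edit) and WPGraphQL (content(format: RAW))
//    gate the raw field on being able to edit the post. Nothing else (publish, delete,
//    upload, manage) is granted.
register_activation_hook( __FILE__, function () {
	add_role( RCR_ROLE, 'Raw Content Reader', [
		'read'                 => true,
		'edit_posts'           => true,
		'edit_others_posts'    => true,
		'edit_published_posts' => true,
	] );
	if ( ! get_user_by( 'login', RCR_USER_LOGIN ) ) {
		// Random throwaway password: set a real one in wp-admin before minting the token.
		wp_insert_user( [
			'user_login' => RCR_USER_LOGIN,
			'user_pass'  => wp_generate_password( 48, true, true ),
			'user_email' => RCR_USER_LOGIN . '@' . wp_parse_url( home_url(), PHP_URL_HOST ),
			'role'       => RCR_ROLE,
		] );
	}
} );

// 2. Long-lived token for this one user only (assumed hook name, see lead-in).
//    Everyone else keeps the plugin's default short expiry.
add_filter( 'graphql_jwt_auth_token_before_sign', function ( $token, $user ) {
	if ( $user instanceof WP_User && RCR_USER_LOGIN === $user->user_login ) {
		$token['exp'] = time() + RCR_TOKEN_TTL;
	}
	return $token;
}, 10, 2 );

// 3. De-authorise without touching the token: the JWT keeps authenticating, but every
//    request now resolves to a user with no edit_* capabilities, so the raw field is
//    refused immediately. Re-authorising is the reverse role switch.
add_action( 'admin_bar_menu', function ( $bar ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$reader = get_user_by( 'login', RCR_USER_LOGIN );
	$active = $reader && in_array( RCR_ROLE, (array) $reader->roles, true );
	$state  = $active ? 'off' : 'on';
	$url    = wp_nonce_url(
		admin_url( 'admin-post.php?action=' . RCR_ACTION . '&state=' . $state ),
		RCR_ACTION
	);
	$bar->add_node( [
		'id'    => 'rcr-toggle',
		'title' => $active ? 'De-authorise raw reader' : 'Re-authorise raw reader',
		'href'  => $url,
	] );
}, 100 );

add_action( 'admin_post_' . RCR_ACTION, function () {
	// Capability check, then the nonce: a GET link must not be replayable via CSRF.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed', 403 );
	}
	check_admin_referer( RCR_ACTION );
	$reader = get_user_by( 'login', RCR_USER_LOGIN );
	if ( $reader ) {
		$on = isset( $_GET['state'] ) && 'on' === $_GET['state'];
		$reader->set_role( $on ? RCR_ROLE : 'subscriber' ); // subscriber: read only, no edit_posts
	}
	wp_safe_redirect( wp_get_referer() ?: admin_url( 'users.php' ) );
	exit;
} );
```

After activation, set the reader’s password in wp-admin, mint the token once with the plugin’s `login` mutation, and put only the resulting token in the build environment. De-authorising works because WordPress re-evaluates capabilities on every request rather than trusting anything inside the token; deleting the user has the same effect, since the token then maps to no user at all.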

When it comes to Netlify, I will generate the access token via Postman and store that in their environment variables place. If something goes wrong, if those credentials stored in plain text ever get stolen, I’ll change the user role or delete the user to stop it from doing any damage. This also has the benefit of being immediate: once it’s changed, it’s changed. I don’t need to wait for the token to expire. Until I do that, the worst a stolen token can do is whatever that proxy user can do, which is read raw content and edit posts, and nothing else.

And omg it works: here’s the repo for the plugin I made, which makes a dummy user with a long-lived WP_GraphQL JWT that you can then use to pull the raw content into wherever.

Proof!

[image: the block-editor-consumable HTML, more neatly formatted than above because I got it onto my static page, YAY! But not this static page, I switched back to content(format: RENDERED) for that 🙂]
