WP-API · graham73may · Mar 21, 2016 · Mar 21, 2016 · Mar 21, 2016 · Jun 30, 2018
diff --git a/README.md b/README.md
@@ -32,3 +32,63 @@ $args = array(
 
 [oauth]: https://github.com/WP-API/OAuth1
 [RFC2617]: https://tools.ietf.org/html/rfc2617
+
+--- 
+
+## Forcing all API requests to require authorisation
+
+A few notes on making this work on servers with php-cgi.
+
+### .htaccess
+If you're using php-cgi you'll need to tweak the .htaccess file slightly. (more info about the issue: https://github.com/LearningLocker/learninglocker/issues/131)
+
+Change the Wordpress block in .htaccess in the root folder to: 
+
+```
+# BEGIN WordPress
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
+</IfModule>
+
+# END WordPress
+```
+
+Then you'll want to stop Wordpress from overwriting this if you save permalinks. 
+
+Add this to your functions.php file: (You'll still be able to update your permalinks don't worry...)
+
+```
+// Stop WordPress from modifying .htaccess permalink rules
+add_filter('flush_rewrite_rules_hard','__return_false');
+```
+
+### Check for authorisation
+
+Now we're able to get the right headers when running php-cgi, add this to your functions.php file: 
+
+What we're doing here is returning the result if they are logging in, or returning an error if they are not logged in. 
+
+```
+// Check user is logged in before returning API results
+add_filter('rest_pre_dispatch', function ($result) {
+
+    global $DI;
+
+    if (is_user_logged_in()) {
+        return $result;
+    } else {
+        return [
+            'error_code' => 'rest_requires_authentication',
+            'message'    => 'Using REST requires authentication.',
+            'status'     => '403'
+        ];
+    }
+});
+
+
+```
diff --git a/basic-auth.php b/basic-auth.php
@@ -18,6 +18,18 @@ function json_basic_auth_handler( $user ) {
 		return $user;
 	}
 
+    if ( !isset( $_SERVER['PHP_AUTH_USER'] ) && ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) || isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) ) {
+        if ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
+            $header = $_SERVER['HTTP_AUTHORIZATION'];
+        } else {
+            $header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
+        }
+
+        if ( !empty( $header ) ) {
+            list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', base64_decode(substr( $header, 6 ) ) );
+        }
+    }
+
 	// Check that we're trying to authenticate
 	if ( !isset( $_SERVER['PHP_AUTH_USER'] ) ) {
 		return $user;