I have a custom endpoint registered via register_rest_route and protected via "Protected endpoints", configured via "Apply only on specific REST endpoints".
Internally, this API makes an invocation to a separate API using the WP rest_do_request to request some REST API results, and it is invoking a REST endpoint not protected with "Protected endpoints".
Expected results:
The invocation works well: the JWT is validated, the API runs and the internal rest_do_request succeeds
Current results:
Invoking the API results in a 502 bad gateway response
What I've tried to confirm this is a bug:
If I remove the rest_do_request call from the API implementation, the API request starts working well
If I disable protected endpoints and do requests unauthenticated, the API request starts working well
What I've done to confirm why this happens:
Debugging this a bit, it seems like the code in routes/api.php is being invoked twice: first for the API call, which validates the JWT token successfully, but the invocation of rest_do_request internally calls this again, and the invocation of hasAccess fails.
Potential fix:
If I edit ProtectEndpointService.php and make sure that hasAccess checks if the user is already logged in and returns true in line 40, the API starts to work well while authenticated, so it is clear that this is the code path causing the issue. Basically, move the code in line 61 up.
Please let me know your thoughts both on this issue and the potential fix (proposed or other) to make this scenario work well.
Thanks in advance!
Bug Report
Plugin Version
3.5.6
PHP Version
8.1.29
WordPress Version
6.6.1
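The nested-dispatch failure and the short-circuit fix described in the report, modeled in plain PHP as an added example; it is not the plugin's or WordPress's code, and the class, routes and token are hypothetical. It assumes the guard runs on every dispatch and that the nested request carries no token of its own, and it scopes the reuse to nested calls of a request the guard itself verified, which is narrower than a general "user is logged in" check.

```php
<?php
declare(strict_types=1);
// Added model: not plugin or WordPress code, every name here is hypothetical.
// Assumed: the guard runs on each dispatch and nested requests carry no token.
const VALID_TOKEN = 'constructed-sample-token';

final class GuardedDispatcher
{
    private int $depth = 0;              // > 0 while a handler is running
    private bool $outerVerified = false; // set only after a token check passed

    public function __construct(private array $routes, private bool $reuseOuterVerdict) {}

    private function hasAccess(?string $token): bool
    {
        // Reuse the verdict only inside a request this guard already verified.
        if ($this->reuseOuterVerdict && $this->depth > 0 && $this->outerVerified) {
            return true;
        }
        return $token !== null && hash_equals(VALID_TOKEN, $token);
    }

    public function dispatch(string $path, ?string $token = null): array
    {
        if (!$this->hasAccess($token)) {
            return ['status' => 401, 'body' => null];
        }
        $this->outerVerified = true;
        $this->depth++;
        try {
            return ['status' => 200, 'body' => ($this->routes[$path])($this)];
        } finally {
            // Clear the verdict when the outermost call ends, so it never leaks.
            if (--$this->depth === 0) {
                $this->outerVerified = false;
            }
        }
    }
}

$routes = [
    '/inner' => fn () => 'inner data',
    '/outer' => fn (GuardedDispatcher $g) => $g->dispatch('/inner'),
];
foreach ([false, true] as $reuse) {
    $d = new GuardedDispatcher($routes, $reuse);
    $nested = $d->dispatch('/outer', VALID_TOKEN)['body']['status'];
    printf("reuse=%d nested=%d anonymous=%d\n", $reuse, $nested, $d->dispatch('/outer')['status']);
}
```

With reuse off, the nested call is denied even though the outer token was valid; with reuse on, the nested call succeeds while an outer call without a token is still rejected.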