
WordPress REST API - How to Authenticate without a plugin


I've used the WooCommerce REST API for a number of years and I now need to try and upload some media files to WordPress so we can reference these when adding Product Images to existing Products, as the WooCommerce REST API doesn't allow for uploading image files directly. I have no experience with any WordPress REST API implementations as yet.

I'm pretty confused at this stage as to whether I need to use a WordPress plugin to allow my remote application (using cURL) to be able to upload files to the Media endpoint. I saw something about not using basic authentication but I can't see any settings within WordPress itself to create API keys like you do for WooCommerce.

Do I need to use a plugin to enable REST API access to allow remote uploading of media files? From what I've read the REST API is not in the WordPress core (I'm running WordPress 4.9.2) but I can't see where I set up authentication for the API requests?


Solution

  • There are different authentication schemes and for remote applications / integrations, you will generally need a plugin to authenticate.

    The default idea is one logs into WordPress (e.g. wp-login.php) and that authorizes that user for any REST API functionality that might require it. An example use-case where this is suitable is a plugin that adds a page in the admin dashboard and its back/forth with the server is implemented via JS + REST API. No additional plugins or anything of the sort is required, especially now that the REST API is part of the core.

    For integrations, currently decent options include an OAuth plugin, JWT, and the Application Passwords plugin.

    Since you're using cURL and loading data ad-hoc, the Application Password plugin could be a pretty straightforward choice that's easy to manage. Once the plugin is installed + activated, given a user, you can edit their profile and add one or more Application Passwords (and disable them). The idea is you use a different password for each application where you want to authenticate as that user.

    To use an Application Password, base64-encode "USERNAME:APPLICATION_PASSWORD" and then incorporate the resulting value in an Authorization header along with any requests.

    Suppose you create an Application Password for username and the plugin generates "WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ". At a shell prompt you could generate the required base64-encoded format:

    echo -n "username:WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ" | base64

    For the sake of example, suppose the base64 output is: "AAAAAAAAABBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDD=". You could then use this value in the Authorization header of any requests:

    curl --header "Authorization: Basic AAAAAAAAABBBBBBBBBBBBCCCCCCCCCCCCCCCDDDDDDDDDDD=" -X POST -d "title=Editing a Post Title with REST API" https://example.com.test/wp-json/wp/v2/posts/<ID>

    It is important to use SSL/TLS, as the Authorization header can be sniffed out by an attacker if it were transmitted in plaintext.

    Plugin link:

    https://wordpress.org/plugins/application-passwords/
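The Application Password flow from the answer above, put into a small shell script that also does the media upload the question asked about. This is an added example, not code from the answer or from the plugin; the site URL, user name and password are the answer's placeholders, and the names `wp_basic_auth_token`, `wp_upload_media` and `CURL` are chosen here.

```shell
#!/bin/sh
# Added example (not part of the original answer). Assumes a user "username"
# with the application password "WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ" (the answer's
# placeholders) on a site served over HTTPS at https://example.com.test.

# Print the base64 token for "USER:APP_PASSWORD". printf is used instead of
# "echo -n": POSIX echo has no -n, and a stray trailing newline would end up
# inside the credential and make every request fail with 401.
# Spaces inside the application password are kept as-is.
wp_basic_auth_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Upload FILE to /wp-json/wp/v2/media. The REST API takes the file name from
# the Content-Disposition header and the MIME type from Content-Type.
# --fail makes curl exit non-zero on an HTTP error (e.g. 401 for a rejected or
# disabled application password) instead of returning the error page as data.
# CURL may be overridden (even with a shell function) to run without a network.
: "${CURL:=curl}"
wp_upload_media() {
    site=$1; user=$2; app_password=$3; file=$4; mime=$5
    token=$(wp_basic_auth_token "$user" "$app_password")
    "$CURL" -sS --fail \
        -H "Authorization: Basic $token" \
        -H "Content-Disposition: attachment; filename=\"$(basename "$file")\"" \
        -H "Content-Type: $mime" \
        --data-binary "@$file" \
        "$site/wp-json/wp/v2/media"
}

# Usage (real upload; the JSON reply carries the new attachment's id and source_url):
# wp_upload_media https://example.com.test username "WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ" ./photo.jpg image/jpeg
```

curl can also build the header itself with `--user "username:WXYZ WXYZ WXYZ WXYZ WXYZ WXYZ"`, which avoids the manual base64 step entirely.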