Address concerns about WordPress authenticated post preview recommendations

[montchr]

Verify canary release

• I verified that the issue exists in the latest Next.js canary release

Provide environment information

n/a

Originates in recommendations within documentation, and results in the "working" but potentially-insecure implementation of those recommendations.

Which example does this report relate to?

cms-wordpress

What browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

No response

Describe the Bug

The example circumvents pre-existing security/authorization controls implemented within WordPress core. Users should be able to reasonably expect that a Next.js-based implementation of post previews provides the same level of security and access control as that of WordPress core.

Additionally relevant: #29877 was closed and locked without providing any explanation as to the verification process. How was the verified reproduction performed?

The response is somewhat alarming considering the prominence of the cms-wordpress example, however the unceremonious closure and locking of #29877 results in the flagged misuse of WordPress authentication being buried without context, forcing the original commenter's concerns to go unaddressed, and allowing the potential issues in the example to proliferate.

Expected Behavior

The official example should provide a gold standard baseline for Next.js integration with WordPress, especially with regard to authenticated post previews, as at the time of writing, the WordPress+Next.js ecosystem is populated by numerous differing implementations of post preview functionality over the years, and it would be very much appreciated if Next.js provided an example implementation using authentication best-practices.

For example, an approach leveraging per-user WordPress Application Passwords.

To Reproduce

See #29877 –

Or, roughly:

• Follow the guide for setting up post previews.
• As an Administrator user, create a test post without publishing (save as draft)
• Copy the post preview URL and open in a private browser session: the post should not be visible without authentication according to WordPress core user permissions
• Create a new WordPress user with a lower-privileged Role like "Contributor", which does not have the ability to view, edit, or manage anyone's posts except for their own
• Log in as the new user in a private browser session
• Go to the preview URL for the unpublished post created by the Administrator user – it should not be accessible

[montchr]

Also see the numerous upstream issues for the plugin recommended in the Next.js example:

• Difference between authToken and refreshToken wp-graphql/wp-graphql-jwt-authentication#136
• Why both refresh and auth tokens are valid to authorize mutation requests?! wp-graphql/wp-graphql-jwt-authentication#144
• Resolve #144 & avoid misusing Refresh-token as Auth-token for Authorisation wp-graphql/wp-graphql-jwt-authentication#145

[balazsorban44]

Thanks for opening this issue! As a note, examples are not part of Next.js, and its auditing, so we mostly rely on the community to keep them up-to-date and to the standards. That said, I pinged some team members to see if we have the capacity to look into this specific integration.

In any case, if you have a suggestion to improve the example, we welcome PRs! 🙏

Regarding the closing of #29877, I agree it might have been a bit premature to close it, I apologize! I think the confusion was that it used the wrong issue template (we have the one for examples, the one that you used) and most of the required steps were skipped, so we discarded it a bit too quickly. Again, thanks for reopening though!