=== REST API Route Tester ===
Contributors: jawad0501
Tags: rest-api, api, testing, developer-tools
Requires at least: 5.0
Tested up to: 7.0
Stable tag: 1.5.0
Requires PHP: 8.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

A WordPress admin tool to quickly test REST API routes, path params, headers, body payloads, and copy requests as cURL.

== Description ==

REST API Route Tester is a powerful tool for WordPress developers and administrators to test and debug REST API endpoints. It provides a user-friendly interface to:

* View all registered REST API routes
* Test routes with different HTTP methods (GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD)
* Switch between different user roles to test permissions
* Send custom headers and body data
* View detailed responses including status codes and timing
* Request history and saved requests with full state restore
* WordPress 7.0 AI helpers: explain responses and suggest request bodies (when Connectors are configured)
* Abilities API integration for agent workflows

== Installation ==

1. Upload the plugin files to the `/wp-content/plugins/rest-api-route-tester` directory, or install the plugin through the WordPress plugins screen directly.
2. Activate the plugin through the 'Plugins' screen in WordPress
3. Use the Tools->REST Route Tester screen to use the plugin

== Frequently Asked Questions ==

= What permissions do I need to use this plugin? =

You need to have the 'manage_options' capability to use this plugin, which is typically granted to administrators.

= Can I test authenticated endpoints? =

Yes, you can test authenticated endpoints by selecting different user roles from the dropdown menu.

= How do I report bugs and request features? =

Please open a topic in our WordPress.org support forum with:

* WordPress version and PHP version
* Route and HTTP method
* Headers/body sample (remove secrets)
* Expected result vs actual result

Support forum: https://wordpress.org/support/plugin/rest-api-route-tester/

== Changelog ==

= 1.5.0 =
* Tested up to WordPress 7.0
* Fixed: custom headers and GET query parameters are now applied to REST requests
* Fixed: capability checks on all AJAX endpoints; safer JSON handling for headers/body
* Fixed: saved requests persist role, auth preset, and URL parameters
* Added: Request history tab (last 50 tests) with one-click restore
* Added: Explain response and Suggest body using WP AI Client (WordPress 7.0+)
* Added: Abilities `wprrt/list-rest-routes` and `wprrt/test-rest-route`
* Improved: namespace-based route filter (e.g. wp/v2); admin UI polish for WP 7.0

= 1.4.1 =
* Fixed role-based testing: REST permission checks now evaluate as the selected role or guest, not the logged-in administrator
* Added Guest (logged-out user) option for testing public vs authenticated routes
* Restored original user context and removed temporary filters after each test request

= 1.4.0 =
* Added URL parameter inputs for routes containing tokens such as `{id}`
* Param values are URL-encoded, substituted at send time, and persisted in localStorage
* Added "Copy as cURL" button with method, resolved URL, headers, and body
* Fixed resolved-route validation against regex-based WordPress route patterns
* Fixed route display formatting for complex regex-style parameters (named captures now render as clean `{param}` tokens)
* Added `rest_url` in `wprrt_vars` for more accurate generated cURL commands
* Added JS modules: `src/params.js` and `src/export.js`

= 1.3.0 =
* Added Saved Requests sidebar — save any request by name, click to restore into active tab
* Added auth preset dropdown (No Auth, Bearer Token, API Key, Basic Auth) — auto-fills Headers field
* Saved requests persisted per-user in wp_usermeta (max 100, newest first)
* New PHP class WPRRT_Saved_Requests with save, get_all, delete methods
* New AJAX actions: wprrt_save_request, wprrt_get_saved_requests, wprrt_delete_request
* Auth type selection persisted in localStorage tab state
* Two-column layout: sidebar left, request/response right

= 1.2.0 =
* Introduced Vite build system — source now lives in src/ and compiles to assets/app.js
* Modular JS architecture: state.js, tabs.js, request.js, response.js, main.js
* Added PrismJS syntax highlighting for JSON responses (GitHub-flavoured light theme)
* Build commands: npm run build (production), npm run dev (watch mode)
* Fixed: empty request body was rejected with "Invalid JSON data" — empty string now correctly defaults to {}

= 1.1.0 =
* Security: Fixed XSS vulnerability in route dropdown — route names now inserted via textContent, never innerHTML
* Security: test_route() now wrapped in try/finally so temporary test users are always deleted
* Security: Added 512 KB payload size limit on request body
* Security: Added route existence validation — unknown routes are rejected before execution
* Added support for PATCH, OPTIONS, and HEAD HTTP methods
* Response now returns HTTP status code and response headers alongside body data
* Response panel now shows a color-coded status badge (2xx green, 3xx blue, 4xx yellow, 5xx red)
* Response time displayed as a readable line above the body, not embedded in JSON
* Added collapsible Response Headers section in the response panel
* Fixed formatRoute() regex to correctly handle optional parameter groups
* AJAX failures now show a visible inline error message instead of a silent blank state
* Removed all debug console.log() calls from production JS
* Removed permanently-hidden dead "Form Params" field
* JS globals wrapped in WPRRT namespace object to avoid conflicts

= 1.0.0 =
* Initial release

== Upgrade Notice ==

= 1.5.0 =
Major update: headers and GET params now work correctly, plus history, WP 7.0 AI helpers, and Abilities API. Recommended for all users.

= 1.4.1 =
Hotfix: correct role and guest simulation for REST permission checks. Recommended if you use role-based route testing.

= 1.1.0 =
Security release. Fixes XSS in route dropdown, orphaned test user leak, and missing input validation. Upgrade recommended.

= 1.0.0 =
Initial release
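
The 1.4.0 changelog entries describe rendering named captures as `{param}` tokens, URL-encoding parameter values at send time, and validating the resolved route against the regex-based route pattern. The JavaScript below is an added illustration of that flow, not the plugin's own `src/params.js`; the function names, the sample routes, and the assumption that each capture body is valid in both PCRE and JavaScript regex syntax are hypothetical.

```javascript
// Added example with hypothetical helper names; not the plugin's src/params.js.
// Assumes each capture body is valid in both PCRE and JavaScript regex syntax.
// Split a WordPress route pattern into literal text and named captures,
// tracking nesting, escapes and character classes inside each capture.
function parseRoute(pattern) {
  const parts = [];
  let i = 0, literal = '';
  while (i < pattern.length) {
    const m = /^\(\?P<(\w+)>/.exec(pattern.slice(i));
    if (!m) { literal += pattern[i++]; continue; }
    if (literal) { parts.push({ literal }); literal = ''; }
    const start = i + m[0].length;
    let j = start, depth = 1, inClass = false;
    for (; j < pattern.length && depth > 0; j++) {
      const c = pattern[j];
      if (c === '\\') j++;                      // skip the escaped character
      else if (inClass) inClass = c !== ']';
      else if (c === '[') inClass = true;
      else if (c === '(') depth++;
      else if (c === ')') depth--;
    }
    if (depth !== 0) throw new Error('Unbalanced group in route pattern');
    parts.push({ name: m[1], regex: pattern.slice(start, j - 1) });
    i = j;
  }
  if (literal) parts.push({ literal });
  return parts;
}

// Display form: every named capture becomes a clean {param} token.
function formatRoute(pattern) {
  return parseRoute(pattern).map((p) => (p.name ? `{${p.name}}` : p.literal)).join('');
}

// Send-time form: validate each raw value against its own capture regex,
// then URL-encode it so it cannot add path segments or a query string.
function resolveRoute(pattern, params) {
  return parseRoute(pattern).map((p) => {
    if (!p.name) {
      if (/[()[\]?*+|\\]/.test(p.literal)) throw new Error('Regex syntax outside a named capture is not handled here');
      return p.literal;
    }
    const value = String(params[p.name] ?? '');
    if (!new RegExp(`^(?:${p.regex})$`).test(value)) throw new Error(`Value for {${p.name}} does not match ${p.regex}`);
    return encodeURIComponent(value);
  }).join('');
}

// Constructed sample route and value.
console.log(resolveRoute('/example/v1/files/(?P<path>.+)', { path: 'a/b?x=1' }));
```

Validating the raw value before encoding rejects input such as `42/../users` for a `[\d]+` capture, while encoding keeps a permissive capture such as `.+` from changing the path structure or appending a query string.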