BuddyPress App not working with Memberpress


We are using BuddyBoss Platform Pro + Theme. Recently we also invested in the BuddyBoss App (released earlier this year).

Our intent all along was to create a membership site and have our subscribers pay for access to content. BuddyBoss highlights their integration with Memberpress extensively on their site, has integration features that support it, video tutorials about how to set it up, etc. Memberpress is working well for us with BuddyBoss Platform Pro and Theme.

However, we have been unable to get it to protect content in the BuddyBoss App (iOS and Android). I opened a ticket with BuddyBoss and, after a week of no meaningful response, they offered the following:

> As per checking with the development team here is the update:
>
> For MemberPress, It does not protect blog posts in the REST API and App is using REST API to show blog post in a Native way. So if the MemberPress protect content in blog REST endpoint then blog post would not show in App as well.
>
> Regards,
> BuddyBoss Customer Support

We have a general rule in Memberpress that protects all Wordpress Posts. From this response, it appears that BuddyBoss did not consider that users of their App would want to protect the content, even though that feature is heavily promoted on their Platform and Theme value prop.

Is anyone else experiencing this issue, and does anyone have a suggestion to solve it? We already have thousands of users of the App, and they are getting free access to our content subverting our subscriptions business model.


There are 1 best solutions below

So, just to put a bit of context on BuddyPress's answer: in short, what Memberpress does is restrict front-end access, but any REST API request can still be performed; therefore, anyone with a bit of knowledge can access your restricted content.

I'm not familiar with any of those services (BuddyPress) so the following answer is regarding the Wordpress REST API in general.

You can require authentication for all REST API requests by adding an is_user_logged_in check to the rest_authentication_errors filter, which will block any external request, locking down your content for logged-in users. This can be easily adapted to a specific role, e.g. when a paid membership is used.

The following example will block any REST API request for non-logged-in users and non-admins.

<?php

if ( ! defined( 'ABSPATH' ) ) {

    exit; 

}

/**
 * Require authentication for all requests. Prevent blank or empty bots request.
 * 
 * Filters REST API authentication errors. 
 * 
 * @link https://developer.wordpress.org/rest-api/frequently-asked-questions/#require-authentication-for-all-requests
 */
add_filter( 'rest_authentication_errors', function( $result ) {

    // If a previous authentication check was applied,
    // pass that result along without modification.
    if ( true === $result || is_wp_error( $result ) ) {

        return $result;

    }

    // No authentication has been performed yet.
    // Return an error if user is not logged in or isn't an Admin, Editor or Author
    if ( ! is_user_logged_in() || ! current_user_can( 'publish_posts' ) ) {

        // Refresh header syntax is "<seconds>; url=<target>".
        header( 'Refresh: 1; url=' . esc_url_raw( home_url() ) );

        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in OR are not allowed.' ),
            array( 'status' => 401 )
        );

    }

    // Our custom authentication check should have no effect
    // on logged-in requests
    return $result;
    
} );
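
The adaptation to a paid membership mentioned in the answer could look like the sketch below. This is an added example, not the answerer's code or anything from BuddyBoss or MemberPress. It gates only the core posts routes instead of the whole REST API, and it assumes paying members hold a capability named `read_premium_posts`, a hypothetical name that must be mapped to whatever role or capability your membership plugin actually grants.

```php
<?php
// Added example. Assumption: members hold the hypothetical capability
// 'read_premium_posts'; replace it with the role or capability that your
// membership plugin really assigns to active subscribers.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Gate only the core posts routes, leaving the rest of the REST API usable
 * (login, profiles, and so on) for every client.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {

    // Respect a response or error already produced by an earlier callback.
    if ( null !== $result ) {
        return $result;
    }

    // Matches /wp/v2/posts and /wp/v2/posts/<id>, but no other route.
    if ( ! preg_match( '#^/wp/v2/posts(/|$)#', $request->get_route() ) ) {
        return $result;
    }

    // Authors and above keep access; members need the assumed capability.
    if ( current_user_can( 'publish_posts' ) || current_user_can( 'read_premium_posts' ) ) {
        return $result;
    }

    // 401 for anonymous requests, 403 for logged-in users without access.
    return new WP_Error(
        'rest_members_only',
        __( 'This content requires an active membership.' ),
        array( 'status' => rest_authorization_required_code() )
    );

}, 10, 3 );
```

Any other route that returns post data, such as `/wp/v2/search` or a plugin's own namespace, needs the same check. Confirm the result by requesting a protected post without credentials and checking for the 401 response.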