Thanks for being an early tester of Application Passwords!
Application Passwords works like other REST API authentication mechanisms, where the current user is set automatically according to the credentials passed to WordPress.
So in your permission callback, you should verify based on a user’s capabilities, not on the fact that they successfully used an Application Password. For instance,
current_user_can( 'edit_posts' ).
Checking that they used an App Password is strongly discouraged.
1. It ties your REST API route to a specific means of authentication. That means it won’t work with cookie based authentication, or if new auth mechanisms are introduced they won’t work either. Additionally, it makes it significantly more complex to unit test.
2. Any user can have an App Password, it doesn’t tell you anything about their capabilities. That’s why you should always use the Capabilities API.
Thanks for the explanation, it makes a lot of sense, and I was indeed thinking about it in the wrong way 🙂