Basic-Auth
Basic-Auth copied to clipboard
WP-API
Basic Authentication not working with WP REST APIv2
hi Everybody,
I'm trying to use basic authentication with WP REST API v2 plugin (https://github.com/WP-API/WP-API). But whatever i tried the api returns "Sorry, you are not allowed to ...". Error. I'm using Postman as a client and can see it that correctly set "Authorization" header in the request.
For example if i post here: http://mywebsite.com/wp-json/wp/v2/posts/ Body: { "title": "Hello Updated World!", "content_raw": "Howdy updated content.", "date": "2013-04-01T14:00:00+10:00" }
The response is: { "code": "rest_cannot_create", "message": "Sorry, you are not allowed to create new posts.", "data": { "status": 401 } }
I'd appreciate some help here.
Thanks, Ruben
Adding those into .htaccess solves the problem for me: RewriteCond %{HTTP:Authorization} ^(.) RewriteRule ^(.) - [E=HTTP_AUTHORIZATION:%1]
Though, this files gets overwritten every time to edit the plugin.
Actually this is not a complete solution and more is a workaround. From time to time wordpress overwrites .htaccess files and the changes are lost.
Hi !
Exact same problem for me.
I am using WP REST API v2, and this plugin.
Making a GET request with the Postman Chrome App :
https://website.com/wp-json/wp/v2/users/me
I use Basic Auth with a login / password of one of my editor account.
The Authorization header is added to the request.
And all I get is :
{
"code": "rest_not_logged_in",
"message": "You are not currently logged in.",
"data": {
"status": 401
}
}
Adding this to my .htaccess didn't change anything :
RewriteCond %{HTTP:Authorization} ^(.)
RewriteRule ^(.) - [E=HTTP_AUTHORIZATION:%1]
Any idea ?
I'm also experiencing same problem. I thought it was due to CGI running on Apache and its inability sometimes to manage with authentication headers. Nevertheless, when I turn to FPM over nginx the problem persists.
Add this to my .htaccess and it helped:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
See https://github.com/WP-API/WP-API/issues/2538 Not ideal but it works.
This https://github.com/WP-API/Basic-Auth/pull/32/files might also be helpful.
Have tried both /.htaccess changes, and still getting the same rest_cannot_create error.
PostMan settings:
Results:
The Service Discovery page (/wp-json/wp/json/) shows that the POST method is created for posts:
Fresh install of Wordpress on AWS (Bitnami image if that helps any)
Wordpress: 4.6
WP REST API: Version 2.0-beta13.1 and tried Version 1.2.5
JSON Basic Authentication: Version 0.1
Hey guys, after some time i finally found the fix (at least for me), It was a .htaccess issue.
The original .htaccess looked like this:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
I changed it to the following
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
The HTTP_AUTHORIZATION rule has to come before the other rules, this is because the L flag exists, the L flag means (last - stop processing rules), because of this it would never come to that rule if it was after the original wordpress rules,
Hope this helps anyone else!
.htaccess solutions not working for me.
Mine actually works fine on a local version of the site (using either command line curl or Postman) or if I use Postman to post to the live site while logged in in Chrome. Being logged into the dashboard via Chrome seems to go around the REST API authentication, perhaps related to Postman technically being a Chrome app? If I use the "Generate Code" feature in Postman and copy+paste that to CLI, it does not work.
If I try to post to the live site while not logged in in Chrome, I get the "Sorry, you cannot create new posts" error.
Hm, so local machine, where it works, is running Homestead. The live server, where it was not working, was running PHP 5.5 with cgi as the handler. I bumped it to PHP 5.6, which uses suPHP as the handler, and it now works. This link seems to imply that these .htaccess fixes should resolve this, but I didn't find that to be true. Other thoughts?
Awesome, this solved my issue posting to the Wordpress rest API. Like @koenhoeijmakers mentioned, the HTTP_AUTHORIZATION rule had to become before all other rules.
Had the same issue and the .htaccess solutions did not work for me. My issue was that apache on CGI tend to change the request headers from 'header' to 'redirect_header'. I've added this to json_basic_auth_handler function
if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) { list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6))); }
And it solved my issue
+1 on this
I'm having a similar issue but instead of trying to insert posts I'm simply trying to do a search (which also for some reason requires authentication): /wp-json/wp/v2/posts/?filter[s]=lorem
Nothing of these worked for me, i finally added this wonderful plugin that solved all my problems :+1: https://github.com/Tmeister/wp-api-jwt-auth
+1, having the same issue, hosted at GoDaddy on a Linux account. I'm just now trying to investigate, but hoping others trials prove helpful.
As WordPress themes developer, I'm not able to force my clients to change their .htaccess file so supplied solution does not apply in my case.
its solve that .. for me you can only add a line in .htaccess file is "SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1" . only add line number 4
BEGIN WordPress
to
BEGIN WordPress
I have tried to recommended fixes in this thread with no luck
.htaccess:
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule># END WordPress
and added these lines to basic-auth.php:
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) { list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6))); }
any other recommendations as to why this is not working? host is running on php 5.6 with fastCGI. Local runs fine but that is on php 7.0 with no CGI
I too had this problem, and the only thing that worked for me was this plugin: https://github.com/WP-API/Basic-Auth/blob/master/basic-auth.php
Though, it is a shame that this plugin, or any plugin for that matter, is necessary to address this issue. This should be in the core.
and second solution is you can install this plugin.. https://wordpress.org/plugins/wp-htaccess-control/ and add only one line in custom htaccess.. is SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
see this image same like
@booberchi you do realize that you post this on an issue on that exact package, do you?
@koenhoeijmakers yes. What I was unaware of initially was that this functionality was still separate from the core. Thus, searching for a solution I found this issue/plugin. For anyone else not realizing they needed a plugin to enable Basic Auth, my post is useful.