WP REST API (WP API)
[resolved] Authentication (9 posts)

  1. Juandbb
    Member
    Posted 1 year ago #

    Hello,

    Congratulations on the plugin, I'm really looking forward to seeing it in core!

    My main problem is that I cannot authenticate. I'm trying to do it using PHP and curl, but I have not succeeded so far.

    For example, if I try:

    $username = 'username';
    $password = 'password';
    $url      = 'http://example.com/wp-json/users';

    $ch = curl_init();
    // NOTE: these two options switch off TLS certificate checks; acceptable for a local
    // test, never for production (and irrelevant for the plain-http URL above)
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    // Basic credentials sent up front in the Authorization header
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        "Content-Type: application/json",
        "Accept: application/json",
        'Authorization: Basic ' . base64_encode($username . ":" . $password),
    ));
    // $_SERVER['HTTP_USER_AGENT'] is only defined when this script is itself served over HTTP
    curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
    curl_setopt($ch, CURLINFO_HEADER_OUT, true);
    $result = curl_exec($ch);
    curl_close($ch);
    var_dump(json_decode($result, true));

    I get "Sorry, you are not allowed to list users".

    Same if I try:

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30); // timeout after 30 seconds
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // CURLAUTH_ANY makes libcurl send the first request without credentials and only
    // add them after a 401 challenge; CURLAUTH_BASIC would send them immediately
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
    curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
    $result = curl_exec($ch);
    $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); // only meaningful after curl_exec()
    curl_close($ch);
    return $result;

    Can anybody help, please?

    Thanks a lot in advance!

    https://wordpress.org/plugins/json-rest-api/

  2. aryanduntley
    Member
    Posted 1 year ago #

    The plugin author has removed any in-code authentication methods and simply put in a filter hook: json_authentication_errors. So, handling authentication is up to you. If you want to use OAuth, there is a plugin/extension for this JSON REST API that handles most of the code for you. https://github.com/WP-API/WP-API/blob/master/docs/authentication.md

    I use the basic auth like so:

    curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type:application/json", "Accept:application/json", 'Authorization:Basic '. base64_encode($username.":".$password)));

    To hook into the filter, you would do something like this:

    function MineCheckAuth( $result ) {
        // the filter passes the result of any earlier handler; leave its error in place
        if ( ! empty( $result ) ) {
            return $result;
        }

        // do check auth stuff; Basic credentials sent in the headers are normally
        // found in $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'], or as the raw
        // header in $_SERVER['HTTP_AUTHORIZATION'] /
        // $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] on CGI/FastCGI hosts

        // log user in if good (wp_set_current_user)

        return true; // or return a WP_Error
        // neither will do anything by itself, but he states that these are the two valid return values.
    }
    add_filter( 'json_authentication_errors', 'MineCheckAuth' );

  3. aryanduntley
    Member
    Posted 1 year ago #

    The author does hook into the auth errors filter, but only to verify the nonce in WP cookie auth.

    /**
     * Check for errors when using cookie-based authentication
     *
     * WordPress' built-in cookie authentication is always active for logged in
     * users. However, the API has to check nonces for each request to ensure users
     * are not vulnerable to CSRF.
     *
     * @param WP_Error|mixed $result Error from another authentication handler, null if we should handle it, or another value if not
     * @return WP_Error|mixed|boolean
     */
    function json_cookie_check_errors( $result ) {
    	if ( ! empty( $result ) ) {
    		return $result;
    	}
    
    	global $wp_json_auth_cookie;
    
    	// Are we using cookie authentication?
    	// (If we get an auth error, but we're still logged in, another
    	// authentication must have been used.)
    	if ( $wp_json_auth_cookie !== true && is_user_logged_in() ) {
    		return $result;
    	}
    
    	// Do we have a nonce?
    	$nonce = null;
    	if ( isset( $_REQUEST['_wp_json_nonce'] ) ) {
    		$nonce = $_REQUEST['_wp_json_nonce'];
    	}
    	elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
    		$nonce = $_SERVER['HTTP_X_WP_NONCE'];
    	}
    
    	if ( $nonce === null ) {
    		// No nonce at all, so act as if it's an unauthenticated request
    		wp_set_current_user( 0 );
    		return true;
    	}
    
    	// Check the nonce
    	$result = wp_verify_nonce( $nonce, 'wp_json' );
    	if ( ! $result ) {
    		return new WP_Error( 'json_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) );
    	}
    
    	return true;
    }
    add_filter( 'json_authentication_errors', 'json_cookie_check_errors', 100 );

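Putting the two posts above together (the json_authentication_errors hook sketched in post 2 and the plugin's cookie/nonce check quoted in post 3), here is an added example of a Basic-auth handler on that filter. It is not code from the thread or from the WP-API plugin; it assumes it runs inside WordPress with the plugin active, and the example_* function names are my own.

```php
<?php
// Added example, not code from the WP REST API plugin. Assumes it runs inside
// WordPress (e.g. as a small plugin) with the JSON REST API plugin active.

// Parse an HTTP Basic credential into array(user, password), or null if absent
// or malformed. On CGI/FastCGI hosts PHP_AUTH_* may be unset, so fall back to
// the raw Authorization header (Apache exposes it as REDIRECT_HTTP_AUTHORIZATION).
function example_basic_auth_credentials() {
    if ( isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
        return array( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
    }
    $raw = '';
    foreach ( array( 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            $raw = $_SERVER[ $key ];
            break;
        }
    }
    if ( stripos( $raw, 'Basic ' ) !== 0 ) {
        return null;
    }
    $decoded = base64_decode( substr( $raw, 6 ), true ); // strict: reject junk
    if ( $decoded === false || strpos( $decoded, ':' ) === false ) {
        return null;
    }
    return explode( ':', $decoded, 2 ); // limit 2: the password may contain ':'
}

// json_authentication_errors handler. Returning $result unchanged (null) when
// no Basic header is present lets the plugin's own cookie/nonce check, hooked
// at priority 100, handle the request; returning true short-circuits it.
function example_basic_auth_handler( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier handler already produced an error
    }
    $creds = example_basic_auth_credentials();
    if ( $creds === null ) {
        return $result; // not a Basic-auth request; defer to cookie auth
    }
    // Credentials travel in every request, so only enable this over HTTPS.
    $user = wp_authenticate( $creds[0], $creds[1] );
    if ( is_wp_error( $user ) ) {
        return new WP_Error( 'json_basic_auth_failed',
            __( 'Invalid username or password' ), array( 'status' => 401 ) );
    }
    wp_set_current_user( $user->ID );
    return true;
}
add_filter( 'json_authentication_errors', 'example_basic_auth_handler', 20 );
```

With this in place, the first curl snippet from the opening post (which sends the Authorization header on the first request) authenticates, while a request without the header still goes through the cookie/nonce path shown above.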
  4. Juandbb
    Member
    Posted 1 year ago #

    Thanks a lot, dunar21.

  5. aryanduntley
    Member
    Posted 1 year ago #

    You're welcome. If this works for you, you can mark it as resolved.

  6. Juandbb
    Member
    Posted 1 year ago #

    Yes, thank you, dunar21. Anyway, I feel that basic auth is not so secure for production, is it? I'm more like trying the OAuth one; let's see if I succeed in this, as the documentation is not very clear (at least for me!).

  7. Juandbb
    Member
    Posted 1 year ago #

    Marked as resolved.

  8. aryanduntley
    Member
    Posted 1 year ago #

    Yeah, basic auth probably should be avoided. You should do some Google searching on how OAuth works before trying to delve into it. I just provided you the basic one because that is what your original post was doing. Here is a well-laid-out, easy-to-understand explanation of OAuth: http://marktrapp.com/blog/2009/09/17/oauth-dummies/ Good luck.

  9. Juandbb
    Member
    Posted 1 year ago #

    Thanks a lot again, you have been really helpful.
