Support » Plugin: WP REST API (WP API) » Authentication

  • Resolved Juandbb



    Congratulations on the plugin, I’m really looking forward to seeing it in core!

    My main problem is that I cannot authenticate. I’m trying to do it using PHP and curl, but I have not succeeded so far.

    For example, if I try:

    $ch = curl_init();
    // These two options disable TLS certificate verification for the request
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type:application/json", "Accept:application/json", 'Authorization:Basic '. base64_encode($username.":".$password)));
    curl_setopt($ch, CURLINFO_HEADER_OUT, true);
    $result = curl_exec($ch); // the request must actually be sent before $result can be decoded
    curl_close($ch);
    var_dump(json_decode($result, true));

    I get “Sorry, you are not allowed to list users”.

    Same if I try:

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $URL);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30); //timeout after 30 seconds
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
    curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
    $result = curl_exec($ch);
    $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); //get status code (only valid after curl_exec)
    curl_close($ch);
    return $result;

    Can anybody help, please?

    Thanks a lot in advance!

Viewing 8 replies - 1 through 8 (of 8 total)
  • The plugin author has removed any in-code authentication methods and simply put a filter hook, json_authentication_errors. So, handling authentication is up to you. If you want to use OAuth, there is a plugin/extension for this JSON REST API that handles most of the code for you.

    I use the basic auth like so:

    curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type:application/json", "Accept:application/json", 'Authorization:Basic '. base64_encode($username.":".$password)));

    To hook into the filter, you would do something like this:

    function MineCheckAuth($result){
    //do check auth stuff, basic authentication in the headers will be
    //stored in either the
    //log user in if good
    return true; //or return wp_error
    //neither will do anything but he states that these are the two valid return values.
    }
    add_filter('json_authentication_errors', 'MineCheckAuth');

    Author does hook into the auth errors filter, but only to verify nonce in wp cookie auth.

    /**
     * Check for errors when using cookie-based authentication
     *
     * WordPress' built-in cookie authentication is always active for logged in
     * users. However, the API has to check nonces for each request to ensure users
     * are not vulnerable to CSRF.
     *
     * @param WP_Error|mixed $result Error from another authentication handler, null if we should handle it, or another value if not
     * @return WP_Error|mixed|boolean
     */
    function json_cookie_check_errors( $result ) {
    	if ( ! empty( $result ) ) {
    		return $result;
    	}

    	global $wp_json_auth_cookie;

    	// Are we using cookie authentication?
    	// (If we get an auth error, but we're still logged in, another
    	// authentication must have been used.)
    	if ( $wp_json_auth_cookie !== true && is_user_logged_in() ) {
    		return $result;
    	}

    	// Do we have a nonce?
    	$nonce = null;
    	if ( isset( $_REQUEST['_wp_json_nonce'] ) ) {
    		$nonce = $_REQUEST['_wp_json_nonce'];
    	} elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
    		$nonce = $_SERVER['HTTP_X_WP_NONCE'];
    	}

    	if ( $nonce === null ) {
    		// No nonce at all, so act as if it's an unauthenticated request
    		wp_set_current_user( 0 );
    		return true;
    	}

    	// Check the nonce
    	$result = wp_verify_nonce( $nonce, 'wp_json' );
    	if ( ! $result ) {
    		return new WP_Error( 'json_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) );
    	}

    	return true;
    }
    add_filter( 'json_authentication_errors', 'json_cookie_check_errors', 100 );
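Filling in the MineCheckAuth skeleton from this reply, as an added example that is neither dunar21's nor the plugin's code: a json_authentication_errors callback that reads HTTP Basic credentials, checks them with WordPress core functions (wp_authenticate, wp_set_current_user, is_ssl, is_wp_error and WP_Error are real core APIs; the function name example_json_basic_auth and the error codes are my own) and returns true or a WP_Error, the two return values the reply says the filter expects.

```php
<?php
// Added example, not the plugin's own code. Assumes a loaded WordPress
// environment so that wp_authenticate(), wp_set_current_user(), is_ssl(),
// is_wp_error() and WP_Error are available.

function example_json_basic_auth( $result ) {
    // Another handler already produced a decision (error or success): keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Apache/mod_php fills PHP_AUTH_USER/PHP_AUTH_PW; under FastCGI the raw
    // header usually arrives as HTTP_AUTHORIZATION, so both forms are handled.
    $username = $password = null;
    if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = isset( $_SERVER['PHP_AUTH_PW'] ) ? $_SERVER['PHP_AUTH_PW'] : '';
    } elseif ( isset( $_SERVER['HTTP_AUTHORIZATION'] )
               && stripos( $_SERVER['HTTP_AUTHORIZATION'], 'basic ' ) === 0 ) {
        $decoded = base64_decode( substr( $_SERVER['HTTP_AUTHORIZATION'], 6 ), true );
        if ( $decoded !== false && strpos( $decoded, ':' ) !== false ) {
            list( $username, $password ) = explode( ':', $decoded, 2 );
        }
    }

    // No Basic credentials at all: not our request, let cookie auth or others run.
    if ( $username === null ) {
        return $result;
    }

    // Basic credentials are only base64-encoded, not encrypted: refuse plain HTTP.
    if ( ! is_ssl() ) {
        return new WP_Error( 'json_basic_auth_insecure',
            'Basic authentication requires HTTPS', array( 'status' => 403 ) );
    }

    $user = wp_authenticate( $username, $password );
    if ( is_wp_error( $user ) ) {
        // Generic message so the response does not reveal whether the user exists.
        return new WP_Error( 'json_basic_auth_failed',
            'Invalid username or password', array( 'status' => 401 ) );
    }

    wp_set_current_user( $user->ID );
    return true;
}
add_filter( 'json_authentication_errors', 'example_json_basic_auth' );
```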

    Thanks a lot dunar21.

    You’re welcome. If this works for you, you can mark it as resolved.

    Yes, thank you dunar21. Anyway, I feel that basic auth is not so secure for production, is it? I’m more inclined to try the OAuth one; let’s see if I succeed, as the documentation is not very clear (at least for me!)

    Marked as resolved.

    Yeah, basic auth probably should be avoided. You should do some Google searching on how OAuth works before trying to delve into it. I just provided you the basic one because that is what your original post was doing. Here is a well laid out, easy to understand explanation of OAuth: Good luck.

    Thanks a lot again, you have been really helpful.
