Support » Plugin: WP REST API (WP API) » Authentication hacks

  • Resolved aryanduntley


    In wp-json-server.php ,line 98, method check_authentication; You create a hook that allows custom authentication, however you do not allow for a fail safe from that hook. The method only checks to see if a successful login is returned. If not, it goes on to check the basic authentication. I don’t know if I’m off here, but if some felt that basic authentication was unsafe and did not want it to be available at all, they cannot currently prevent access attempts of this nature. Failure of login only allows for test of basic auth. You may want to consider checking for null or some other fail value to return false and discontinue execution of the remainder of the method.

Viewing 2 replies - 1 through 2 (of 2 total)
  • It is possible authentication will not work for those running php as CGI/SuExec

    I found a good resource that provides a fix for this (or a workaround anyway):

    In order to implement this with the API, first adjust your .htaccess file by adding

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

    then utilize the authentication filter to provide http authentication values (NOTE: This example is using base 64 decode which means that the authentication values were sent with base 64 encoding *base64_encode(“username:password”)*):

    function fixTheCheckAuth(){
    list($_SERVER[‘PHP_AUTH_USER’], $_SERVER[‘PHP_AUTH_PW’]) = explode(‘:’ , base64_decode(substr($_SERVER[‘HTTP_AUTHORIZATION’], 6)));

    add_filter(‘json_check_authentication’, ‘fixTheCheckAuth’);

    The above actually did not work for me. This did however, it is a method from a responder in the resource above (

    S├ębastien Marinier Said,
    May 07, 2009 @ 10:57

    With Apache 2.2 and PHP 5(cgi mode), i’ve used

    SetEnvIfNoCase Authorization “Basic ([a-z0-9=]+)” REMOTE_AUTHORIZATION=$1

    This gives me $_SERVER[“REDIRECT_REMOTE_AUTHORIZATION”] as a global var.
    I don’t know if “REDIRECT_” prefix is due to my configuration/environment. You may try without it.

    After, you can use the following code, before user both PHP_AUTH_* vars in a traditionnal way:

    $d = base64_decode($_SERVER[“REDIRECT_REMOTE_AUTHORIZATION”]);
    list($_SERVER[‘PHP_AUTH_USER’], $_SERVER[‘PHP_AUTH_PW’]) = explode(‘:’, $d); }

    Plugin Author Ryan McCue


    Basic Authentication is being moved to a plugin in the future; see #37

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Authentication hacks’ is closed to new replies.