Clearfy is disabling REST API for unauthenticated users

Resolved CB
(@cbrandt)

3 years, 9 months ago

Hello,

I’ve just realized that Clearfy is disabling the WordPress REST API for unauthenticated users, and I can’t seem to find where in the plugin settings I can enable or disable this option.

Some of my sites have REST API endpoints that need to be accessible to unauthenticated users, and they are getting a 401 response instead. For that reason, I need it to use instead a plugin that lets me chose which routes/endpoints to block.

Thanks for this great plugin!

Viewing 9 replies - 1 through 9 (of 9 total)

Temyk
(@webtemyk)

3 years, 9 months ago

Hello.

We removed the option to disable the REST API from the plugin a long time ago. You can reset the plugin settings and check the REST operation.
If this doesn’t help, then it’s not about our plugin.
Thread Starter CB
(@cbrandt)

3 years, 9 months ago
Hello @webtemyk, thanks for the reply.

This may have been fixed a long time ago, but I only realized this problem recently because of one plugin in one of my installations that started using REST API to update results in the front end.

I’ve reset the plugin as you suggested, but it did not solve the problem.

Now you say, if it doesn’t help, it’s not your plugin. But as soon as I deactivate and remove Clearfy, unauthenticated users have open access to the REST API.

When Clearfy is on, the returned error message is:

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

A search using String Locator on the whole WordPress directory for the code exhibited when unauthenticated visitor tries an endpoint could only be found on a Clearfy file:

/wp-content/plugins/clearfy/includes/classes/class.configurate-performance.php

On lines 356 and following:
```
<pre><code>/**
 * Disables the WP REST API for visitors not logged into WordPress.
 */
public function removeRestApi()
{
	/*
		Disable REST API link in HTTP headers
		Link: <https://example.com/wp-json/>; rel=&quot;https://api.w.org/&quot;
	*/
	remove_action('template_redirect', 'rest_output_link_header', 11);

	/*
		Disable REST API links in HTML <head>
		<link rel='https://api.w.org/' href='https://example.com/wp-json/' />
	*/
	remove_action('wp_head', 'rest_output_link_wp_head', 10);
	remove_action('xmlrpc_rsd_apis', 'rest_output_rsd');

	/*
		Disable REST API
	*/
	if( version_compare(get_bloginfo('version'), '4.7', '>=') ) {
		add_filter('rest_authentication_errors', [$this, 'disableWpRestApi']);
	} else {
		// REST API 1.x
		add_filter('json_enabled', '__return_false');
		add_filter('json_jsonp_enabled', '__return_false');

		// REST API 2.x
		add_filter('rest_enabled', '__return_false');
		add_filter('rest_jsonp_enabled', '__return_false');
	}
}

public function disableWpRestApi($access)
{
	if( !is_user_logged_in() ) {

		$message = apply_filters('disable_wp_rest_api_error', __('REST API restricted to authenticated users.', 'clearfy'));

		return new WP_Error('rest_login_required', $message, ['status' => rest_authorization_required_code()]);
	}

	return $access;
}
```
So I hope this helps you guys pinpoint the problem, which apparently was not completely resolved when the setting to disable the REST API was removed.

Thanks.
- This reply was modified 3 years, 9 months ago by CB.
Temyk
(@webtemyk)

3 years, 9 months ago

We have removed this option, but the option code remains in the plugin. It may be that you previously had this option enabled and it works anyway, but if you have reset the Clearfy settings, then this option should not work. Check that you have reset the Clearfy settings

Thread Starter CB
(@cbrandt)

3 years, 9 months ago

I have reset all Clearfy settings, by hitting the button at the bottom of Clearfy’s initial settings page.

I have also cleared all cache, even though Litespeed is set not to cache /wp-json/*.

I still get the 401 response with Clearfy’s rest_login_required message.

As soon as I deactivate Clearfy, REST API is available in incognito mode (unauthenticated user).

JibsouX
(@jibsoux)

3 years, 7 months ago

I can confirm the same problem, you did not reset the “wbcr_clearfy_disable_json_rest_api” option in the database

To fix and reset the problem correctly and make it like a clean installation:

1 : saved the settings of the plugin
3 : deactivate clearfy and the plugins linked to it
2 : search in the db all that correspond to “wbcr_clearfy_”
4 : delete the search result
5 : reactivate all the clearfy plugins
6 : reinport the settings
Thread Starter CB
(@cbrandt)

3 years, 7 months ago
Thank you, @jibsoux.

Removing the option wbcr_clearfy_disable_json_rest_api solved the issue. I removed it using Advanced DB Cleaner plugin, without the need to deactivate/reactivate Clearfy.
- This reply was modified 3 years, 7 months ago by CB.
JibsouX
(@jibsoux)

3 years, 7 months ago

@cbrandt , glad it worked for you 😉
For my part I preferred to delete all the bdd option of the plugin because I don’t know if there is any other piece of junk lying around at least the fact of deleting everything and reimporting the settings with just what is needed allows to do as if it was a new installation

Thread Starter CB
(@cbrandt)

3 years, 7 months ago

You’re right, @jibsoux. That’s a good way to fully reset it. Thanks for the tip.

sweetguyzzz
(@sweetguyzzz)

3 years, 7 months ago

@cbrandt

Sorry to be off-topic, but I have been reading some of your comments about CloudFlare and WP-SuperCache at page https://wordpress.org/support/topic/best-plugin-settings-with-cloudflare/

You mentioned there

For the home page to recycle every hour, I created a cronjob that will delete the home page cache Supercache creates every hour.

Is it possible to share that CronJob script.

Again sorry PLUGIN AUTHOR for being off-topic.