Support » Plugin: Disable WP REST API » Response to preflight request doesn’t pass access control check

  • Resolved ali7e

    (@ali7e)


    Hello,

    When I try to make a POST call to an endpoint “/wp-json/wp/v2/posts” with an application password, I get a rejected response with an 401 Unauthorized status.

    Access to fetch at 'https://xxxxxxxxx.com/wp-json/wp/v2/posts' from origin 'https://xxxxxxxx.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

    This doesn’t happen when I do it from Postman, apparently, as said here how postman and the browser send the OPTIONS request are different, and it seems that with this plugin is demanding authorization on the the pre-flight OPTIONS request, which should not be required.

    Is there any way to fix this?

    Thanks!

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Jeff Starr

    (@specialk)

    Not sure, but the plugin code is very basic only a few functions. You may want to take a look and see if there is any change that can be made. As far as I know, the plugin is just using default/core WP functionality to disable the REST API. It doesn’t make any exceptions for application passwords, etc. If all else fails try one of the other, more robust, REST API plugins that provide options to do things that what you are describing, etc.

    I hope this helps, let me know if I can provide any further infos.

    Thread Starter ali7e

    (@ali7e)

    Thanks for the quick reply!

    I will check and see if any changes can be made.

    The app actually does make an exception for application passwords because I am able to authenticate with an application password in Postman. So if it is not meant to do that, you might want to fix that.

    Plugin Author Jeff Starr

    (@specialk)

    I’m not familiar with Postman, but if it is a free app or service and you want to provide steps to replicate the issue, I would be glad to investigate asap.

    Thread Starter ali7e

    (@ali7e)

    Postman is a tool for API development so I was using it to make GET calls to the API. But you can replicate this in Terminal:

    curl --location --request GET 'https://xxxxxxxxx.com/wp-json/wp/v2/posts' --header 'Authorization: Basic username:app-password'

    Plugin Author Jeff Starr

    (@specialk)

    Okay thanks. Does the request go thru without the username and password?

    Thread Starter ali7e

    (@ali7e)

    No the request does not go through without authentication.

    Plugin Author Jeff Starr

    (@specialk)

    Yeah what I think is happening is that the plugin is using default WP hooks, etc. to disable REST API in general. But when you pass credentials WP allows the request to go thru successfully.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Response to preflight request doesn’t pass access control check’ is closed to new replies.