Support » Plugin: Authorizer » REST API not working with Page access set to Logged In Only

  • Resolved mikemarlett

    (@mikemarlett)


    Through the fall, I had an external site coordinating some data with a site via the REST API. The site was set to only show the front page to visitors who weren’t logged in, and things worked fine. I work for a university that took a long holiday break, and when I came back the API calls were mysteriously not authenticating. Just today I realized that I can get it to work if I toggle the page access to allow all traffic. I see that the latest code base was updated Dec. 18, and the plugin would’ve automatically updated shortly after that, which was also the last time I used the API before the break. So I suspect that something broke there.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Paul Ryan

    (@figureone)

    Unless you’re using the GitHub Updater plugin and installed Authorizer through that, you should be on version 2.10.0, released in September 2020. (Version 3.0.4 isn’t publicly released yet, pending feedback from some folks testing out its new OAuth2 integration.)

    Regardless, we’ll take a look at REST API access. I remember reading that WordPress core added some additional authentication methods for REST, so that may be the culprit.

    REST API Changes in WordPress 5.6

    Application Passwords: Integration Guide

  • Thread Starter mikemarlett

    (@mikemarlett)

    Yes, 2.10.0 on WordPress 5.6.

  • Plugin Author Paul Ryan

    (@figureone)

    Aloha, I verified that Authorizer blocks authenticated requests (e.g., using the new app passwords feature) if set to “only logged in users can see the site.”

    We’ll work on fixing this and get a release out shortly. Do note that your external site will need to authenticate to get access to the REST API, but you should be able to easily use app passwords for that:

    Application Passwords: Integration Guide

    (I’m adding some historical context below for reference, you can safely ignore it!)

    In version 2.4.0 (Feb 2016), we locked down REST API calls if Authorizer was set to “only logged in users can see the site.” See:
    https://github.com/uhm-coe/authorizer/issues/4

    In version 2.6.0 (Sep 2016), we tweaked Authorizer to only prevent unauthenticated GET calls if it was set to “only logged in users can see the site” (non-GET requests, such as POST, DELETE, etc., are already protected by WordPress’s own authentication). See:
    https://github.com/uhm-coe/authorizer/issues/11

  • Plugin Author Paul Ryan

    (@figureone)

    Aloha, we have refactored the way Authorizer handles REST API requests, so it should honor existing authentication routines now (when Authorizer is set to “only logged in users can see the site”).
    https://github.com/uhm-coe/authorizer/commit/798c48dfd1d03a232ae4fa8a8d3e7053b62f3c5f

    Version 3.0.5 is out now with the fix. Let us know if you run into problems!
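
Added example, not part of the thread and not Authorizer's code: one way a "logged in only" gate can defer to WordPress's own REST authentication (cookies with a nonce, application passwords) through the core `rest_authentication_errors` filter. The function name, the option `example_site_access` and its value `logged_in_only` are hypothetical.

```php
<?php
/**
 * Added example (not Authorizer's code): require an authenticated user for
 * REST requests while honoring the authentication WordPress already performed.
 */

// Priority 200 runs after core's own checks on this filter
// (application passwords at 90, cookie + nonce at 100).
add_filter( 'rest_authentication_errors', 'example_require_login_for_rest', 200 );

function example_require_login_for_rest( $result ) {
	// An earlier check already rejected the request (bad application
	// password, invalid nonce, ...). Keep that error unchanged.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	// Hypothetical setting; a real plugin would read its own option here.
	if ( 'logged_in_only' !== get_option( 'example_site_access' ) ) {
		return $result;
	}

	// Core resolves the current user through the determine_current_user
	// filter, which validates cookie and application-password credentials.
	// A cookie request without a REST nonce has been reset to user 0 by the
	// cookie check above, so it is treated as unauthenticated here.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// No authenticated user: deny, whatever the HTTP method.
	return new WP_Error(
		'example_rest_login_required',
		__( 'You must be logged in to use the REST API on this site.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
```

Because the gate only asks whether core ended up with an authenticated user, any authentication method that hooks into `determine_current_user` passes without the gate needing to know about it.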

  • The topic ‘REST API not working with Page access set to Logged In Only’ is closed to new replies.