Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#39500 closed defect (bug) (invalid)

REST API 401 Due to Logged Out User Cookie Regardless of Authentication Data

Reported by: dominic_ks
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords:
Focuses: rest-api
Cc:

Description

Hello,

I'm reporting this as a bug as I cannot see anywhere in the docs that this is intended / expected behaviour:

Description:
When sending requests to the WordPress REST API that include both a WordPress cookie AND OAuth credentials, authentication is based on the WordPress cookie and the OAuth credentials are ignored.

This results in

  • Potentially unexpected access if the user is logged in
  • Requests rejected with "401: User is not logged in" error response regardless of valid OAuth credentials

I am currently using WordPress 4.7 with the WP REST API - OAuth 1.0a Server plugin enabled.

Background:
I came up against an issue while developing an OAuth 1.0 flow using JavaScript, intended for use when creating Phonegap applications.

The issue arose once I had actually managed to fully authenticate a user: I was then unable to make a simple GET request via the Phonegap test app, even though, when I copied and pasted the very same request into a browser straight after receiving "401: User is not logged in", the request worked just fine, e.g.

http://my-domain.co.uk/wp-json/wp/v2/users/me?my_auth_params=etc

After much investigation, I found that the Phonegap test app was sending a WordPress cookie with the $.ajax request where the browser was not.

I did look into whether I could prevent this cookie being sent to no avail.

Finally, I found that if I generated the request as normal (including with my-domain.co.uk) but then actually sent the request to http://cookieless-my-domain.co.uk/.... the request was successful.

For the record, generating the request to http://cookieless-my-domain.co.uk/.... up front resulted in signature errors.

My assumption is that the cookie has been set here when using the Phonegap InAppBrowser plugin to complete step 2 of the OAuth process, or, happens to be present in a browser on my phone.

Conclusion:
Based on my experience here, it seems that it can't be predicted whether a client or device will have or send a cookie. If a request is sent with valid OAuth credentials I would suggest these should be prioritised for processing the request.
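The ambiguous situation described above (a request carrying both a WordPress logged-in cookie and OAuth credentials) can at least be made visible on the server. The following is an added example, not code from the ticket, from WordPress core or from the OAuth plugin; it assumes it is dropped in as a mu-plugin, that OAuth 1.0a credentials arrive either in an `Authorization: OAuth ...` header or as `oauth_*` query parameters, and that the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example (not part of the ticket, WordPress core or the OAuth plugin):
 * log REST requests that carry BOTH a WordPress logged-in cookie AND OAuth 1.0a
 * credentials, so an administrator can see how often the conflict occurs and
 * which user the request was ultimately resolved to.
 */

// Assumption: OAuth 1.0a credentials come either as an Authorization header
// or as oauth_* query parameters (both forms are allowed by the protocol).
function example_request_has_oauth_credentials() {
    $header = '';
    if ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
        $header = $_SERVER['HTTP_AUTHORIZATION'];
    } elseif ( isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
        // Some Apache/CGI setups expose the header under this name instead.
        $header = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    }
    if ( 0 === stripos( trim( $header ), 'OAuth ' ) ) {
        return true;
    }
    // isset() with several arguments is true only when all of them are set.
    return isset( $_GET['oauth_consumer_key'], $_GET['oauth_signature'] );
}

function example_request_has_login_cookie() {
    // LOGGED_IN_COOKIE is the core constant naming the "logged in" cookie.
    return isset( $_COOKIE[ LOGGED_IN_COOKIE ] );
}

/**
 * Hooked late on rest_authentication_errors. The filter value is returned
 * unchanged: this hook only observes, it does not alter who is authenticated.
 */
function example_log_mixed_rest_auth( $result ) {
    if ( example_request_has_login_cookie() && example_request_has_oauth_credentials() ) {
        $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '?';
        error_log( sprintf(
            'REST request %s carried both a logged-in cookie and OAuth credentials; resolved user ID at this point: %d',
            $uri,
            get_current_user_id()
        ) );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'example_log_mixed_rest_auth', 99 );
```

The log line records which user ID the request had been resolved to when the filter ran, which is the quickest way to confirm, per request, whether the cookie or the OAuth credentials took effect.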

Change History (2)

#1 @rmccue
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Thanks for filing this issue. This should be posted over on the OAuth plugin's issue tracker instead, and has already been posted there a couple of times.

We'll try and look into this during the 4.8 cycle in any case, as it is a known bug. :)

#2 @dominic_ks
7 years ago

Ah yes so it has, thanks for the feedback.
