Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#39500 closed defect (bug) (invalid)

REST API 401 Due to Logged Out User Cookie Regardless of Authentication Data

Reported by: dominic_ks
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords:
Focuses: rest-api
Cc:
I'm reporting this as a bug as I cannot see anywhere in the docs that this is intended / expected behaviour:

When sending requests to the WordPress REST API that include both a WordPress cookie AND OAuth credentials, authentication is based on the WordPress cookie and the OAuth credentials are ignored.

This results in:

  • Potentially unexpected access if the user is logged in
  • Requests rejected with "401: User is not logged in" error response regardless of valid OAuth credentials

I am currently using WordPress 4.7 with the WP REST API - OAuth 1.0a Server plugin enabled.

I came up against an issue while developing an OAuth 1.0 flow using JavaScript, intended for use when creating Phonegap applications.

The issue arose once I had actually managed to fully authenticate a user: I was then unable to make a simple GET request to via the Phonegap test app, even though, when I copied and pasted the very same request into a browser straight after receiving "401: User is not logged in", the request worked just fine, e.g.

After much investigation, I found that the Phonegap test app was sending a WordPress cookie with the $.ajax request where the browser was not.

I did look into whether I could prevent this cookie being sent to no avail.

Finally, I found that if I generated the request as normal (including with but then actually sent the request to then the request was successful.

For the record, generating the request to up front resulted in signature errors.

My assumption is that the cookie has been set here when using the Phonegap InAppBrowser plugin to complete step 2 of the OAuth process, or, happens to be present in a browser on my phone.

Based on my experience here, it seems that it can't be predicted whether a client or device will have or send a cookie. If a request is sent with valid OAuth credentials I would suggest these should be prioritised for processing the request.

Change History (2)

#1 @rmccue
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Thanks for filing this issue. This should be posted over on the OAuth plugin's issue tracker instead, and has already been posted there a couple of times.

We'll try and look into this during the 4.8 cycle in any case, as it is a known bug. :)

#2 @dominic_ks
7 years ago

Ah yes so it has, thanks for the feedback.
