#39500 closed defect (bug) (invalid)
REST API 401 Due to Logged Out User Cookie Regardless of Authentication Data
| Reported by: | dominic_ks | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.7 |
| Component: | REST API | Keywords: | |
| Focuses: | rest-api | Cc: | |
Description
Hello,
I'm reporting this as a bug as I cannot see anywhere in the docs that this is intended / expected behaviour:
Description:
When sending requests to the WordPress REST API that include both a WordPress cookie AND OAuth credentials, authentication is based on the WordPress cookie and the OAuth credentials are ignored.
This results in:
- Potentially unexpected access if the user is logged in
- Requests rejected with a "401: User is not logged in" error response regardless of valid OAuth credentials
I am currently using WordPress 4.7 with the WP REST API - OAuth 1.0a Server plugin enabled.
Background:
I came up against an issue while developing an OAuth1.0 flow using javascript intended for use when creating Phonegap applications.
The issue arose once I had actually managed to fully authenticate a user: I was then unable to make a simple GET request via the Phonegap test app, even though, when I copied and pasted the very same request into a browser straight after receiving the "401: User is not logged in" response, the request worked just fine, e.g.
http://my-domain.co.uk/wp-json/wp/v2/users/me?my_auth_params=etc
After much investigation, I found that the Phonegap test app was sending a WordPress cookie with the $.ajax request where the browser was not.
I did look into whether I could prevent this cookie being sent to no avail.
Finally, I found that if I generated the request as normal (including with my-domain.co.uk) but then actually sent the request to http://cookieless-my-domain.co.uk/.... then the request was successful.
For the record, generating the request to http://cookieless-my-domain.co.uk/.... up front resulted in signature errors.
My assumption is that the cookie has been set here when using the Phonegap InAppBrowser plugin to complete step 2 of the OAuth process, or, happens to be present in a browser on my phone.
Conclusion:
Based on my experience here, it seems that it can't be predicted whether a client or device will have or send a cookie. If a request is sent with valid OAuth credentials I would suggest these should be prioritised for processing the request.
Thanks for filing this issue. This should be posted over on the OAuth plugin's issue tracker instead, and has already been posted there a couple of times.
We'll try and look into this during the 4.8 cycle in any case, as it is a known bug. :)