Can't get auth working, 403 Forbidden Error

[vitld]

Hi,

Basic Auth just doesn't work for me, been stuck for days and feels like I have turned over every stone there is to find a solution.

Some info about my hosting(phpinfo();):

PHP Version 5.6.8
Server API: CGI/FastCGI

I have added the below to .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

And doing a var_dump on below shows correct values.

$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']
$_SERVER['HTTP_AUTHORIZATION']

Now to the issue. I get 403 Forbidden error using both postman and postman package sending the following information to the server:

POST /wp-json/posts HTTP/1.1
Host: mysite.com
Authorization: Basic XXXXXXXXXXXXXXX
Cache-Control: no-cache
Postman-Token: 6bb61e83-0bec-afcd-9b5d-605340683730
Content-Type: application/x-www-form-urlencoded

title=Test+1&content_raw=Test+2222&status=publish

The response I get:

[
    {
        "code": "json_cannot_create",
        "message": "Sorry, you are not allowed to post on this site."
    }
]

Anyone who has any idea or can point me in the right direction?

[vitld]

Finally made some progress.
The error for me was on line 368 in plugin.php of the main WP API plugin.

It seems like the cookie authentication is running after the basic authentication and then reseting the wp_current_user back to 0 if there is no nonce sent with the request. Or perhaps the basic auth plugin is not even getting hooked on during the authentication process, which seems unlikely to me.
Or maybe you are supposed to send a nonce even with Basic Auth requests, which seems strange to me.

[vitld]

Did some more digging and narrowed it down to the HTTP_AUTHORIZATION variable.
Apparently the settings that I did to my .htaccess was not enough and one more line was needed:
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

So try that if you use FastCGI and have trouble to get it to work.

[urre]

@ViktorPontinen Hi, i have problems with this aswell. Get 403 on POST request using Basic Auth. Do you know how to set this up in Nginx? I've added fastcgi_param HTTP_AUTHORIZATION $http_authorization; but no difference. Wonder if i'm doing something else wrong.

[vitld]

@urre Hi, the basic rule did not work for me, had to use
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
which I sadly don't know how to convert to Nginx.

You could try
fastcgi_param PHP_AUTH_DIGEST $http_authorization;

[urre]

@ViktorPontinen thanks. How did you make the POST request? i'm not sure i¨'m doing it correctly.

i've tried:

$.ajax({ 
    dataType: "json",
    type : "POST",
    url: 'http://mywebsite.se/wp-json/posts/',
    headers: { 
        // 'Access-Control-Allow-Origin' : 'all',
        'Authorization': 'Basic '+btoa(wp_username+":"+wp_password),
        "Content-Type": "text/plain; charset=utf-8"
},
...

[vitld]

Using Postman extension for Chrome.
Like the first post.

POST /wp-json/posts HTTP/1.1
Host: mysite.com
Authorization: Basic XXXXXXXXXXXXXXX
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

title=Test+1&content_raw=Test+2222&status=publish

What kind of error do you get?

[urre]

@ViktorPontinen I made a misstake. Working now. Thanks.

[dooch]

Hi Guys,

I still have issues getting this working. Think it might have something to do with my .htaccess file; here is an extract from my website.

There are two lines with are commented out, when they are activated the api calls responded with a 404 error. Any ideas?

# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
        AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
    <IfModule mod_mime.c>
        # DEFLATE by extension
        AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
</IfModule>
# END W3TC Browser Cache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

[lkraav]

http://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

Worked for us.

[gmartinez]

Hi there, also run into this issue and found myself having to perform a small tweak to the plugin, I wonder if it is not something that is worth merge in, I will let you guys decide.

Basically I found myself having to parse $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] to feed $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']

I added the lines below just before line that reads "// Check that we're trying to authenticate"

/**
* The following allows Basic Auth support when PHP is running as any form of CGI
* In order for this to work one needs to add : "SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1" to the .htaccess
*/
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
}

One more, in my case both

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

worked for the basic auth but my site started to throw lots of 404, on the other hand

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

did the trick.

[younes0]

does this plugin works with the V2?

[tdapper]

Havin a similar problem. Adding the aforementioned rules to .htaccess apparently helps in passing through the Basic Auth info. The API now returns stuff that makes me think it recognizes my login (meaning that e.g. the /wp/v2/users/me endpoint returns something sensible), but even though the user I'm logging in as has admin rights, I am getting 403 errors whenever I'm trying to access hidden posts.

The code change proposed by @gmartinez doesn't help. Would be great if @ViktorPontinen could share what the problem in the WP-API exactly was (and whether the fix was vor the v1 or v2 API).

Does anybody take care of this plugin? I'm working on connecting our software products with the website and Basic Auth is so much less painful in this regard (at least until a two legged OAuth 2.0 becomes available). Also since I'm controlling both sides, I can totally ensure that https is used. Wouldn't it even make sense to have a switch in the WP-API plugin that allows to only accept API calls via https and not http? OK, I'm getting off topic....

[younes0]

@tdapper I had success with WP-API1 only. V2 is still in beta anyway.
I encountered problems with Basic-Auth and Goodbye Captcha so I used OAuth

[vitld]

@tdapper Im 90% sure it was on v2, which exact version I don't recall.
The problem was solved for me by adding
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
To .htaccess

Try to do to a var_dump on the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] to check if the values you send get passed correctly.

Sadly I don't remember much more, was long time ago I last worked with this.

[rmccue]

Does anybody take care of this plugin? I'm working on connecting our software products with the website and Basic Auth is so much less painful in this regard (at least until a two legged OAuth 2.0 becomes available). Also since I'm controlling both sides, I can totally ensure that https is used. Wouldn't it even make sense to have a switch in the WP-API plugin that allows to only accept API calls via https and not http? OK, I'm getting off topic....

We want to discourage using this plugin heavily; even with HTTPS, it encourages the antipattern of giving your password to a different site.

99% of the the problems here are server configuration issues; the htaccess rules aren't needed with most sites, only sites that don't correctly pass the authorization header/variables to PHP. This is something we can't really handle in a generic way, so try the solutions suggested here. :)