WooCommerce JSON v1 REST Authentication ignored when logged in with cookies #13134

Closed
sischnei opened this issue Feb 9, 2017 · 4 comments
Labels: needs: author feedback (The issue/PR needs a response from any of the parties involved in the issue.)

sischnei commented Feb 9, 2017

EXPLANATION OF THE ISSUE

When using the most recent WooCommerce JSON (v1 - not legacy!!) REST API
And a user (even admin) is logged into the site
Then all REST calls are prohibited and result in errors like `{"code":"woocommerce_rest_cannot_view","message":"Sorry, you cannot list resources.","data":{"status":401}}` even though a valid consumer key / secret is passed.

When logging out (or clearing all cookies)
Then the same REST calls are allowed and work as expected

STEPS TO REPRODUCE THE ISSUE

  1. Create a valid request like this https://localhost/wp-json/wc/v1/products?consumer_key=ck_4f0b99580930dc703c5b8e3ce6f169b60249de6c&consumer_secret=cs_a9080c505b7d4be9a305a038ff8e656d0bf41cc3
  2. Log into the WordPress instance
  3. Run the valid request -> an error is produced
  4. Log out of the WordPress instance
  5. Run the valid request again -> the correct expected result is shown

See similar reports on Stackoverflow:
http://stackoverflow.com/questions/40806785/woocommerce-rest-api-authentication-fails-when-logged-in
http://stackoverflow.com/questions/40804197/woocommerce-rest-api-ajax-authentication-error

SYSTEM STATUS REPORT

Note: I tried this with both the latest stable version as well as the current version found on GitHub.

WordPress Environment

Home URL: http://localhost/wordpress
Site URL: http://localhost/wordpress
WC Version: 2.7.0
Log Directory Writable: ✔
WP Version: 4.7.2
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: –
WP Cron: ✔
Language: en_US

Server Environment

Server Info: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/7.0.8
PHP Version: 7.0.8
PHP Post Max Size: 8 MB
PHP Time Limit: 30
PHP Max Input Vars: 1000
cURL Version: 7.49.1 OpenSSL/1.0.2e
SUHOSIN Installed: –
Max Upload Size: 2 MB
Default Timezone is UTC: ✔
fsockopen/cURL: ✔
SoapClient: ❌ Your server does not have the SoapClient class enabled - some gateway plugins which use SOAP may not work as expected.
DOMDocument: ✔
GZip: ✔
Multibyte String: ✔
Remote Post: ✔
Remote Get: ✔

Database

WC Database Version: 2.7.0
WC Database Prefix: wp_
woocommerce_sessions: ✔
woocommerce_api_keys: ✔
woocommerce_attribute_taxonomies: ✔
woocommerce_downloadable_product_permissions: ✔
woocommerce_order_items: ✔
woocommerce_order_itemmeta: ✔
woocommerce_tax_rates: ✔
woocommerce_tax_rate_locations: ✔
woocommerce_shipping_zones: ✔
woocommerce_shipping_zone_locations: ✔
woocommerce_shipping_zone_methods: ✔
woocommerce_payment_tokens: ✔
woocommerce_payment_tokenmeta: ✔
MaxMind GeoIP Database: ❌ The MaxMind GeoIP Database does not exist - Geolocation will not function. You can download and install it manually from http://dev.maxmind.com/geoip/legacy/geolite/ to the path: . Scroll down to "Downloads" and download the "Binary / gzip" file next to "GeoLite Country". Please remember to uncompress GeoIP.dat.gz and upload the GeoIP.dat file only.

Security

Secure connection (HTTPS): ❌ Your store is not using HTTPS. Learn more about HTTPS and SSL Certificates.
Hide errors from visitors: ✔

Active Plugins (1)

WooCommerce: by Automattic – 2.7.0-beta-2

Settings

API Enabled: ✔
Force SSL: –
Currency: GBP (£)
Currency Position: left
Thousand Separator: ,
Decimal Separator: .
Number of Decimals: 2
Taxonomies: Product Types: external (external), grouped (grouped), simple (simple), variable (variable)

WC Pages

Shop base: #4 - /shop/
Cart: #5 - /cart/
Checkout: #6 - /checkout/
My account: #7 - /my-account/

Theme

Name: Twenty Seventeen
Version: 1.1
Author URL: https://wordpress.org/
Child Theme: ❌ – If you're modifying WooCommerce on a parent theme you didn't build personally, then we recommend using a child theme. See: How to create a child theme

WooCommerce Support: ✔

Templates

Overrides: –

mikejolley (Member) commented
Those similar reports are from one person who got external requests working. What are you using to send your requests? Have you tried a REST API client such as Insomnia?

mikejolley added the "needs: author feedback" label Feb 10, 2017

sischnei (Author) commented

The easiest way to reproduce is to just use Google Chrome and paste the example link (https://localhost/wp-json/wc/v1/products?consumer_key=ck_4f0b99580930dc703c5b8e3ce6f169b60249de6c&consumer_secret=cs_a9080c505b7d4be9a305a038ff8e656d0bf41cc3) into the browser bar.

This however is just to reproduce the problem easily - in reality I'm trying to access the API from an Ionic mobile app, where the client is written in AngularJS. The app user is authenticated against WordPress using his standard login credentials (so WordPress cookies are available). The user should be able to view products - for this, the app also has READ API keys for making REST calls to WooCommerce.

claudiosanches (Contributor) commented

@sischnei, and why are you not doing it using the Basic Auth headers?

mikejolley (Member) commented

This is technically a WordPress issue because you're using COOKIE AUTH without a nonce through the browser. I've made a workaround but you should consider using cookie auth properly if doing this through the browser. See #13146
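Added example, not code from this thread or from WooCommerce/WordPress: a small client helper that builds the request in the two forms the maintainers point to instead of putting `consumer_key`/`consumer_secret` in the query string while a WordPress login cookie exists. It assumes a `fetch()`-style options object and treats the nonce value as a placeholder obtained from the site (WordPress issues it for the `wp_rest` action); the key/secret values are the ones published in the issue.

```javascript
// Added example (not from the issue or WooCommerce). Two ways to authenticate a
// WC v1 REST call that do not trip over a logged-in browser session:
//   - cookie auth: the WP login cookie plus an X-WP-Nonce header
//   - Basic auth:  consumer key/secret in the Authorization header, HTTPS only
// If the URL still carries key/secret as query parameters (the reproduction
// style used in the issue), they are moved out of the URL into the header.

function buildWcRequest(url, opts = {}) {
  const target = new URL(url);
  const params = target.searchParams;
  const headers = { Accept: "application/json" };

  // Take credentials from opts first, else from the query string, then strip
  // them from the URL so they never land in access logs or browser history.
  const consumerKey = opts.consumerKey || params.get("consumer_key");
  const consumerSecret = opts.consumerSecret || params.get("consumer_secret");
  params.delete("consumer_key");
  params.delete("consumer_secret");
  target.search = params.toString(); // "" drops the trailing "?" entirely

  if (opts.nonce) {
    // WordPress only honours cookie-authenticated REST requests that carry a
    // valid nonce; the login cookie itself rides along via credentials: "include".
    headers["X-WP-Nonce"] = opts.nonce;
    return { mode: "cookie", url: target.toString(), headers, credentials: "include" };
  }

  if (consumerKey && consumerSecret) {
    if (target.protocol !== "https:") {
      throw new Error("consumer key/secret Basic auth belongs on HTTPS only");
    }
    const token = Buffer.from(`${consumerKey}:${consumerSecret}`).toString("base64");
    headers.Authorization = `Basic ${token}`;
    // credentials: "omit" keeps the site login cookie out of this request, so the
    // server sees exactly one authentication method (not a cookie without a nonce).
    return { mode: "basic", url: target.toString(), headers, credentials: "omit" };
  }

  throw new Error("no nonce and no consumer key/secret supplied");
}

// Usage with the URL from the issue report (hypothetical nonce value).
const ISSUE_URL =
  "https://localhost/wp-json/wc/v1/products?consumer_key=ck_4f0b99580930dc703c5b8e3ce6f169b60249de6c&consumer_secret=cs_a9080c505b7d4be9a305a038ff8e656d0bf41cc3";
const viaBasic = buildWcRequest(ISSUE_URL);
const viaCookie = buildWcRequest("https://localhost/wp-json/wc/v1/products", { nonce: "NONCE_FROM_WP" });
```

Pass the returned `url`, `headers` and `credentials` straight to `fetch()`; for the AngularJS/Ionic case described above, the cookie form is the one to use while the user is logged in.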

claudiosanches added a commit that referenced this issue Feb 10, 2017

Bigger than add_filter( 'determine_current_user', 'wp_validate_auth_cookie' );
Smaller than add_filter( 'determine_current_user', 'wp_validate_logged_in_cookie', 20 );

This solves issues while trying to authenticate in a browser while logged in.

Closes #13134