WP-API / Basic-Auth

Basic Authentication handler for the JSON API, used for development and debugging purposes

Basic Authentication not working with WP REST APIv2 #35

Open rubenhak opened 8 years ago

rubenhak commented 8 years ago

Hi everybody,

I'm trying to use basic authentication with the WP REST API v2 plugin (https://github.com/WP-API/WP-API). But whatever I tried, the API returns a "Sorry, you are not allowed to ..." error. I'm using Postman as a client and can see that it correctly sets the "Authorization" header in the request.

For example, if I post here: http://mywebsite.com/wp-json/wp/v2/posts/

Body:

{
  "title": "Hello Updated World!",
  "content_raw": "Howdy updated content.",
  "date": "2013-04-01T14:00:00+10:00"
}

The response is:

{
  "code": "rest_cannot_create",
  "message": "Sorry, you are not allowed to create new posts.",
  "data": {
    "status": 401
  }
}

I'd appreciate some help here.

Thanks, Ruben

shokri-navid commented 8 years ago

+1

rubenhak commented 8 years ago

Adding those into .htaccess solves the problem for me:

RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

Though, this file gets overwritten every time to edit the plugin.

rubenhak commented 8 years ago

Actually, this is not a complete solution and is more of a workaround. From time to time WordPress overwrites .htaccess files and the changes are lost.

clemorphy commented 8 years ago

Hi !

Exact same problem for me.

I am using WP REST API v2, and this plugin. Making a GET request with the Postman Chrome App : https://website.com/wp-json/wp/v2/users/me

I use Basic Auth with the login / password of one of my editor accounts. The Authorization header is added to the request.

And all I get is :

{
  "code": "rest_not_logged_in",
  "message": "You are not currently logged in.",
  "data": {
    "status": 401
  }
}

Adding this to my .htaccess didn't change anything :

RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

Any idea ?

michaelnagy commented 8 years ago

+1

rubensmz commented 8 years ago

I'm also experiencing the same problem. I thought it was due to CGI running on Apache and its inability sometimes to manage authentication headers. Nevertheless, when I turn to FPM over nginx the problem persists.

wblaircox commented 7 years ago

+1

medrockstar commented 7 years ago

+1

medrockstar commented 7 years ago

any solution ?

HeikoBornholdt commented 7 years ago

+1

ileafsolutions commented 7 years ago

I also have the same issue. Any solutions would be a great help

Zmimmy commented 7 years ago

Added this to my .htaccess and it helped:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

See https://github.com/WP-API/WP-API/issues/2538 Not ideal but it works.

This https://github.com/WP-API/Basic-Auth/pull/32/files might also be helpful.

nodeGarden commented 7 years ago

Have tried both /.htaccess changes, and still getting the same rest_cannot_create error.

PostMan settings: [images]

Results: [images]

The Service Discovery page (/wp-json/wp/json/) shows that the POST method is created for posts: [image]

Fresh install of Wordpress on AWS (Bitnami image if that helps any)
Wordpress: 4.6
WP REST API: Version 2.0-beta13.1 and tried Version 1.2.5
JSON Basic Authentication: Version 0.1

koenhoeijmakers commented 7 years ago

Hey guys, after some time I finally found the fix (at least for me). It was a .htaccess issue.

The original .htaccess looked like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

I changed it to the following:

<IfModule mod_rewrite.c>
RewriteEngine On

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteBase /
RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

The HTTP_AUTHORIZATION rule has to come before the other rules. This is because of the L flag: L means "last - stop processing rules", so processing would never reach that rule if it came after the original WordPress rules.

Hope this helps anyone else!

ethanclevenger91 commented 7 years ago

.htaccess solutions not working for me.

Mine actually works fine on a local version of the site (using either command line curl or Postman) or if I use Postman to post to the live site while logged in in Chrome. Being logged into the dashboard via Chrome seems to go around the REST API authentication, perhaps related to Postman technically being a Chrome app? If I use the "Generate Code" feature in Postman and copy+paste that to CLI, it does not work.

If I try to post to the live site while not logged in in Chrome, I get the "Sorry, you cannot create new posts" error.

ethanclevenger91 commented 7 years ago

Hm, so local machine, where it works, is running Homestead. The live server, where it was not working, was running PHP 5.5 with cgi as the handler. I bumped it to PHP 5.6, which uses suPHP as the handler, and it now works. This link seems to imply that these .htaccess fixes should resolve this, but I didn't find that to be true. Other thoughts?

droa6 commented 7 years ago

Awesome, this solved my issue posting to the WordPress REST API. Like @koenhoeijmakers mentioned, the HTTP_AUTHORIZATION rule had to come before all other rules.

vasiloeth commented 7 years ago

Had the same issue and the .htaccess solutions did not work for me. My issue was that Apache on CGI tends to change the request headers from 'header' to 'redirect_header'. I've added this to the json_basic_auth_handler function:

if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
}

And it solved my issue.
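An added example, not part of the thread and not the plugin's own code: one way to resolve Basic credentials from whichever `$_SERVER` key the web server actually populated, covering the `REDIRECT_` case described above. `resolve_basic_credentials()` and the sample credentials are hypothetical; PHP 7.1 or later is assumed.

```php
<?php
/**
 * Hypothetical helper (not from the Basic-Auth plugin).
 * Returns [user, password, source key] from a $_SERVER-style array, or null.
 */
function resolve_basic_credentials(array $server): ?array
{
    // mod_php parses the header itself and fills these in; nothing to decode.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? '', 'PHP_AUTH_USER'];
    }

    // Under CGI/FastCGI the header only arrives if the server forwards it,
    // and an internal rewrite renames the variable with a REDIRECT_ prefix.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // Accept only the Basic scheme; ignore Bearer and anything else.
        if (!preg_match('/^Basic\s+(\S+)$/i', trim($server[$key]), $m)) {
            continue;
        }
        // Strict mode rejects input outside the base64 alphabet.
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        // Split at the first colon only: the password may itself contain colons.
        [$user, $pass] = explode(':', $decoded, 2);
        return [$user, $pass, $key];
    }

    return null; // No usable Authorization header reached PHP.
}

// Constructed sample: what PHP sees after Apache's internal rewrite to index.php.
$sample = ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('editor:pa:ss')];
$creds  = resolve_basic_credentials($sample);

if ($creds === null) {
    echo "Authorization header never reached PHP\n";
} else {
    // Report the user and the source key only; never log the password.
    printf("user=%s via %s\n", $creds[0], $creds[2]);
}
```

If the function returns null for a request that did carry the header, the header is being dropped before PHP runs, which is the case the .htaccess rules in this thread address.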

magadanskiuchen commented 7 years ago

+1 on this

I'm having a similar issue but instead of trying to insert posts I'm simply trying to do a search (which also for some reason requires authentication): /wp-json/wp/v2/posts/?filter[s]=lorem

monsif commented 7 years ago

None of these worked for me; I finally added this wonderful plugin that solved all my problems :+1: https://github.com/Tmeister/wp-api-jwt-auth

wadechandler commented 7 years ago

+1, having the same issue, hosted at GoDaddy on a Linux account. I'm just now trying to investigate, but hoping others' trials prove helpful.

wadechandler commented 7 years ago

I can confirm that koenhoeijmakers' .htaccess comment worked for me.

pie6k commented 7 years ago

As a WordPress theme developer, I'm not able to force my clients to change their .htaccess file, so the supplied solution does not apply in my case.

Harshadraval commented 7 years ago

It's solved for me. You only need to add one line to the .htaccess file: "SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1". Only add line number 4.

# BEGIN WordPress

RewriteEngine On
RewriteBase /demo/goambee/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /demo/goambee/index.php [L]

to

# BEGIN WordPress

RewriteEngine On
RewriteBase /demo/goambee/
RewriteRule ^index\.php$ - [L]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /demo/goambee/index.php [L]

sban90 commented 7 years ago

I have tried the recommended fixes in this thread with no luck.

.htaccess:

# BEGIN WordPress

RewriteEngine On
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

and added these lines to basic-auth.php:

if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':' , base64_decode(substr($_SERVER['REDIRECT_HTTP_AUTHORIZATION'], 6)));
}

Any other recommendations as to why this is not working? Host is running on PHP 5.6 with FastCGI. Local runs fine, but that is on PHP 7.0 with no CGI.

LoudSkyMedia commented 7 years ago

I too had this problem, and the only thing that worked for me was this plugin: https://github.com/WP-API/Basic-Auth/blob/master/basic-auth.php

Though, it is a shame that this plugin, or any plugin for that matter, is necessary to address this issue. This should be in the core.

max-favilli commented 7 years ago

@booberchi thanks, I can confirm this solved the issue for me too.

Harshadraval commented 7 years ago

A second solution: you can install this plugin, https://wordpress.org/plugins/wp-htaccess-control/, and add only one line in the custom htaccess: SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

see this image same like chrome_2017-03-01_15-04-20

koenhoeijmakers commented 7 years ago

@booberchi you do realize that you post this on an issue on that exact package, do you?

LoudSkyMedia commented 7 years ago

@koenhoeijmakers yes. What I was unaware of initially was that this functionality was still separate from the core. Thus, searching for a solution I found this issue/plugin. For anyone else not realizing they needed a plugin to enable Basic Auth, my post is useful.

max-favilli commented 7 years ago

BTW I think it is all related to the fact I am hosting wp on IIS, and the .htaccess rules contained in WP-API/Basic-Auth plugin are not translated into IIS web.config urlrewrite rules. The plugin @booberchi mentioned is taking a different approach, that's why it works for IIS hosting.

kdoggthebus commented 7 years ago

@nodeGarden did you ever find a solution for this? I am also trying to run a bitnami image on aws with no luck

cafe4it commented 7 years ago

@booberchi , thanks so much! Worked for me!

Wordpress 4.7.3 WooCommerce: 3.0.0

nstechdevops commented 7 years ago

I'm running the bitnami WordPress image on AWS Lightsail. Though the exact same setup is working perfectly with another hosting provider, on AWS Lightsail it returns the following error when I'm creating a user:

{
  "code": "rest_cannot_create_user",
  "message": "Sorry, you are not allowed to create new users.",
  "data": {
    "status": 401
  }
}

I'm using:

I tried all the above mentioned .htaccess rules. It didn't work for me. Any idea how can I fix it?

cafe4it commented 7 years ago

@nstechdevops , Did you try the plugin: https://wordpress.org/plugins/va-simple-basic-auth/ ?

Tolsee commented 7 years ago

+1 for the issue. What I disagree with .htaccess solution is while I am able to create post from other service provider on my wordpress site there is no way that I am going to change my .htaccess. I do not really see what's going on.

vasiloeth commented 7 years ago

@Tolsee have you tried to var_dump($_SERVER) and check if the WWWAUTHERIZATION header is there? If it's there then the issue is not related to the .htaccess. If it's there with the REDIRECT prefix you can try to apply the solution I wrote above.

kepoly commented 7 years ago

Having the same problem as @nstechdevops .

Posts etc. work fine, I just can't create new users, and I've set "anyone can register" in the WP settings.

Edit: apparently the wordpress rest api team decided to leave out unauthenticated registration... So either create your own custom end points or use wordpress default register ->wp-login.php settings->allow anyone to register.

lakinmohapatra commented 7 years ago

The same plugin is working on my local machine, but not on my shared hosting. On hosting, it's not even coming into the hook function.

After trying RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}], it worked.

It might be possible that WWW_AUTHERIZATION header is not present.

yummish commented 7 years ago

For those who are interested, I was using postman and had the same error: rest_cannot_create

That's because I was already logged in in Chrome. After signing out from Chrome, Postman works!

lakinmohapatra commented 7 years ago

@yummish , need to check it

paulo-campos commented 7 years ago

I solved my problem with koenhoeijmakers' solution, works like a charm!

christophwolff commented 7 years ago

Same issue here. I am using MAMP 4.1 for local development. None of the above solutions work. It works fine on Laravel Valet (nginx).

Any help?

omzy commented 6 years ago

Any update on this? Doesn't work for me either, using WordPress 4.8.0

I've tried the htaccess fix posted by koenhoeijmakers but it still does not work for me.

christophwolff commented 6 years ago

It needs SSL encryption. HTTPS

omzy commented 6 years ago

@christophwolff how do we do this on local env?

christophwolff commented 6 years ago

I use Laravel Valet. Give it a shot. It's intended for Laravel but works great with WordPress. I don't know how to do it with mamp...

kepoly commented 6 years ago

@christophwolff You don't need HTTPS for this to work. @omzy83 Are you trying to create a new user?

omzy commented 6 years ago

Nope I've just done a simple request in Postman to wp-json/wp/v2/posts

I also tried /wp-json/wp/v2/users/me - which returns rest_not_logged_in

I have installed the Basic Auth plugin and in Postman I've entered the login details.

christophwolff commented 6 years ago

For me it worked after I had https.