usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

API endpoints not whitelisted after remove filter "jwt_auth_whitelist" #126

Closed. jobberma closed this 3 months ago.

jobberma commented 3 months ago

Hello,

I just updated to v3 and I have some whitelisted endpoints. I removed the "jwt_auth_whitelist" filter in code but am still getting the 401 error below:

<html>

<head>
    <title>401 Authorization Required</title>
</head>

<body>
    <center>
        <h1>401 Authorization Required</h1>
    </center>
    <hr>
    <center>nginx</center>
</body>

</html>

Example of API endpoint declaration (API_NAMESPACE_v1 is a constant defined elsewhere in my code):

add_action('rest_api_init', function() {
    register_rest_route(API_NAMESPACE_v1, 'jobs', [
        'methods' => 'POST',
        'callback' => 'get_jobs',
        // public endpoint: no authentication should be required
        'permission_callback' => '__return_true',
        'args' => [
            'page' => array(
                'type' => 'number'
            )
        ],
    ]);
});

Is there something else I have to edit/add?

Thanks

dominic-ks commented 3 months ago

Have you sent a JWT with this request? If you're sending one, it still has to be valid. I'm also curious as to how you're getting an HTML error message in response to a POST request...

jobberma commented 3 months ago

> Have you sent a JWT with this request? If you're sending one, it still has to be valid. I'm also curious as to how you're getting an HTML error message in response to a POST request...

Thanks for your reply. I do not send a JWT to this endpoint because it is public and must work without a token. I am testing in Postman and it returns that as an HTML response.

dominic-ks commented 3 months ago

Have you tried this with all other plugins disabled? I don't know how this plugin could return an HTML response at all.

jobberma commented 3 months ago

> Have you tried this with all other plugins disabled? I don't know how this plugin could return an HTML response at all.

Okay, I will check that, because it is a staging environment. How about whitelisting the endpoint? Is it done by default, or do I have to add other configuration?

dominic-ks commented 3 months ago

There is no whitelisting any more. The plugin no longer prevents access to any endpoints; it simply authenticates a token if one is provided. Access to any route is controlled by the permission callback of the route itself. I'm not sure why __return_true wouldn't be working here, so it would be worth doing some debugging to check that this callback is being called as you'd expect.
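To make the v3 model described in the comment above concrete, here is an added example (not code from the jwt-auth plugin or from the issue author) that registers one public route and one protected route on the same path. The namespace `example/v1`, the option name `example_jobs` and the function names are hypothetical; the WordPress REST API calls are real. The point it demonstrates is that the plugin only establishes the current user from a valid token, and each route's own `permission_callback` is what grants or denies access:

```php
<?php
/**
 * Added example, not part of the jwt-auth plugin or the original issue.
 * Assumptions: usefulteam/jwt-auth v3 is active; 'example/v1',
 * 'example_jobs' and the example_* functions are hypothetical names.
 *
 * In v3 the plugin validates a Bearer token only when one is sent and, if it
 * is valid, sets the current WordPress user. It does not block or whitelist
 * routes, so each route decides its own access in 'permission_callback'.
 */

add_action( 'rest_api_init', function () {
    // Public read: no token required. __return_true is an explicit opt-in;
    // WordPress warns if permission_callback is omitted entirely.
    register_rest_route( 'example/v1', '/jobs', array(
        'methods'             => WP_REST_Server::READABLE, // GET
        'callback'            => 'example_list_jobs',
        'permission_callback' => '__return_true',
        'args'                => array(
            'page' => array(
                'type'              => 'integer',
                'default'           => 1,
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );

    // Protected write on the same path: the route checks the user that the
    // JWT (or a cookie/nonce session) established. Without a valid token the
    // request is anonymous and this callback returns a JSON 401 from
    // WordPress, not an HTML page from the web server.
    register_rest_route( 'example/v1', '/jobs', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_create_job',
        'permission_callback' => 'example_can_create_job',
        'args'                => array(
            'title' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_can_create_job( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        // rest_authorization_required_code() returns 401 for anonymous
        // requests and 403 for authenticated users lacking the capability.
        return new WP_Error(
            'rest_forbidden',
            __( 'You must supply a valid token to create jobs.', 'example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Your account may not create jobs.', 'example' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

function example_list_jobs( WP_REST_Request $request ) {
    // Hypothetical storage: a plain option holding an array of jobs.
    $jobs     = (array) get_option( 'example_jobs', array() );
    $per_page = 10;
    $page     = (int) $request->get_param( 'page' );
    $slice    = array_slice( $jobs, ( $page - 1 ) * $per_page, $per_page );
    return rest_ensure_response( array( 'page' => $page, 'jobs' => $slice ) );
}

function example_create_job( WP_REST_Request $request ) {
    $jobs   = (array) get_option( 'example_jobs', array() );
    $jobs[] = array(
        'title'  => $request->get_param( 'title' ),
        'author' => get_current_user_id(), // set from the JWT by the plugin
    );
    update_option( 'example_jobs', $jobs );
    return new WP_REST_Response( end( $jobs ), 201 );
}
```

With this in place, a `GET /wp-json/example/v1/jobs` with no `Authorization` header succeeds regardless of whether any `jwt_auth_whitelist` filter is registered, and a `POST` without a token gets a JSON body with code `rest_forbidden` and status 401 generated by WordPress. A 401 whose body is an HTML page naming nginx, as in the original report, was produced before PHP ran at all, which is the diagnosis the thread arrives at below.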

jobberma commented 3 months ago

UPDATE:

The HTML output was generated by the staging server, because server authentication was required in addition to the API auth. I removed the "jwt_auth_whitelist" filter and everything is working as expected, because the callbacks were already handled in the REST API endpoints. Thanks anyway for your help.