[wp-trac] [WordPress Trac] #39500: REST API 401 Due to Logged Out User Cookie Regardless of Authentication Data

WordPress Trac noreply at wordpress.org
Fri Jan 6 08:35:58 UTC 2017

#39500: REST API 401 Due to Logged Out User Cookie Regardless of Authentication
 Reporter:  dominic_ks    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  4.7
 Severity:  normal        |   Keywords:
  Focuses:  rest-api      |

 I'm reporting this as a bug as I cannot see anywhere in the docs that this
 is intended / expected behaviour:

 When sending requests to the WordPress REST API that include both a
 WordPress cookie AND OAuth credentials, authentication is based on the
 WordPress cookie and the OAuth credentials are ignored.

 This results in
  - Potentially unexpected access if the user is logged in
  - Requests rejected with "401: User is not logged in" error response
 regardless of valid OAuth credentials

 I am currently using WordPress 4.7 with the WP REST API - OAuth 1.0a
 Server plugin enabled.

 I came up against an issue while developing an OAuth1.0 flow using
 javascript intended for use when creating Phonegap applications.

 The issue arose once I had actually managed to fully authenticate a user,
 I was then unable to make a simple GET request to via the Phonegap test
 app, even though copying and pasting the very same request into a browser
 straight after receiving 401: User is not logged in, the request worked
 just fine, e.g.


 After much investigation, I found that the Phonegap test app was sending a
 WordPress cookie with the $.ajax request where the browser was not.

 I did look into whether I could prevent this cookie being sent to no

 Finally, I found that if I generated the request as normal (including with
 my-domain.co.uk) but then actually send the request to http://cookieless-
 my-domain.co.uk/.... then the request was successful.

 For the record, generating the request to http://cookieless-my-
 domain.co.uk/.... up front resulted in signature errors.

 My assumption is that the cookie has been set here when using the Phonegap
 InAppBrowser plugin to complete step 2 of the OAuth process, or, happens
 to be present in a browser on my phone.

 Based on my experience here, it seems that it can't be predicted whether a
 client or device will have or send a cookie. If a request is sent with
 valid OAuth credentials I would suggest these should be prioritised for
 processing the request.

Ticket URL: <https://core.trac.wordpress.org/ticket/39500>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list