[wp-trac] [WordPress Trac] #52082: Application Passwords issue with wordpress_logged_in cookie
WordPress Trac
noreply at wordpress.org
Tue Dec 15 12:39:09 UTC 2020
#52082: Application Passwords issue with wordpress_logged_in cookie
-----------------------------------+-----------------------------
Reporter: SeBsZ | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: 5.6
Severity: normal | Keywords:
Focuses: |
-----------------------------------+-----------------------------
I've been trying to debug this all day. I found that when making a REST
API request with just the Authorization header, everything seems to work
perfectly. However, if I happen to be using a browser that was logged into
wp-admin and then make a REST API request (using JavaScript for example),
cookies are transmitted along with the request.
In my case, the presence of the
wordpress_logged_in_xxxxxxxxxxxxxxxxx=xxxxxxxxx cookie causes
authentication to fail and it results in an HTTP 401 'rest_forbidden' ->
'Sorry, you are not allowed to do that.' response.
{{{
{
"code": "rest_forbidden",
"message": "Sorry, you are not allowed to do that.",
"data": {
"status": 401
}
}
}}}
I've traced this to line 437 in class-wp-rest-server.php:
{{{#!php
<?php
$result = $this->check_authentication();
}}}
which causes the $current_user global to be set to 0. Before this code
runs, it is important to note that $current_user has the correct ID of the
cookie logged in user.
Interestingly, I've found that if I set the $current_user global to null
in my own register_rest_route 'permission_callback', then it works fine.
It seems to re-authenticate and correctly use the basic auth credentials.
I am not familiar enough with this code to be able to write a patch for
this; I hope someone can tell me whether this is indeed a bug or desired behavior.
I feel that a valid wordpress_logged_in cookie should allow the REST
authentication to succeed instead of fail. In addition, the presence of
this cookie should not cause the API request to fail if there is a valid
basic auth header.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52082>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
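As an added example (not part of the ticket or of WordPress core), the client-side check a practitioner would want here: build the Application Passwords request so the browser does not attach the wordpress_logged_in cookie alongside the Authorization header, plus a small helper that spots that cookie in a Cookie header. It assumes the application password is sent as the HTTP Basic password and the user/password values are constructed sample data.

```javascript
// Added example (not from the ticket): build a fetch() init for an
// Application Passwords request that deliberately omits browser cookies,
// plus a helper to spot the wordpress_logged_in_* cookie the report blames.
// Assumptions: the app password is used as the HTTP Basic password, and the
// user/password values in the usage line are constructed sample data.

// Portable base64 for "user:password" (btoa in browsers and Node >= 16,
// Buffer fallback elsewhere).
function base64(str) {
  return typeof btoa === 'function'
    ? btoa(str)
    : Buffer.from(str, 'binary').toString('base64');
}

// WordPress displays application passwords in space-separated groups; the
// spaces are not part of the secret, so strip them before encoding.
function appPasswordInit(user, appPassword, extra = {}) {
  const secret = appPassword.replace(/\s+/g, '');
  return {
    method: extra.method || 'GET',
    headers: {
      Authorization: 'Basic ' + base64(`${user}:${secret}`),
      Accept: 'application/json',
      ...(extra.headers || {}),
    },
    // 'omit' keeps the browser from attaching the wordpress_logged_in_* cookie,
    // so the REST server sees only the Basic auth header described in the ticket.
    credentials: 'omit',
    ...(extra.body !== undefined ? { body: extra.body } : {}),
  };
}

// Diagnostic: does a Cookie header value carry a wordpress_logged_in_* cookie?
// Useful when reproducing the 401 from a logged-in browser session.
function hasWordPressLoginCookie(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .some((name) => name.startsWith('wordpress_logged_in_'));
}

// Usage (constructed values):
// fetch('https://example.invalid/wp-json/wp/v2/users/me',
//   appPasswordInit('alice', 'abcd efgh ijkl mnop'));
```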