• Any suggestions on how to authenticate the login via a fetch request? I have tried the Authenticate header, along with setting the standard access-control-allow-origin header on the server, but no luck getting to the /wp-json/wp/v2/ endpoints.

    Basic authentication via curl is working fine, $ curl --user user:password /wp-json/ but I am not able to get it via a browser-based fetch request, which is at a different domain than the WordPress site.

    • This topic was modified 7 years, 8 months ago by atomicadam.
  • Plugin Author Kevin Vess

    (@kevinvess)

    Hi– thanks for using Force Login!

    Just to confirm, does your JS fetch request work when Force Login is deactivated?

    If authentication via curl is working, maybe you could try AJAX calls to your curl request?

    Or– check out this thread for some alternative options to authenticate the WP REST API on your WordPress site running Force Login:
    https://ww.wp.xz.cn/support/topic/jwt-authentication/

    Thread Starter atomicadam

    (@atomicadam)

    Hi Kevin – Thanks for writing the plugin.

    Yes, the fetch request works fine when the plugin is turned off.

    Also the same request via curl works fine. So this is most likely a CORS issue, and I am just hoping you might have tried this yourself.

    The fetch request looks something like this

    
    fetch(endpoint, {
      headers: new Headers({
        'Authenticate': 'Basic user:password'
      }),
      redirect: 'follow'
    })
    .then(res => res.json())
    .then(json => console.log(json));
    

    Looking at the fetch documentation, I am now seeing I didn’t set a mode key value, I will try that. Will also follow up with more specific error messages.

    • This reply was modified 7 years, 8 months ago by atomicadam.
    Thread Starter atomicadam

    (@atomicadam)

    Most likely this is just server setup. If I can get it working I’ll post.

    Thread Starter atomicadam

    (@atomicadam)

    I was able to resolve this – though I’m not sure I’m 100% happy with always returning 200 on an OPTIONS request (the redirect to readme.html will return a 200 in the OPTIONS preflight request). But here is the fetch request and .htaccess setup that works with Force Login turned on.

    
    fetch(endpoint, {
      headers: new Headers({
        'Authorization': 'Basic ' + Buffer.from('user:pass').toString('base64'),
        'Content-Type': 'application/json; charset=utf-8'
      }),
      credentials: 'include',
      mode: 'cors',
      method: 'GET',
      redirect: 'follow'
    })
    .then(res => res.json())
    .then(json => console.log(json))
    

    and

    
    <IfModule mod_headers.c>
    Header unset Access-Control-Allow-Origin
    Header always set Access-Control-Allow-Origin "http://localhost:3000"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT, DELETE"
    Header always set Access-Control-Allow-Headers "Origin,Content-Type,Accept,Authorization,X-Requested-With"
    Header unset Access-Control-Allow-Credentials
    Header always set Access-Control-Allow-Credentials true
    </IfModule>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On                  
    RewriteCond %{REQUEST_METHOD} OPTIONS 
    RewriteRule ^(.*)$ readme.html [QSA,L]  
    </IfModule>
    
    <LimitExcept OPTIONS>
    AuthType Basic
    AuthName "API Service"
    AuthUserFile .htpasswd
    Require valid-user
    </LimitExcept>
    

    I have not tried this with pretty URL rewrites – yet – so the endpoint looks like: http://api.site.com/?rest_route=/wp/v2/pages/2/

    • This reply was modified 7 years, 8 months ago by atomicadam.
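An alternative to answering every OPTIONS request with 200, shown as an added example that is not part of the thread or of Force Login: the preflight is accepted only for an allowlisted origin, method and header set, and everything else must present Basic credentials. The names `corsGate`, `basicAuthOk` and `safeEqual` and the allowlists are assumptions; the origin is the one from the .htaccess above.

```javascript
// Assumed allowlists for illustration; the origin is the one in the thread's .htaccess.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['authorization', 'content-type', 'accept', 'x-requested-with'];

// Hypothetical helper: compare without stopping at the first mismatching byte.
function safeEqual(presented, expected) {
  const x = Buffer.from(String(presented || '')), y = Buffer.from(expected);
  let diff = x.length ^ y.length;
  for (let i = 0; i < y.length; i++) diff |= x[i] ^ y[i];
  return diff === 0;
}

function basicAuthOk(header, user, pass) {
  return safeEqual(header, 'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64'));
}

// Decide status and response headers for one request. `req` is { method, headers }
// with lower-cased header names, the shape Node's http module provides.
function corsGate(req, user, pass) {
  const origin = req.headers.origin;
  const headers = { 'Vary': 'Origin' };
  const originOk = ALLOWED_ORIGINS.has(origin);
  if (originOk) {
    // Credentialed CORS requires the exact origin echoed back, never "*".
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  const wantMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wantMethod) {   // CORS preflight
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    const ok = originOk && ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every(h => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    return { status: 204, headers };   // preflights carry no credentials
  }
  // Every other request, including a bare OPTIONS, needs valid Basic credentials.
  if (!basicAuthOk(req.headers.authorization, user, pass)) {
    headers['WWW-Authenticate'] = 'Basic realm="API Service"';
    return { status: 401, headers };
  }
  return { status: 200, headers };
}
```

Browsers send the preflight without the Authorization header, which is why the OPTIONS branch cannot require credentials and has to be limited by origin, method and header instead.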
    Thread Starter atomicadam

    (@atomicadam)

    Actually this only works due to being logged into the WP admin, so the fetch is sending along the cookies to authenticate. Logging in to WP w/ only browser JS from another domain does not seem possible.

    Plugin Author Kevin Vess

    (@kevinvess)

    Hi– thanks for all your effort and detailed examples into finding a solution.

    Force Login restricts access to the REST API for authorized users only. You said your fetch request works when Force Login is deactivated.

    Have you tried one of the following code snippets to allow the WP REST API to be publicly accessible again?

    add_filter( 'rest_authentication_errors', '__return_true' );
    

    Or

    remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );
    
    Thread Starter atomicadam

    (@atomicadam)

    Thanks Kevin. I think with your plugin and an .htpasswd file at the server level, one can put in a basic authentication gateway for a detached front end. But I think for more secure connections one needs to use the API OAuth, which seems fine for user apps, but for just delivering content to a detached front end I’m thinking of just making an Express server that connects directly to the WordPress MySQL server to read data.


The topic ‘Authenticate via javascript fetch for REST API’ is closed to new replies.