Can't authenticate with basic authentication using WP REST API 2.0 plugin

3

6

I'm having an issue with basic authentication.

Trying to send a GET request with Postman (chrome plugin) using the following url: http://_MY_WEBSITE_URL_/wp-json/wp/v2/users/3

The username and password fields are filled with the site's admin user credentials.

The error I get:

{
    "code": "rest_user_cannot_view",
    "message": "Sorry, you cannot view this resource.",
    "data": {
        "status": 401
    }
}

I tried the basic authentication using wp_remote_request from another website, and with CURL too, but the results are the same every time.

The user with id 3 exists, I have checked it. If I want to list all of the users, I get only those who have posts created.

I have activated the required plugins: WP REST API, JSON Basic Authentication.

My WordPress version: 4.4.2

Skimp answered 7/4, 2016 at 8:43 Comment(0)
3

Finally, I figured out the solution. I had to add some new options manually to my .htaccess file, the plugin didn't make it.

The code:

# BEGIN WP BASIC Auth
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /PluginTest/
# Copy the incoming Authorization header into an environment variable so PHP
# can read it (Apache otherwise drops it before handing the request to PHP).
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
</IfModule>
# END WP BASIC Auth
Skimp answered 8/4, 2016 at 12:19 Comment(3)
Great! Remember to use SSL, as Basic Auth sends the user's actual login details with every request. Have a look at JWT (JSON Web Tokens) for the longer term: wordpress.org/plugins/jwt-authentication-for-wp-rest-api (Baedeker)
I'm now using OAuth1 authentication; the Basic one was for testing only. I had the same problem with OAuth1, so this htaccess fixed that problem too. :) (Skimp)
Cool. For mobile apps I found JWT was easier to set up, but OAuth works. I just wish they used OAuth 1a or 2. (Baedeker)
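The rewrite rule above exists because Apache, when PHP runs as CGI/FastCGI, drops the Authorization header before PHP sees it; the rule copies it into an environment variable instead. The following is an added example (not code from the question, the Basic Auth plugin or WordPress) showing what a PHP side then has to do with that variable: recover the Basic credentials strictly, falling back to the REDIRECT_-prefixed name that Apache uses for rewrite-set variables after an internal redirect. The function name and the sample $_SERVER arrays are constructed for this example; when no credentials can be recovered, the request is anonymous, which is what a 401 status from the REST API signals.

```php
<?php
// Added example (not from the question or the plugin): recover HTTP Basic
// credentials from a $_SERVER-like array. Under CGI/FastCGI, Apache drops
// the Authorization header before PHP sees it; the RewriteRule copies it
// into HTTP_AUTHORIZATION (exposed as REDIRECT_HTTP_AUTHORIZATION after an
// internal redirect). Without that copy, $_SERVER holds no credentials and
// WordPress treats the request as anonymous.

/**
 * Return ['user' => ..., 'pass' => ...] or null when no valid Basic
 * credentials are present. $server is a $_SERVER-like array.
 */
function basic_credentials_from_server(array $server): ?array
{
    // mod_php populates these directly; nothing to parse.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return ['user' => $server['PHP_AUTH_USER'], 'pass' => $server['PHP_AUTH_PW']];
    }

    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';

    // Only the Basic scheme is handled here; other schemes yield no credentials.
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;
    }

    // Strict decoding rejects malformed base64 instead of silently mangling it.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // RFC 7617: the user-id may not contain ':', so split on the first one only.
    [$user, $pass] = explode(':', $decoded, 2);
    if ($user === '') {
        return null;
    }
    return ['user' => $user, 'pass' => $pass];
}

// Constructed sample environments (not captured from a real server).
$cases = [
    'header passed through'     => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cret')],
    'after internal redirect'   => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cret')],
    'header stripped by Apache' => ['REQUEST_METHOD' => 'GET'],
    'wrong scheme'              => ['HTTP_AUTHORIZATION' => 'Bearer abc.def.ghi'],
    'malformed base64'          => ['HTTP_AUTHORIZATION' => 'Basic !!!'],
];

foreach ($cases as $label => $server) {
    $creds = basic_credentials_from_server($server);
    printf("%-26s -> %s\n", $label, $creds ? 'user=' . $creds['user'] : 'anonymous (no credentials)');
}
```

Run it with the PHP CLI to see which environments yield credentials: only the two that carry the header (directly or under the REDIRECT_ name) do, and a stripped, differently-schemed or malformed header is treated as an anonymous request rather than a half-parsed one. On Apache 2.4.13 or later the CGIPassAuth directive is the alternative to the rewrite trick for letting the header through; either way, as the comment above notes, Basic credentials travel with every request and need TLS.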
2

I think the issue is not about getting user data from the server; this error code is for an authentication problem. Does this user have the capability, or might the role not be administrator?

For details, view:

wp-content/plugins/rest-api/lib/endpoints/class-wp-rest-users-controller.php

public function get_item_permissions_check( $request ) {

    $id = (int) $request['id'];
    $user = get_userdata( $id );
    $types = get_post_types( array( 'public' => true ), 'names' );

    if ( empty( $id ) || empty( $user->ID ) ) {
        return new WP_Error( 'rest_user_invalid_id', __( 'Invalid resource id.' ), array( 'status' => 404 ) );
    }

    if ( get_current_user_id() === $id ) {
        return true;
    }

    if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) {
        return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this resource with edit context.' ), array( 'status' => rest_authorization_required_code() ) );
    } else if ( ! count_user_posts( $id, $types ) && ! current_user_can( 'edit_user', $id ) && ! current_user_can( 'list_users' ) ) {
        return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you cannot view this resource.' ), array( 'status' => rest_authorization_required_code() ) );
    }

    return true;
}
Robertroberta answered 7/4, 2016 at 10:10 Comment(3)
The error message is the same with a normal call, without authentication. I get this message even if I don't send my login credentials; this is why I think it could be a problem with authentication. P.S. I figured out another thing. I installed a fresh new WordPress on my localhost, installed only these 2 plugins, and it's still not working if I use "localhost", BUT if I use my local IP address "127.0.0.1" the authentication works. (Skimp)
A fresh WordPress might not have included .htaccess, so it's quite obvious it raises an error, but for your project there may be a concern with the user role. (Robertroberta)
My admin user role is "admin" so I can't change it. Everything works fine with the new WordPress, as I mentioned: if I change the URL from localhost/wp_test1/wp-json/wp/v2/users/2 to 127.0.0.1/wp_test1/wp-json/wp/v2/users/2 the authentication works, and I can delete posts with my admin role user. (Skimp)
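The permissions check quoted above reports the same error code for an anonymous caller and for a logged-in caller without the capability, but the status differs: rest_authorization_required_code() returns 401 when nobody is logged in and 403 when a user is logged in but not allowed. The following is an added example (not code from the answer, the plugin or WordPress core) that models get_item_permissions_check() as a pure function with explicit arguments in place of WordPress globals, so the three cases can be run side by side. The function names, the capability list (treating edit_user as a plain capability rather than WordPress's meta capability) and the scenarios are constructed for this example.

```php
<?php
// Added example (not from the answer or the plugin): a stand-alone model of
// get_item_permissions_check() with WordPress's globals replaced by explicit
// arguments. The point is the status code: 401 means no user was
// authenticated at all, 403 means a user was authenticated but lacks the
// capability. A 401 with credentials supplied therefore means they never
// reached WordPress.

/** Model of the core helper: 401 = unauthenticated, 403 = unauthorised. */
function rest_authorization_required_code_model(int $current_user_id): int
{
    return $current_user_id > 0 ? 403 : 401;
}

/**
 * Decide whether $current_user_id may view user $target_id.
 * $caps: capabilities of the current user, e.g. ['list_users', 'edit_user']
 *        (edit_user is simplified to a plain capability here).
 * $target_post_count: number of public posts by the target user.
 * Returns ['ok' => true] or ['code' => ..., 'status' => ...].
 */
function can_view_user(int $current_user_id, array $caps, int $target_id,
                       bool $target_exists, int $target_post_count,
                       string $context = 'view'): array
{
    if ($target_id <= 0 || !$target_exists) {
        return ['code' => 'rest_user_invalid_id', 'status' => 404];
    }
    if ($current_user_id === $target_id) {
        return ['ok' => true];               // a user may always view themself
    }
    $can_list = in_array('list_users', $caps, true);
    $can_edit = in_array('edit_user', $caps, true);

    if ($context === 'edit' && !$can_list) {
        return ['code' => 'rest_user_cannot_view',
                'status' => rest_authorization_required_code_model($current_user_id)];
    }
    if ($target_post_count === 0 && !$can_edit && !$can_list) {
        return ['code' => 'rest_user_cannot_view',
                'status' => rest_authorization_required_code_model($current_user_id)];
    }
    return ['ok' => true];
}

// Constructed scenarios for user id 3, who exists and has no published posts.
$scenarios = [
    'anonymous (credentials dropped)' => [0, []],
    'subscriber, no caps'             => [7, []],
    'administrator'                   => [1, ['list_users', 'edit_user']],
];
foreach ($scenarios as $label => [$uid, $caps]) {
    $r = can_view_user($uid, $caps, 3, true, 0);
    printf("%-32s -> %s\n", $label,
           isset($r['ok']) ? 'allowed' : $r['code'] . ' (' . $r['status'] . ')');
}
```

Running it shows rest_user_cannot_view with status 401 for the anonymous caller, the same code with status 403 for a logged-in user without list_users or edit_user, and an allowed result for the administrator. Read against the question, that makes the status the useful signal: a role problem on an authenticated request produces 403, while the 401 the asker saw points at credentials being dropped before WordPress could log anyone in.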
0

To all those who are facing this error: remove the Basic Authentication authorization in the headers and send the customer_key and customer_secret as query parameters in all cases (GET and POST) after activating JWT. This might seem odd and insecure, but it works for me.

Jackelynjackeroo answered 25/2, 2019 at 1:20 Comment(0)
