basic-auth's Introduction

Basic Authentication handler

This plugin adds Basic Authentication to a WordPress site.

Note that this plugin requires sending your username and password with every request, and should only be used over SSL-secured connections or for local development and testing. Without SSL we strongly recommend using the OAuth 1.0a authentication handler in production environments.

Installing

  1. Download the plugin into your plugins directory
  2. Enable in the WordPress admin

Using

This plugin adds support for Basic Authentication, as specified in RFC2617. Most HTTP clients will allow you to use this authentication natively. Some examples are listed below.

cURL

curl --user admin:password https://example.com/wp-json/

WP_Http

$args = array(
	'headers' => array(
		'Authorization' => 'Basic ' . base64_encode( $username . ':' . $password ),
	),
);

node-wpapi

const WPAPI = require('./wpapi')
const wp = new WPAPI({
    endpoint: 'https://example.com/wp-json',
    username: 'editor',
    password: 'password'
});

basic-auth's People

Contributors

dimadin, kadamwhite, rmccue, thevictorlopez, tlovett1

basic-auth's Issues

Not working with V2 API and 4.7.1

Posted in the V2 API support area as well
https://wordpress.org/support/topic/basic-auth-not-working/

I've seen the discussion of this issue with one of the API developers and it is rather concerning that the suggestion was to write your own security protocol to go between an app and WordPress using the flexible interface. It would be nice if we had something that worked, written once and used by everyone interfacing an app to WordPress.

paypal api

{
"id": "8PT597110X687430LKGECATA",
"create_time": "2013-06-25T21:41:28Z",
"resource_type": "authorization",
"event_type": "PAYMENT.AUTHORIZATION.CREATED",
"summary": "A payment authorization was created",
"resource": {
"id": "2DC87612EK520411B",
"create_time": "2013-06-25T21:39:15Z",
"update_time": "2013-06-25T21:39:17Z",
"state": "authorized",
"amount": {
"total": "7.47",
"currency": "USD",
"details": {
"subtotal": "7.47"
}
},
"parent_payment": "PAY-36246664YD343335CKHFA4AY",
"valid_until": "2013-07-24T21:39:15Z",
"links": [
{
"href": "https://api.sandbox.paypal.com/v1/payments/authorization/2DC87612EK520411B",
"rel": "self",
"method": "GET"
},
{
"href": "https://api.sandbox.paypal.com/v1/payments/authorization/2DC87612EK520411B/capture",
"rel": "capture",
"method": "POST"
},
{
"href": "https://api.sandbox.paypal.com/v1/payments/authorization/2DC87612EK520411B/void",
"rel": "void",
"method": "POST"
},
{
"href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-36246664YD343335CKHFA4AY",
"rel": "parent_payment",
"method": "GET"
}]
},
"links": [
{
"href": "https://api.sandbox.paypal.com/v1/notfications/webhooks-events/8PT597110X687430LKGECATA",
"rel": "self",
"method": "GET"
},
{
"href": "https://api.sandbox.paypal.com/v1/notfications/webhooks-events/8PT597110X687430LKGECATA/resend",
"rel": "resend",
"method": "POST"
}]
}

Remember to log out when using a browser curl etc.

Basic Auth appears to authenticate users fine - hooray!

However, when accessing it via a browser curl tester like Rest Console or Postman, if that browser is already logged into the site (as admin for example) then the POST functions (insert post, change post etc) fail.

Not a bug per se, but a real gotcha for anyone testing the api...

Call to a member function get_page_permastruct() on a non-object (NULL)

Hi!
I just discovered that calling endpoints with basic authentication randomly generates the error (fortunately the majority of calls don't generate any error)
BadMethodCallException: Call to a member function get_page_permastruct() on a non-object (NULL)
The stack trace points to /wp-includes/link-template.php(314): _get_page_link().

I'm using the v2 WP REST API plugins and it seems that the origin of the error is when this plugin does wp_authenticate.

Any ideas about it?

UPDATE
The error is related to the wp_lostpassword_url function that is triggered during login. Apparently the function is called during the authentication process in order to return a URL where the user could recover his own password. At this point WP isn't able to generate the permalink (maybe it is too early). Does anyone know how to disable this call? I implemented a custom password recovery system by the way, so I will never need the built-in method.

Checking if login works after "Sorry, you are not allowed to edit this post."?

I'm getting an error message when I'm attempting to update a post.

How do I know if login is successful?

I'm able to get a list of posts so the endpoint works.

I'm using the following:

var wp = new WPAPI({
	endpoint: apiRoot,
	username: username,
	password: credential,
	auth: true
});

var test = "posts";

// get posts
if (test=="posts") {
	log('verify endpoint')
	wp.posts().then(function( response ) {
		log("response", response)
	}).catch(function(error) {
		log("error", error)
	})
	return;
}

if (test=="update") {
	var postNumber = 28;

	var date = new Date()
	var time = date.getTime();
	var update = wp.posts().auth().id( postNumber ).update({
		title: "Time " + time
	})
	.then(function(response){
		console.log("complete");
		console.log(response);
	})
	.catch(function(err){
		log("error:", err);
	});
}

I've installed and activated this plugin.

{ code: 'rest_cannot_edit',
  message: 'Sorry, you are not allowed to edit this post.',
  data: { status: 401 } 
}

Attempting to create a post returns this:

{ code: 'rest_cannot_create',
  message: 'Sorry, you are not allowed to create posts as this user.',
  data: { status: 401 } 
}

I'm using the download of wpapi.js (7/6/2017) here:

http://wp-api.org/node-wpapi/installation/

FYI I'm not on node. I'm in a client that runs ES6.

ReCaptcha Error

Hi all,
I am on the latest WordPress version so this may be the issue, however I get a reCAPTCHA error every time I try to use Postman to log in to upload images.

Here is the return when I use basic auth as the authorization.
{ "code": "recaptcha_error", "message": "<strong>The reCAPTCHA wasn't entered correctly. Please try it again.</strong>", "data": null }

What could I do?

Basic Auth not working for curl

I'm trying to retrieve custom fields from a post on our website - we have REST API configured, and I understand that to retrieve custom fields with REST, we have to access the page in edit mode. However, the following curl request:

curl -u "myuserid:mypassword" http://www.mywebsite.com/wp-json/posts/67?context=edit

Consistently returns the following, even though I have the Basic Auth plugin installed:

[{"code":"json_cannot_edit","message":"Sorry, you cannot edit this post"}]

The request works fine if I don't include ?context=edit. I'm not sure how to proceed in debugging this. (For further context, we're also using Advanced Custom Fields - I'm not sure if this affects our ability to use this plugin or not.)

WP rest api plugin Create user Error

I want to create/insert a new user using the REST API, but I am getting this type of error. Also, I am using auth1.0 consumer and secret in the auth1.0 method in Postman.
Error code:
[
{
"code": "json_user_cannot_list",
"message": "Sorry, you are not allowed to list users."
}
]

Basic Auth seems to be broken in Wordpress 4.7.2

Since upgrading to 4.7.2 any post requests to the site trigger a 401 response. I have noticed others having the same issue. Has this plugin been abandoned?

{
  "code": "rest_cannot_create",
  "message": "Sorry, you are not allowed to create posts as this user.",
  "data": {
    "status": 401
  }
}

401 Unauthorized response only on new version of chrome/firefox browsers.

WordPress: 4.6.14
WP REST API: v2.0-beta14
JSON Basic Authentication (/WP-API/Basic-Auth): v0.1
Chrome: V74.0
Firefox: 66.0.3

When I use this plugin with older versions of browsers it gives me a 302 response on this API https://website.com/wp-json/wp/v2/users/me??access_token=blnhszockfpzflz9v7nu312s but with the latest versions of browsers (Firefox 57.0), it gives me a 401 response. I have tried all the solutions mentioned in #35 and #32; none of them worked for me. I tried this API on Postman and it works like a charm. Can anyone help me to figure this out, please?

Basic Authentication not working with WP REST APIv2

Hi everybody,

I'm trying to use basic authentication with the WP REST API v2 plugin (https://github.com/WP-API/WP-API). But whatever I tried, the API returns a "Sorry, you are not allowed to ..." error. I'm using Postman as a client and can see that it correctly sets the "Authorization" header in the request.

For example if i post here: http://mywebsite.com/wp-json/wp/v2/posts/
Body:
{
"title": "Hello Updated World!",
"content_raw": "Howdy updated content.",
"date": "2013-04-01T14:00:00+10:00"
}

The response is:
{
"code": "rest_cannot_create",
"message": "Sorry, you are not allowed to create new posts.",
"data": {
"status": 401
}
}

I'd appreciate some help here.

Thanks,
Ruben

Plugin not working after upgrading to Wordpress 4.9.1

It used to work perfectly,
It suddenly stopped after upgrading to WordPress 4.9.1
The error I get is
{"code":"rest_cannot_create","message":"Sorry, you are not allowed to create posts as this user.","data":{"status":401}}

Condition to not authenticate twice causes user to be not logged in during Create/Edit

Hi, took me a while to narrow this down but it seems that the following code causes issues where users aren't logged in properly during Create/Edit calls:

// Don't authenticate twice
if ( ! empty( $user ) ) {
    return $user;
}

I comment this out and everything starts working properly.

I tested this on multiple single site installations on several servers. It was the only way to get the Basic Auth working.

I suspect the issue might have been introduced when some conditions for multi-site recursion were addressed? #9

Browser and Postman do not request authentication?

Hi, I have installed this plugin on my server and I am not being asked for authentication despite restarting Apache? Any help would be appreciated.

Rest query: https://digitalmedia.rocks/wp-json/

Thanks,

Costa

Woo API not working after SSL Install

Hi,

Been using the API for several months with no issues at all. Got my site ready for release and added an SSL to it. Ever since I constantly get the 'Error: Sorry, you are not allowed to create resources. ' when trying to do anything. I have reset all of the keys, created new users but cannot get anything to work.

As per any site, I want to keep the SSL but really need to get the API working as this does all my new products and also updates my stock.

Thanks.

Login Warning

I have implemented this plugin. It works great for non-logged-in users, but for a logged-in user used via Postman it shows the following. Could you please help solve this? I have the latest WordPress install to date.

Login Warning
There was an issue with your log in. Your user account has logged in recently from a different location.

Create a tag/release

Could you please release it in order to have a composer @stable version?

Ruins old API access

Old API becomes unusable because of this plugin.

Error received: 
<div id="current-theme" class="has-screenshot">
    <br />
    <b>Fatal error</b>: Uncaught Error: Call to a member function get_page_permastruct() on null in /var/www/html/wp/wp-includes/link-template.php:357
    Stack trace: #0 /var/www/html/wp/wp-includes/link-template.php(320): _get_page_link(Object(WP_Post), false, false) #1
    /var/www/html/wp/wp-includes/link-template.php(144): get_page_link(Object(WP_Post), false, false) #2 /var/www/html/wp/wp-content/plugins/woocommerce/includes/wc-page-functions.php(72):
    get_permalink(Object(WP_Post)) #3 /var/www/html/wp/wp-content/plugins/woocommerce/includes/wc-account-functions.php(30):
    wc_get_page_permalink('myaccount') #4 /var/www/html/wp/wp-includes/class-wp-hook.php(300): wc_lostpassword_url('https://sweet21...')

Is this project still alive?

With the arrival of the WP-API into the WordPress core, I am surprised that even though the API is now natively available, you still need plugins to authenticate.
I tried a few plugins to use the basic-auth, but there is clearly a problem with the WordPress default .htaccess. I wonder if they are going to change it in core?
Since this plugin's last commit was two years ago, I wonder if it is still maintained and if not, what is the best option to use basic HTTP auth? Where should we concentrate our efforts to build a Basic Auth plugin that works?
Also, I'm really curious to know if the core has plans to provide native authentication. Does anyone know?

Wrong login turns into a PHP Error

This is related to #27

Using wrong credentials, WordPress automatically calls a function that generates the lost password login. Since this plugin hooks an event that occurs early, the method that produces permalinks is not yet available and generates an error.

Hooking the plugin after that moment makes the login feature unavailable. It seems that hacking the plugin by adding

$GLOBALS['wp_rewrite'] = new WP_Rewrite();

avoids this error but generates another one

Undefined property: WP_Error::$ID in /srv/www/test.com/current/wp/wp-includes/class-wp-user.php on line 165

It's an E_NOTICE so I think it could be ignored, but I am wondering if there is any way to make basic auth 100% working without errors at all. Any ideas?

CGI - Basic Auth doesn't work

Hey there,
I'm hosting web servers using Parallels Plesk. PHP is executed through FastCGI.

In that case your Basic Auth doesn't work.

I will send a merge request in a few minutes to fix that case :)

Can't get auth working, 403 Forbidden Error

Hi,

Basic Auth just doesn't work for me, been stuck for days and feels like I have turned over every stone there is to find a solution.

Some info about my hosting (phpinfo();):

PHP Version 5.6.8
Server API: CGI/FastCGI

I have added the below to .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>

And doing a var_dump on below shows correct values.

$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']
$_SERVER['HTTP_AUTHORIZATION']

Now to the issue. I get 403 Forbidden error using both postman and postman package sending the following information to the server:

POST /wp-json/posts HTTP/1.1
Host: mysite.com
Authorization: Basic XXXXXXXXXXXXXXX
Cache-Control: no-cache
Postman-Token: 6bb61e83-0bec-afcd-9b5d-605340683730
Content-Type: application/x-www-form-urlencoded

title=Test+1&content_raw=Test+2222&status=publish

The response I get:

[
    {
        "code": "json_cannot_create",
        "message": "Sorry, you are not allowed to post on this site."
    }
]

Anyone who has any idea or can point me in the right direction?
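
Added example (not the plugin's code): under CGI/FastCGI the `Authorization` header reaches PHP only when a rewrite rule like the one above copies it into `HTTP_AUTHORIZATION` (Apache may expose it as `REDIRECT_HTTP_AUTHORIZATION` after an internal redirect), so a handler has to parse it itself, and the README's TLS warning can be enforced at the same point. The `example_*` function names and the `$_SERVER`-style arrays are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.

/** Simplified TLS check over a $_SERVER-style array (stand-in for WordPress's is_ssl()). */
function example_request_is_tls( array $server ): bool {
	$https = strtolower( (string) ( $server['HTTPS'] ?? '' ) );
	return 'on' === $https || '1' === $https;
}

/**
 * Return array( $username, $password ) from a $_SERVER-style array, or null
 * when no well-formed Basic credentials reached PHP.
 */
function example_basic_credentials( array $server ): ?array {
	// mod_php decodes the header itself and fills these in.
	if ( isset( $server['PHP_AUTH_USER'] ) ) {
		return array( (string) $server['PHP_AUTH_USER'], (string) ( $server['PHP_AUTH_PW'] ?? '' ) );
	}

	// Under CGI/FastCGI the header arrives only if a rewrite rule copied it
	// into the environment; Apache may prefix the name with REDIRECT_.
	$header = '';
	foreach ( array( 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION' ) as $key ) {
		if ( ! empty( $server[ $key ] ) ) {
			$header = (string) $server[ $key ];
			break;
		}
	}

	// Accept only "Basic <base64>"; other schemes are left to other handlers.
	if ( ! preg_match( '#^Basic\s+([A-Za-z0-9+/]+={0,2})\s*$#i', $header, $m ) ) {
		return null;
	}
	$decoded = base64_decode( $m[1], true ); // strict mode rejects stray characters
	if ( false === $decoded || false === strpos( $decoded, ':' ) ) {
		return null;
	}

	// Split on the first colon only: the password may itself contain ':'.
	return explode( ':', $decoded, 2 );
}

/** Decide what to do with a request; credentials sent over plain HTTP are refused. */
function example_check_request( array $server ): string {
	$creds = example_basic_credentials( $server );
	if ( null === $creds ) {
		return 'no usable Basic credentials reached PHP';
	}
	if ( ! example_request_is_tls( $server ) ) {
		return "refused: credentials for '{$creds[0]}' sent without TLS";
	}
	return "would call wp_authenticate() for '{$creds[0]}'";
}

// Constructed $_SERVER samples, one per hosting situation discussed above.
$token   = base64_encode( 'editor:pa:ss' );
$samples = array(
	'mod_php over HTTPS'           => array( 'HTTPS' => 'on', 'PHP_AUTH_USER' => 'editor', 'PHP_AUTH_PW' => 'pa:ss' ),
	'FastCGI with rewrite rule'    => array( 'HTTPS' => 'on', 'HTTP_AUTHORIZATION' => "Basic $token" ),
	'FastCGI after redirect'       => array( 'HTTPS' => 'on', 'REDIRECT_HTTP_AUTHORIZATION' => "Basic $token" ),
	'FastCGI without rewrite rule' => array( 'HTTPS' => 'on' ),
	'plain HTTP'                   => array( 'HTTP_AUTHORIZATION' => "Basic $token" ),
	'malformed header'             => array( 'HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Basic !!!not-base64' ),
);
foreach ( $samples as $label => $server ) {
	printf( "%-30s %s\n", $label, example_check_request( $server ) );
}
```

Dumping the three `$_SERVER` keys, as the post does, shows which of these branches a given host takes; a 403 with correct values there points past header delivery to the user's capabilities or another layer.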

Social login with basic authentication

Hello,

How to implement social login with basic authentication? Is it possible to implement?

Please, any suggestion would be appreciated.

Thanks in advance.

Working over ssl

I installed this plugin in an SSL-enabled WordPress. I am getting the following response.

{
"code": "rest_no_route",
"message": "No route was found matching the URL and request method",
"data": {
"status": 404
}
}

Can you help me with this?

Not working since WP 4.4?

Hey guys,

Just wondering if this plugin is supposed to work with WP 4.4. Seems like it has not been updated for a while, one filter has changed and by trying to debug it I feel like it is not meant to work with the latest version of WP. I might be wrong but I want to make sure. Thanks!

Basic does not show up as a valid authentication method (or work)

I've installed and activated WP-API (v2) and Basic-Auth plugin, however, "Basic" does not appear in the list of authentication methods when querying /wp-json.

...
  "namespaces": [
    "wp/v2",
    "oembed/1.0"
  ],
  "authentication": [],
  "routes": {
    "/": {
...

If I install the OAuth plugin, the method does appear:

...
  "namespaces": [
    "wp/v2",
    "oembed/1.0"
  ],
  "authentication": {
    "oauth1": {
      "request": "http://www.crucibleradio.com/oauth1/request",
      "authorize": "http://www.crucibleradio.com/oauth1/authorize",
      "access": "http://www.crucibleradio.com/oauth1/access",
      "version": "0.1"
    }
  },
  "routes": {
    "/": {
...

For any request I make using the Basic authentication method, I get a permissions error:

{
  "code": "rest_cannot_edit",
  "message": "Sorry, you are not allowed to update this post.",
  "data": {
    "status": 401
  }
}

What causes an authentication method to become "registered" with WP-API and show up in that list? Does "Basic" appear as an item in the authentication methods in a working installation?

Can't find in plugins directory

Please put the name of the plugin as it's called in the plugin directory (or a link) so it can be found and installed.

TY

P.S. I manually copied the code and uploaded and it's working (running 4.9.2.) TY
P.P.S. I added code to return if !is_ssl()

Basic auth not working

Does anything else need to happen besides activating the plugin for basic auth to be enabled? I am sending my authentication in the headers but my response is just [] when doing an &context=edit

401 Unauthorized response when using this plugin

Hello,

I am making this request with Wordpress 4.9.4:

GET http://somehostname.com/index.php?rest_route=%2Fwp%2Fv2%2Fposts&per_page=100&page=2&context=edit HTTP/1.1
Host: somehostname.com
Authorization: Basic [****base64encoded username+":"+pass *******]
Accept-Encoding: gzip, deflate
User-Agent: [some user agent name]

And I get this response:

HTTP/1.1 401 Unauthorized
Date: Tue, 13 Feb 2018 14:26:12 GMT
Server: Apache
X-Powered-By: PHP/7.1.12
X-Robots-Tag: noindex
Link: <http://somehostname.com/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Vary: Accept-Encoding,User-Agent
Content-Length: 127
Content-Type: application/json; charset=UTF-8

{"code":"rest_forbidden_context","message":"Sorry, you are not allowed to edit posts in this post type.","data":{"status":401}}

Multisite Recursion Problem

There is a problem with recursion when using multisite. The json_basic_auth_handler calls wp_authenticate, which eventually calls the function is_user_spammy, which calls get_currentuserinfo, which fires off the determine_current_user filter again.

To resolve this I've removed the filter and re-added it as such:

remove_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );
$user = wp_authenticate( $username, $password );
add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );

multisite and buddypress support?

I tried this on a multisite network with BuddyPress installed; it seems this plugin needs to be activated on the individual site.

When the plugin is activated on a subdomain site of the network, curl with --user responds "incorrect_password". If network activated and never activated on the individual site, the response is 'curl: (52) Empty reply from server'.

It works great on a standard WordPress site.

Does this plugin support multisite and BuddyPress?

Make Basic-Auth part of wordpress plugins for http://wpackagist.org/

Problem

http://wpackagist.org/ is modernizing how we control our plugins via composer. As such, I think it would be beneficial to allow this plugin to be downloaded from wordpress.

I'm sure this was considered but perhaps put off due to specific needs. I just want an issue revolving around this particular subject.

Discussion

I did circumvent the need by adding composer-installer to this module #19 . By doing so, we give control to the project owner to define where they want basic-auth to install to. That is a custom plugins folder.

Not working 403 (rest_forbidden - Sorry, you are not allowed to do that)

Hi guys,

I hope you can help me with this. I set up a local copy with Bitnami with only basic plugins to GET/POST ACF fields through Basic Auth of the admin, and it works just fine.

I switched to an AWS server powered by Bitnami (free tier) with everything like the local copy.
I can get the values, but when I try to update them I get the following:

{
"code": "rest_forbidden",
"message": "Sorry, you are not allowed to do that.",
"data": {
"status": 403
}
}

Any ideas? I tried issue #1 but it is not working.

Basic Authorization does not work with AngularJS $http setting headers...

So I want to get login user info using a WP-API backend and an AngularJS front end (mobile app, NOT same domain). I installed WP-API Basic Authentication on my server side and tested it with

curl --user muhua.hou:123123123 https://creatorup.com/wp-json/users/me

It works and returns the user JSON object. But when I implement this with AngularJS / Ionic Framework, it returns status code 400. Below is how I do it in AngularJS

function linkUser(username, password) {
    var deferred = $q.defer();

    $ionicLoading.show({ template: "Loading..." });

    // Define the string
    var string = username + ":" + password;

    // Encode the String
    var encodedString = btoa(string);

    $http({method: 'GET', url: 'https://creatorup.com/wp-json/users/me',
        headers: { 'Authorization': 'Basic ' + encodedString }
    })
    .success(function(data, status){
        $ionicLoading.hide();
        deferred.resolve(data);
    }).error(function(){
        // .error() takes a callback, like .success() above
        console.log("Error while received data.");
        $ionicLoading.hide();
        deferred.reject();
    });
    return deferred.promise;
}

But it won't work. The error is: "XMLHttpRequest cannot load https://creatorup.com/wp-json/users/me. Invalid HTTP status code 400"

register_rest_route (Custom Route)

Hello, I've been trying to make a basic auth for a custom route that I made but couldn't find how to do so.

Here's my code:

function AllPostsByDESCDate( $data ) {
$posts = get_posts(array(
'posts_per_page' => 10,
'paged' => $data['paged'],
'orderby' => 'post_date',
'order' => 'DESC',
'post_type' => array( 'post', 'page', 'custom-post-type' ), // custom post types
'post_status' => 'publish',
'suppress_filters' => true
));

if ( empty( $posts ) ) {
return null;
}

return $posts;
}

I can send a get http request without Basic Auth while sending an http request to wp-prefix/v2/posts requires me to Basic Auth.

register_rest_route( 'wp-prefix/v2', '/AllPostsByDESCDate/(?P[a-zA-Z0-9-]+)', array(
'methods' => 'GET',
'callback' => 'AllPostsByDESCDate'
) );

I'm using REST API TOOLBOX (https://he.wordpress.org/plugins/rest-api-toolbox/) to choose which endpoint requires an auth

integrate the order API of woocommerce

Hello Everyone,
I face an issue when integrating the API to access the orders of WooCommerce. I use the following URL but it returns HTML code, and also find the consumer_key and consumer_secret which are needed to access any API of WooCommerce
"http://addisonhouse.com/wp-json/wc/v2/orders"
Please let me know whether it is right or wrong. If it is wrong, what is the correct URL to apply?

Thank You
