Logging into Rest API after password change (no page reload)

  • Resolved ewd910

    (@ewd910)


    4 weeks ago

    Hi, I’m having trouble with my user management screen. When a user changes their password on their profile page, they are no longer able to make any other edits (email, profile pic, etc) because they’ve been signed out of the WP API. This makes sense, because the wordpress auth cookies are based on the user’s login and password. I modified my user update function on the frontend to set the wordpress_ and wordpress_logged_in_ cookies to the new values that I pass from the backend after an update, and I can confirm that the subsequent requests use those new cookie values in the header, but I’m still getting a 403 error. I know I’m setting those cookies to the right value, because if I refresh the page the values stay the same, but the API calls start working again. I’d like to do this without a page refresh, however. So, there must be another value in the header that needs to be updated for the REST requests to pass validation. Does anyone know what that value might be? Thanks in advance

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    You did not say anything about sending a nonce with the API request. If you have not done so, it’s surely the reason you’re getting 403 responses. Please refer to https://developer.www.ads-software.com/rest-api/using-the-rest-api/authentication/

    In particular this:

    For developers making manual Ajax requests, the nonce will need to be passed with each request. The API uses nonces with the action set to wp_rest. These can then be passed to the API via the _wpnonce data parameter (either POST data or in the query for GET requests), or via the X-WP-Nonce header. If no nonce is provided the API will set the current user to 0, turning the request into an unauthenticated request, even if you’re logged into WordPress.

    Thread Starter ewd910

    (@ewd910)

    Yes, that was it, thanks. For anyone else with this issue, the nonce wasn’t updating after the password change, the $_COOKIE var has to be updated directly rather than relying on the WordPress implementation. I found this stackoverflow post useful –
    https://wordpress.stackexchange.com/questions/377570/identical-wp-rest-nonce-returned-from-rest-api

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.