Hello Ali,
I noticed an issue in the JSON_API_User_Controller class related to the $custom_fields variable.
Currently, on line 731, the code looks like this:
if(is_array($custom_fields)){
    foreach ($custom_fields as $field => $value) {
        if(in_array($field, $disallowed) ){
            $json_api->error("This meta_key '".$field."' is not allowed.");
        }
        if ($field == 'cookie')
            continue;
        if (is_array($value)) {
            $values = array_map('trim', $values);
        } else {
            $values = trim($value);
        }
        if(!in_array($field, $disallowed) ){
            foreach($disallowed as $d){
                $field = str_replace($d, 'disallowed', $field);
            }
            $result[$field]['updated'] = update_user_meta($user_id, $field, $values);
        }
    }
}
However, if the $custom_fields variable is not initialized, an error occurs:
Undefined variable $custom_fields in C:\wordpress\wp-content\plugins\json-api-user\controllers\User.php:731
To prevent this, I suggest adding a check for the existence of the $custom_fields variable. The modified code would look like this:
// empty() does not raise a warning when $custom_fields is undefined
if(!empty($custom_fields) && is_array($custom_fields)){
    foreach ($custom_fields as $field => $value) {
        if(in_array($field, $disallowed) ){
            $json_api->error("This meta_key '".$field."' is not allowed.");
        }
        if ($field == 'cookie')
            continue;
        if (is_array($value)) {
            // trim each element of the submitted array ($value, not the still-undefined $values)
            $values = array_map('trim', $value);
        } else {
            $values = trim($value);
        }
        if(!in_array($field, $disallowed) ){
            foreach($disallowed as $d){
                $field = str_replace($d, 'disallowed', $field);
            }
            $result[$field]['updated'] = update_user_meta($user_id, $field, $values);
        }
    }
}
A similar adjustment is also needed on line 198:
if (!empty($custom_fields) && is_array($custom_fields)) {
Please consider implementing these changes to avoid potential errors.
Thank you!

When I used JavaScript to call the API (using fetch), I saw a CORS error. It happened when I activated the JSON API Plugin, which is required.
When I deactivate the JSON API Plugin, no CORS error happens on the whole site.

Hi!
I’m trying to register a user via “/api/user/register/?username=<username>&email=<email>&user_pass=<password>&nonce=<nonce>” but I’m getting an error:
{
"status": "error",
"error": "Invalid access, unverifiable 'nonce' value. Use the 'get_nonce' Core API method. "
}
Although I’m sending the request after getting the nonce from “/api/get_nonce/?controller=user&method=register”
ENVIRONMENT
No other plugins are active.

Hello Ali.
Could you change a few lines of code in the JSON_API_User_Controller class where it concerns avatars?
When calling the get_userinfo(), generate_auth_cookie(), get_currentuserinfo() methods in the array, the $avatar[1] variable is returned.
We do not use these avatars in our application. These avatars cause an error:
[error][ErrorException:8] ErrorException: Undefined offset: 1 in C:\wordpress\wp-content\plugins\json-api-user\controllers\User.php:467
I suggest changing this code like this:
"avatar" => isset($avatar[1]) ? $avatar[1] : NULL,
or
"avatar" => $avatar[1] ?? NULL,
or
$avatar[1] = NULL;
preg_match('|src="(.+?)"|', get_avatar( $user->ID, 32 ), $avatar);
return array(
    "cookie" => $cookie,
    "cookie_admin" => $cookie_admin,
    "cookie_name" => LOGGED_IN_COOKIE,
    "user" => array(
        "id" => $user->ID,
        "username" => $user->user_login,
        "nicename" => $user->user_nicename,
        "email" => $user->user_email,
        "url" => $user->user_url,
        "registered" => $user->user_registered,
        "displayname" => $user->display_name,
        "firstname" => $user->user_firstname,
        "lastname" => $user->last_name,
        "nickname" => $user->nickname,
        "description" => $user->user_description,
        "capabilities" => $user->wp_capabilities,
        // "avatar" => ... (see above)
    ),
);
Thank you for your attention!

Can someone explain the procedure of the nonce?
Does it change from time to time? If yes, after how much time?
Or will it be the same every time?
I have called the API to get a nonce and sent it in the register API, but it is giving me the error “Invalid access, unverifiable ‘nonce’ value. Use the ‘get_nonce’ Core API method.”
I have got many nonces from Postman, but some of them work, like 2 nonces are working with the register API.
Someone please help.

Is there any documentation for each API endpoint in regards to parameters, headers, response? How to get these details about the API?
For instance, I want to create a POST using the create_post endpoint, but I’m not aware of the parameters to be passed to this endpoint, the headers to be set and the possible response.
Can someone please help me in regards to this?

I get an error:
Unknown controller ‘user’.
When calling the register:
https://sp-admin-cms.local/api/user/register/?username=unit%2Btest%40jpmedia.com.au&email=unit%2Btest%40jpmedia.com.au&user_pass=XXXX&nonce=XXXX&insecure=cool
I set a break point in json-api-user.php and see pimJsonApiController is called.
I set a break point in setUserControllerPath, but it does not seem to get called. I suspect this is the problem.

I’ve installed the plugin on my website and when I tried to access the login API, it returns success irrespective of whether the password is correct or not.
WordPress version: 6.0.3
PHP Version: 7.4.33
Please suggest how to resolve this issue?

I bought the plugin yesterday because it was used in an older version for an installation of a client with an app and the old version did not work in a new installation.
However, I have now encountered a problem with the newest version of plugin.
In the UserPlus.php (2022-08-01) in line 68 the variable $_REQUEST is overwritten:
$_REQUEST = $data_array;
This causes mixed parameters in the body and URL to not be recognized correctly. So as soon as parameters are passed in both the body and the URL, an error occurs.
Possibly this is due to a change in the PHP version (I use 8.1)?
Examples:
Request URL: https://xxx.com/api/userplus/generate_auth_cookie/?key=1234567890&data_format=json
Data in Body: {
"username": "theusername",
"password": "password"
}
ends in an error. The parameter key is not recognized.
I have now replaced this line with
$_REQUEST = array_merge($_GET, $data_array);
and it seems to work now.
Could the developer Ali Qureshi please take a look at this and fix it?
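
An added illustration of the behaviour described in the post above (not the plugin's code and not written by the poster): a standalone PHP function that combines query-string and JSON-body parameters instead of replacing `$_REQUEST` wholesale. The function name `merge_request_params` and the sample values are hypothetical; note that with `array_merge` the body value wins when the same key appears in both places.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: combine URL query parameters with a JSON request body.
 * Returns the merged array, or null when a body is present but does not
 * decode to an array.
 */
function merge_request_params(array $query, string $rawBody): ?array
{
    if (trim($rawBody) === '') {
        return $query;                 // no body sent: query string only
    }
    $body = json_decode($rawBody, true);
    if (!is_array($body)) {
        return null;                   // malformed JSON or a bare scalar
    }
    // Later arrays win in array_merge(), so a body key overrides the same
    // key in the URL. Swap the arguments if the URL should take precedence.
    return array_merge($query, $body);
}

// Constructed sample input mirroring the request in the post.
$query   = ['key' => '1234567890', 'data_format' => 'json'];
$rawBody = '{"username": "theusername", "password": "password"}';

// Overwriting (the effect of `$_REQUEST = $data_array;`): 'key' is lost.
$overwritten = json_decode($rawBody, true);
var_dump(isset($overwritten['key']));

// Merging keeps the parameters from both sources.
$merged = merge_request_params($query, $rawBody);
var_dump(isset($merged['key'], $merged['username']));

// Same key in URL and body: shows which of the two values survives.
$clash = merge_request_params(['key' => 'from-url'], '{"key": "from-body"}');
var_dump($clash['key']);

// A truncated body is rejected instead of silently dropping parameters.
var_dump(merge_request_params($query, '{"username": '));
```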
sorry double post

I’m attempting to register a new user using Postman.
/api/user/register/?username=john&[email protected]&nonce=be66a73631&display_name=John
After generating the nonce, I send the above POST, and the returning value in the console is:
{"status":"error","msg":"account duplication"}
I change values to be unique and it is the same error. Though I note a 403 status is returned.
Anyone else have this issue or can point me in the right direction?

I try to make a call for registration and I get this error back.
Invalid access, unverifiable 'nonce' value. Use the 'get_nonce' Core API method.
Any solution?

Hello. When I try to get something from the REST API, I get the error: Unknown controller ‘user’

I have a reCAPTCHA plugin from BestWebSoft, but when I activated the plugin, I can’t log in with generate_auth_cookie. It keeps returning invalid username/email or password.
Is JSON API User not supported with the reCAPTCHA plugin?

Hi! Is it possible to change the response msg? (for example this message: “Link for password reset has been emailed to you. Please check your email.”)
Or maybe it can be localized?
Hope that someone can help me)

I’ve just started using this plugin as I want to be able to register user accounts from a third party system.
As I understand it, I call /api/get_nonce/?controller=user&method=register to get a nonce and then /api/user/register/?nonce=12345&username…… etc to create a user.
How secure is this? If I’m able to retrieve a nonce and then use it to create a user, where is the layer of security to stop a hacker doing the same thing?
Sorry if I’ve misunderstood or missed something, but the nonce almost seems irrelevant unless there is another layer of security I need to include?
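
A simplified model of how WordPress derives and verifies nonces, added here as an illustration; it is not taken from the plugin or from the posts above. It assumes WordPress's default 24-hour nonce lifetime split into two 12-hour ticks; the secret, the action strings and the `model_*` function names are constructed stand-ins. It shows that a nonce stops verifying once two ticks have passed, and that for a logged-out caller (user ID 0, empty session token) the value is the same for every caller in a tick, so it works as a request token and not as authentication.

```php
<?php
declare(strict_types=1);

const MODEL_NONCE_LIFE = 86400;               // WordPress default: one day
const MODEL_SECRET = 'constructed-site-salt'; // stand-in for the site's nonce salt

/** Tick counter: increments every half lifetime (12 hours by default). */
function model_tick(int $now): int
{
    return (int) ceil($now / (MODEL_NONCE_LIFE / 2));
}

/** Nonce = 10 hex characters of an HMAC over tick, action, user ID and session token. */
function model_create_nonce(string $action, int $uid, string $token, int $now): string
{
    $data = model_tick($now) . '|' . $action . '|' . $uid . '|' . $token;
    return substr(hash_hmac('md5', $data, MODEL_SECRET), -12, 10);
}

/** Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce(). */
function model_verify_nonce(string $nonce, string $action, int $uid, string $token, int $now)
{
    foreach ([0 => 1, 1 => 2] as $age => $result) {
        $data = (model_tick($now) - $age) . '|' . $action . '|' . $uid . '|' . $token;
        $expected = substr(hash_hmac('md5', $data, MODEL_SECRET), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return $result;
        }
    }
    return false;
}

$action = 'example-user-register';   // constructed action string
$t0     = 1700000000;                // constructed timestamp

// Logged-out caller: user ID 0 and an empty session token.
$nonce = model_create_nonce($action, 0, '', $t0);

var_dump(model_verify_nonce($nonce, $action, 0, '', $t0));                // same tick
var_dump(model_verify_nonce($nonce, $action, 0, '', $t0 + 43200));        // one tick later
var_dump(model_verify_nonce($nonce, $action, 0, '', $t0 + 86400));        // two ticks later
var_dump(model_verify_nonce($nonce, 'example-other-method', 0, '', $t0)); // different action
var_dump($nonce === model_create_nonce($action, 0, '', $t0 + 60));        // another logged-out caller
```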

Hello,
I’ve installed both plugins, sent request to get the nonce (it returned 200 OK)
When I try to send POST to https://site.com/api/user/generate_auth_cookie/?username=john&password=PASSWORD-HERE it returns 200 OK with
{
"status": "error",
"error": "Unknown controller 'user'."
}
What can be wrong and how I could fix that?

I am a complete newbie here but I was wondering if you could help me understand something: Can this be used to sync WordPress users with an external CRM system?

I am developing a mobile app that is to connect to a LearnDash site in WordPress to obtain some user-specific data. What I found out is that LearnDash provides a REST API at https://<site>/wp-json/ldlms/v1/, and I successfully queried the public endpoints.
But when I try to access end points that require authentication, I get a 401 status. My expectation was that I could obtain a cookie via your plugin, but I keep getting these 401 errors. Manually testing the cookie from your plugin on the “normal” site using Chrome developer tools showed that the cookie itself is ok.
My suspicion is that I also need a “nonce”, but I don’t know what “controller” and “method” I should provide to your API to obtain a valid nonce for LearnDash.
Is there a way to query this from the installed site, or reverse-engineer this from the LearnDash code?
Any help you can provide me is highly appreciated, since I am quite stuck.

Greetings,
While testing, I tried to get a password reset link via /retrieve_password.
However, I get the email but no password reset link.

Will this work with JSON API plugin Version 1.1.1 as its base? (Last Dan Phiffer version).
Will this overwrite/change existing custom endpoints? Will existing custom endpoints continue to work or does it introduce new variables/methods you have to pass once activated?

This plugin works with the WP JSON API plugin, but this plugin is an old version and is creating an issue, as I am not able to edit anything in the text editor.

Hello, have you applied any XSS injection prevention rules? Say, in registration and/or in other API calls, will it cater for any exploits with malicious content? Thanks.

Hello, I am trying to use your plugin. I am creating a POST request for user registration. I am sending user details as a JSON array. Now the plugin responds with ‘You must include ‘username’ var in your request’. The only way I can get around this is by sending the details in query parameters (username, display_name). Then it works even if I send a blank body. So essentially it is a GET request URL, but getting sent with the POST method. Is that right? Thanks.

Hello. I have a question because you mention this in the plugin FAQ: “Always use POST method and not GET to submit data, following url examples are only for demonstration purposes” but I’m trying it with the API and if I don’t set the parameters in the URL, I’m getting an error. How can I pass these parameters with POST?

As I’m creating a React Native Android app, how can I accept incoming POST data, assumed to be in JSON notation? $input = file_get_contents('php://input', 1000000);

Hi,
When I pass a cookie as a parameter in an HTTP URL request, my dev environment (Xcode-Swift) tells me to percent-encode all characters that are considered ‘unsafe characters’ in the URL string I want to call.
So when I call the HTTP request, the ‘|’ character of the cookie is encoded and we have %7C that replaces this character. The problem is that the plugin believes that the cookie passed is not the same as the original. How to decode that character in the plugin?

Hello,
If the user already exists then it retrieves a status 404 not found. Please review this -> https://prntscr.com/q0xvxp
Response :
{
"status": "error",
"error": "E-mail address is already in use."
}
We are also facing that same issue at login time.
This one is a bug in your plugin. Instead of a 404 status, we require status 200.
Please help me with how to fix that.
Thank you

Hi,
How can I alter API responses (login, register, etc.) without changing the plugin code?

Where can I see all of the URL examples for JSON API User?
I see the 15 url examples located at: https://www.ads-software.com/plugins/json-api-user/
I would like to see all of the examples for the json api user plugin to understand how to use them all.
Thank you.