• Resolved 2f4u

    (@2f4u)


    Hi and thanks for this great plugin.

    My application authenticates using JWT with the following plugin:
    https://nl.www.ads-software.com/plugins/jwt-authentication-for-wp-rest-api/

After receiving the token, all of the REST API URLs give a CORS error. Not sure why though, because authenticated users can use every endpoint according to my settings.

    I’ve added this in the wp-config.php

    define( 'JWT_AUTH_SECRET_KEY',	'really-secret-jwt-key' );
    define( 'JWT_AUTH_CORS_ENABLE', true);

    My .htaccess

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Can you help me out?

    The page I need help with: [log in to see the link]

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Dave McHale

    (@dmchale)

    Hi @2f4u

    Thanks for using the plugin!

    I have to start by asking the obvious… have you tried this without Disable REST API running? What you are describing sounds entirely like issues with their plugin not properly enabling CORS support using that JWT_AUTH_CORS_ENABLE variable. If Disable REST API was blocking you, you’d see the custom messaging indicating that.

I’d recommend starting with a post to their support area https://www.ads-software.com/support/plugin/jwt-authentication-for-wp-rest-api/. But if there’s something I can do on this side based on their recommendations, or if I’m missing something, I’m happy to take another look! Good luck.

    Thread Starter 2f4u

    (@2f4u)

    Hi @dmchale ,

Thanks for getting back to me so quickly, I appreciate that a lot!

    Yes, I tried disabling the Disable REST API plugin (obviously ;)) and all REST API’s give proper answers when doing that. For that reason I’m posting my question to your support area first.

To make sure the Disable REST API plugin is not the one giving me a hard time, let me ask you this. Is this plugin handling CORS in any way at all?

    Cheers!

    Plugin Author Dave McHale

    (@dmchale)

Gotta ask the obvious questions first, always, right? Thanks for understanding.

    It’s odd, because no we don’t do anything to CORS at all. All of the primary logic happens at the rest_authentication_errors hook, so nothing is happening that should affect CORS based on my understanding of the permissions needed to update in order to add CORS support to REST requests. Any example I can find online about enabling CORS for the REST API seems to be mucking with the rest_pre_serve_request filter.

    The logic in this plugin simply checks your allow/deny lists and pattern matches based on the name of the endpoint requested. If the user is allowed to view it based on their user role, we pass through the permissions – meaning we only get in the way of the request if the DRA settings say to block the request. Otherwise requests should be allowed to follow their “default behavior” as if DRA wasn’t even installed, whatever “default behavior” means for the endpoint in question.

    As I said before, I’m still happy to look into a patch if there is anything I can do which is causing some kind of conflict, but at this point I’m not seeing what DRA could be doing to be the cause of your issue.
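An added example, not code from the Disable REST API plugin or the JWT plugin, of the two hooks named above: a minimal allow-list gate on rest_authentication_errors that behaves the way the plugin author describes (only intervening when the request is not permitted, otherwise leaving default behaviour alone), and an explicit CORS origin allow-list on rest_pre_serve_request. The `demo_` names, the route patterns and the origin `https://app.example.com` are hypothetical.

```php
<?php
/**
 * Added example (not from either plugin discussed in the thread): an
 * allow-list gate on rest_authentication_errors plus an explicit CORS
 * origin allow-list on rest_pre_serve_request. All "demo_" names,
 * patterns and origins are hypothetical.
 */

// Hypothetical allow-list: route patterns that unauthenticated callers may
// still reach. Every other route requires a logged-in user.
const DEMO_PUBLIC_ROUTE_PATTERNS = array(
    '#^/wp/v2/posts(/|$)#',
);

// Hypothetical list of browser origins allowed to call the REST API.
const DEMO_ALLOWED_ORIGINS = array( 'https://app.example.com' );

/**
 * Return the REST route being requested (e.g. "/wp/v2/posts"), or '' when the
 * request did not come through the REST dispatcher.
 */
function demo_current_rest_route() {
    if ( ! empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        return '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' );
    }
    // Fallback for pretty permalinks: strip the "/wp-json" prefix from the path.
    $path   = (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    $prefix = '/' . rest_get_url_prefix();
    if ( 0 === strpos( $path, $prefix ) ) {
        return '/' . ltrim( substr( $path, strlen( $prefix ) ), '/' );
    }
    return '';
}

function demo_route_is_public( $route, array $patterns ) {
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Gate callback. Ordering details that matter on this hook:
 *  - a WP_Error set by an earlier callback (e.g. a token plugin rejecting a
 *    malformed JWT) is returned untouched rather than replaced by a generic 401;
 *  - is_user_logged_in() runs determine_current_user, so a valid Bearer token
 *    already counts as authenticated here;
 *  - CORS preflight (OPTIONS) requests never carry an Authorization header, so
 *    they are let through; the route's own permission_callback still applies;
 *  - returning $result unchanged means "no opinion", leaving default behaviour.
 */
function demo_rest_authentication_gate( $result ) {
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    if ( demo_route_is_public( demo_current_rest_route(), DEMO_PUBLIC_ROUTE_PATTERNS ) ) {
        return $result;
    }
    // Same shape as the blocking response quoted later in the thread.
    return new WP_Error(
        'rest_cannot_access',
        __( 'Only authenticated users can access the REST API.', 'demo' ),
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'demo_rest_authentication_gate', 99 );

/**
 * CORS on the filter the thread mentions. Priority 11 runs after core's own
 * rest_send_cors_headers(), and header() replaces whatever that emitted, so
 * only origins in DEMO_ALLOWED_ORIGINS ever receive a grant; any other Origin
 * gets no Access-Control-Allow-Origin at all.
 */
function demo_rest_cors_headers( $served, $result, $request, $server ) {
    $origin = get_http_origin();
    if ( $origin && in_array( $origin, DEMO_ALLOWED_ORIGINS, true ) ) {
        header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
        header( 'Access-Control-Allow-Credentials: true' );
        header( 'Access-Control-Allow-Headers: Authorization, Content-Type, X-WP-Nonce' );
        header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
        header( 'Vary: Origin', false );
    } else {
        header_remove( 'Access-Control-Allow-Origin' );
        header_remove( 'Access-Control-Allow-Credentials' );
    }
    return $served;
}
add_filter( 'rest_pre_serve_request', 'demo_rest_cors_headers', 11, 4 );
```

Dropped into a small must-use plugin, the gate returns the 401 body only when it is the first callback to object; a JWT plugin's own error for a bad or expired token is preserved, which keeps the response code useful when diagnosing exactly the kind of blanket 401 described further down this thread.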

    Thread Starter 2f4u

    (@2f4u)

    Thanks for your elaborate answer. It’s good to know what the logic is inside the DRA plugin. I guess I should have a good look at the JWT implementation and ask for support from their side.

    Thread Starter 2f4u

    (@2f4u)

I’ve found some time to test with another JWT plugin. This taught me that CORS is not the issue here. The status code returned is 401 (not authenticated).

This is still the case for me whenever I’m using JWT for authentication. With both plugins I get the same results when the DRA plugin is activated. I’m authenticated as administrator, so all REST endpoints should be available. But somehow I get a 401 for every one of them. I’m using the Bearer: token header for authentication.

    Any ideas on why this would happen?

    Plugin Author Dave McHale

    (@dmchale)

    I have some theories but don’t have a concrete answer, no. I won’t have the ability to look into things this weekend likely, but will definitely circle back and try to do some testing myself to see what I can dig up. Thanks for your patience!

    Plugin Author Dave McHale

    (@dmchale)

    Hi again @2f4u

    So, I did some testing this evening and I unfortunately cannot replicate your issue. I hope that if I explain the steps I went through, perhaps you can indicate somewhere I went off base. Apologies in advance for the wall of text.

I first went to the wp.org repository and downloaded the first plugin you had mentioned when starting this conversation https://www.ads-software.com/plugins/jwt-authentication-for-wp-rest-api/. I’m running everything on my own machine using Local by WPEngine.

    Per their documentation, I first added this to my .htaccess file

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

    Then I added these to my wp-config.php file

    define('JWT_AUTH_SECRET_KEY', '12345');
    define('JWT_AUTH_CORS_ENABLE', true);

    I created a quick REST endpoint which simply replies with “Hello World”, which on my test site lives at /wp-json/binarytemplar/v1/test. I then went into the Disable REST API settings and ensured that Unauthenticated users do NOT have permission to this endpoint but Contributors do. Testing in a browser, I was able to confirm that these settings were working as expected for both user roles.

    I then fired up Postman to test some remote posts to the JWT endpoints. First I created one which does a POST to the /wp-json/jwt-auth/v1/token route with my contributor’s username/password. This is my response

    {
        "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvZGlzYWJsZS1yZXN0LWFwaS5sb2NhbCIsImlhdCI6MTYzNDYwNjEwMCwibmJmIjoxNjM0NjA2MTAwLCJleHAiOjE2MzUyMTA5MDAsImRhdGEiOnsidXNlciI6eyJpZCI6IjIifX19.0_Kmhh0YmS6pwqFSvxdjyi9WTZyeRpxk3O6lKDZinsQ",
        "user_email": "[email protected]",
        "user_nicename": "cont",
        "user_display_name": "cont"
    }

Using that token, I created a second test in Postman which does a GET to /wp-json/binarytemplar/v1/test but passes the extra header as specified. With this token passed in the headers, I get a correct response and see Hello World reply from the route.

    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvZGlzYWJsZS1yZXN0LWFwaS5sb2NhbCIsImlhdCI6MTYzNDYwNjEwMCwibmJmIjoxNjM0NjA2MTAwLCJleHAiOjE2MzUyMTA5MDAsImRhdGEiOnsidXNlciI6eyJpZCI6IjIifX19.0_Kmhh0YmS6pwqFSvxdjyi9WTZyeRpxk3O6lKDZinsQ

    If I do NOT pass this token (eg: attempt to access as an Unauthenticated user) I get the DRA blocking error which is expected

    {
        "code": "rest_cannot_access",
        "message": "DRA: Only authenticated users can access the REST API.",
        "data": {
            "status": 401
        }
    }

    Can you confirm if any of this doesn’t line up with what you are doing on your end? Are you able to see any more details about the 401 you are getting in response?

    Cheers!
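As an added example that is not the plugin author's own test code, here is the "Hello World" route from the walkthrough above registered with its own permission_callback, together with a PHP client that reproduces the two Postman requests (obtain a token at /wp-json/jwt-auth/v1/token, then call the route with it as a Bearer token). The namespace and route follow the thread; the site URL, credentials and the `demo_` names are hypothetical.

```php
<?php
/**
 * Added example, not code from the thread or from either plugin: the test
 * route registered with a per-route capability check, plus a PHP client for
 * the token-then-request flow. Host, credentials and "demo_" names are
 * hypothetical; the namespace/route and token endpoint follow the thread.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'binarytemplar/v1', '/test', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'message' => 'Hello World' ) );
        },
        // Per-route check that does not depend on any global gate: contributors
        // and above hold edit_posts; anonymous callers get 401, a logged-in user
        // without the capability gets 403.
        'permission_callback' => function () {
            if ( current_user_can( 'edit_posts' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You need the edit_posts capability for this route.', 'demo' ),
                array( 'status' => is_user_logged_in() ? 403 : 401 )
            );
        },
    ) );
} );

/**
 * Client side of the flow shown in the thread: exchange username/password for
 * a JWT, then present it as "Authorization: Bearer <token>". Returns the
 * decoded body of the protected route, or a WP_Error whose data carries the
 * server's JSON (code/message/status) so the rejecting check can be read off.
 */
function demo_call_protected_route( $site, $username, $password ) {
    $base = trailingslashit( $site ) . 'wp-json/';

    $token_response = wp_remote_post( $base . 'jwt-auth/v1/token', array(
        'body'    => array( 'username' => $username, 'password' => $password ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $token_response ) ) {
        return $token_response;
    }
    $token_body = json_decode( wp_remote_retrieve_body( $token_response ), true );
    if ( 200 !== wp_remote_retrieve_response_code( $token_response ) || empty( $token_body['token'] ) ) {
        return new WP_Error( 'demo_no_token', 'Token request failed', $token_body );
    }

    $route_response = wp_remote_get( $base . 'binarytemplar/v1/test', array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token_body['token'] ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $route_response ) ) {
        return $route_response;
    }
    $status = wp_remote_retrieve_response_code( $route_response );
    $body   = json_decode( wp_remote_retrieve_body( $route_response ), true );
    if ( 200 !== $status ) {
        // e.g. status 401 with code "rest_cannot_access" in $body, as quoted
        // above, identifies which check rejected the request.
        return new WP_Error( 'demo_route_' . $status, 'Protected route returned ' . $status, $body );
    }
    return $body;
}

// Hypothetical usage from WP-CLI or a test plugin:
// $result = demo_call_protected_route( 'https://disable-rest-api.local', 'cont', 'password' );
// is_wp_error( $result ) ? print_r( $result->get_error_data() ) : print_r( $result );
```

Keeping the capability check on the route itself means the endpoint stays protected even when a global plugin such as DRA is disabled for troubleshooting, and the client's error data makes the difference between "token not issued" and "token accepted but route refused" visible in one call.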

    Plugin Author Dave McHale

    (@dmchale)

    Hi @2f4u

    I’m going to mark this as “resolved” since I haven’t heard back in 2 months. I hope things are working well for you, but please feel free to make another post if you have any other issues!

    Thread Starter 2f4u

    (@2f4u)

    Hi @dmchale

Sorry for not responding anymore. I did not have any luck using your plugin. I did however make some changes to the set of plugins and now use the REST API successfully. I will try your plugin again someday.

    Thanks again for your patience and for helping me out.

    Cheers

    • This reply was modified 2 years, 11 months ago by 2f4u.
  • The topic ‘CORS error for all API calls after authenticating using JWT’ is closed to new replies.