• Resolved Mostafa Higazy

    (@djter3a3)


    Issue Description: The current implementation checks for authorization headers even when the request method is OPTIONS, which causes issues. Adding a check to return a 200 status code when the request method is OPTIONS will fix this issue. This only occurs when doing GET requests from different origins. (example: https://www.example.com requesting from api.example.com)

    Error Response for Missing Authorization Header: The error response for a missing authorization header includes the following details:

    • Status: error
    • Error: MISSING_AUTHORIZATION_HEADER
    • Code: 401
    • Error Description: Authorization header not received. Either the authorization header was not sent or it was removed by your server due to security reasons.

    Proposed Solution: Add a check in the code to return a 200 status code when the request method is OPTIONS. This will prevent the unnecessary checking for authorization headers in such cases.

    Additional Resource: A helpful image that explains the process can be found at this link.


    Solution example code (to be added to the files in (wp-content/plugins/wp-rest-api-authentication/admin/partials/flow)):

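    // Answer OPTIONS requests before the Authorization header check runs.
    if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        $response = array(
            'status'  => 'success',
            'message' => 'Preflight request accepted.',
            'code'    => '200',
        );
        // wp_send_json() sends the JSON body and ends the request.
        wp_send_json($response, 200);
    }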
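
A narrower form of the check proposed above, as an added example that is not part of the original post or the plugin's code: only a genuine CORS preflight (OPTIONS with both `Origin` and `Access-Control-Request-Method`) from an allow-listed origin skips the Authorization check, and every other request still needs the header. The function names, the `ALLOWED_ORIGINS` list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: names and the allow-list are hypothetical, not the plugin's.
const ALLOWED_ORIGINS = ['https://www.example.com'];

/** A CORS preflight is OPTIONS carrying Origin and Access-Control-Request-Method. */
function is_cors_preflight(array $server): bool {
    return ($server['REQUEST_METHOD'] ?? '') === 'OPTIONS'
        && !empty($server['HTTP_ORIGIN'])
        && !empty($server['HTTP_ACCESS_CONTROL_REQUEST_METHOD']);
}

/** Decide what the auth layer does with a request, given a $_SERVER-style array. */
function auth_gate(array $server): array {
    if (is_cors_preflight($server)) {
        $origin = $server['HTTP_ORIGIN'];
        if (!in_array($origin, ALLOWED_ORIGINS, true)) {
            // Unknown origin: no CORS headers, so the browser blocks the real call.
            return ['action' => 'reject', 'status' => 403, 'headers' => []];
        }
        return ['action' => 'preflight', 'status' => 200, 'headers' => [
            'Access-Control-Allow-Origin'  => $origin, // echo the vetted origin, never "*"
            'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
            'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
            'Vary'                         => 'Origin',
        ]];
    }
    // Everything else, including a bare OPTIONS, still needs credentials.
    if (empty($server['HTTP_AUTHORIZATION'])) {
        return ['action' => 'reject', 'status' => 401, 'headers' => []];
    }
    // Header present: the caller goes on to validate the token itself.
    return ['action' => 'continue', 'status' => 0, 'headers' => []];
}

// Constructed sample requests covering each branch.
$samples = [
    'preflight, allowed origin' => ['REQUEST_METHOD' => 'OPTIONS',
        'HTTP_ORIGIN' => 'https://www.example.com',
        'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'GET'],
    'preflight, unknown origin' => ['REQUEST_METHOD' => 'OPTIONS',
        'HTTP_ORIGIN' => 'https://other.example.net',
        'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'GET'],
    'bare OPTIONS, no CORS headers' => ['REQUEST_METHOD' => 'OPTIONS'],
    'GET without Authorization' => ['REQUEST_METHOD' => 'GET'],
    'GET with Authorization' => ['REQUEST_METHOD' => 'GET',
        'HTTP_AUTHORIZATION' => 'Bearer constructed-token'],
];
foreach ($samples as $label => $server) {
    $d = auth_gate($server);
    printf("%-30s -> %s (%d)\n", $label, $d['action'], $d['status']);
}
```

A preflight answered with 200 but without the `Access-Control-Allow-*` headers still fails in the browser, which is why the sketch returns them together with the status.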
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author abhiladdha07

    (@abhiladdha07)

    Hi @djter3a3,

    Thanks for reaching out and sharing the information.

    We have reviewed it and would like to inform you that we will include these required additions to our plugin to handle these cases.

    Thanks again for providing the details and please feel free to reach out to us if you need anything else.

    Thanks,
    Team miniOrange

    Thread Starter Mostafa Higazy

    (@djter3a3)

    Hello @abhiladdha07,

    I just saw the most recent update and it seems that the CORS issue was not resolved. While the code was updated with a fix, it seems that either the callback function is not working or something is returned before it is called.
    The function in question being: mo_api_auth_initialize_api_flow

    Update: The issue seems to be that the function is bypassing any logic/functions being executed in the plugin and falling back to WordPress default behaviour. This causes a 401 error, since the default WordPress behaviour is to only allow logged-in users. This means that all ‘OPTIONS’ header requests will return 401, not just ones that are blocked by CORS to auth requirements between different domains.

    Thanks.

    Plugin Author abhiladdha07

    (@abhiladdha07)

    Hi @djter3a3,

    Thanks for pointing this out. We are checking this and will update you soon.

    Thanks,
    Team miniOrange

    Plugin Author abhiladdha07

    (@abhiladdha07)

    Hi @djter3a3,

    We have looked into it and would like to inform you that this fix will be included in the very next release of the plugin.

    We appreciate your help in pointing this out.

    Thanks,
    Team miniOrange

    Plugin Author abhiladdha07

    (@abhiladdha07)

    Hi @djter3a3,

    Just wanted to inform you that we have already included this fix in the last release. Please test and let us know if you still face any issues.

    For now, we are marking this thread as resolved but please feel free to reach out if you have any questions or need help.

    Thanks,
    Team miniOrange
