Rest api error invalid_username
-
Hi. I’ve been testing login via Google using the REST API, and every time I see an error: https://i.imgur.com/tyIvaR6.png. I’ve tried to set up Postman according to the screen; what could the problem be? I’ve changed the theme to solve the problem, however it is still the same.
{
    "code": "invalid_username",
    "message": "<strong>Chyba</strong>: Neznámé uživatelské jméno. Zkontrolujte to znovu nebo zkuste svou e-mailovou adresu.",
    "data": {
        "status": 401
    }
}
-
Hi @mishaml
To avoid misunderstandings, the first thing that I need to mention is that our REST API cannot handle the login or the registration process itself. As we mention in the documentation of our REST API:
it can help you only in figuring out if the social media account ( associated with the access token that you posted ) is linked to an existing WordPress account of your site or not. If it is already linked, then our REST API will return the ID of the WordPress account.
We checked this functionality on your site, by posting a Google access token to the REST API endpoint of our Google provider and it returned the User ID just fine. Can you reproduce the problem right now? ( Make sure you test it with a valid access token! )
If you can, then normally this “invalid_username” error code should not be triggered on our REST API at all, as we have nothing to do with usernames at this point. So I find it possible that you have a third party plugin, or code that interferes with REST API calls. To figure this out you should:
- disable all cache ( including server cache )
- disable all WordPress plugins except Nextend Social Login
- change your theme to a WordPress default one like Twenty Twenty-Four
- try posting the access token to the Google endpoint of the provider, using Postman, like you saw in the documentation:
https://nextendweb.com/nextend-social-login-docs/nextend-social-login-rest-api/
- if the problem no longer occurs, that confirms that you have a third party that interferes with REST API calls. By enabling the plugins one by one ( or in small groups ) and sending the POST request again each time, you could find the plugin that causes the problem. ( Just please note that, access tokens expire after some time! If it expires during the conflict test make sure you request a new one and continue the testing with the new one! )
Best regards,
Laszlo.

Are there any errors in my Postman code comparing to your version?
Based on what I see in your screenshot, it seems you configured the fields in Postman properly.
But I don’t really see the complete access token, so feel free to get in touch with us over the ticket system:
and send us the content of the access_token value field, then we will inspect it if its format is correct or not, also we will give it a try as well.
Important note:
Make sure you don’t share your access token on this public forum, as the access token can be used for making certain REST API requests on behalf of the account that the access token is associated with!

Do you have code to generate an access token? Because it seems that in order to test it I should set up full integration with Google.
Hi @mishaml
One access token that you can always trust is the one that Nextend Social Login requests from the provider. So before you implement the integration, you can do the testing with an access token that we requested earlier. However please note that, access tokens tend to expire after some time, so you might need to request a new one later as you do the debugging.
Here you can find a step by step guide of how you could inspect one of the access token values:
- Open this file e.g. via FTP or a Filemanager: wp-content\plugins\nextend-facebook-connect\includes\oauth2.php
- find this code:
    $this->access_token_data = $accessTokenData;
( it is located inside the authenticate() method around line 150 )
- add this code after it:
    echo wp_json_encode($this->access_token_data);exit;
- try to connect with the Google provider again. ( The login will die with a blank page with your access token printed out )
- copy this access token and test it with the REST API test form, that our documentation mentions:
https://nextendweb.com/nextend-social-login-docs/nextend-social-login-rest-api/#error_msg
- if this works fine, then compare the structure of the working access token with the wrong access token, that you tried to use earlier
- Finally, don’t forget to remove the custom code that writes out the access token, once you finished the debugging! Since if your site is live, then it will make the login fail for the existing users, too.
Best regards,
Laszlo.

Thank you, this way I can get a correct access token. I found that this error occurs when I use the Woocommerce plugin. Without it the API returns the user ID. I’ve installed the pro addon, so integration with Woocommerce should work.
We haven’t received any feedback about such conflicts with WooCommerce. But just in case, I installed and activated the latest WooCommerce on my local test site, and our REST API returned the user ID just fine, even if WooCommerce was enabled.
So if your problem occurs only if WooCommerce is enabled, then I find it possible that your problem is not directly connected to WooCommerce, but maybe you have a third party plugin with a wrong REST API implementation, and maybe that plugin depends on WooCommerce, so when you have WooCommerce disabled, they won’t run their codes either. You can confirm this by:
- changing your theme to a WordPress default one ( e.g. Twenty Twenty-Four)
- then disable all plugins except Nextend Social Login
- then post a valid access token to our REST API endpoint and see if the problem still occurs
- if it doesn’t then enable WooCommerce and post it again and check if the problem will occur or not
- if it won’t, then you can start enabling the rest of your plugins one by one, post the access token and repeat this until you find the plugin that causes a REST API error. The plugin that causes the problem most likely has its codes implemented wrongly, so they run their codes in other plugins’ REST API endpoints, too.
Best regards,
Laszlo.

I found that this error is triggered in wp-includes/user.php. To bypass it I should set the filter application_password_is_api_request to false. I’m not sure why this error occurs in my case, however it would be great to implement this fix in the plugin in case someone else also catches it.
Hi @mishaml
I am glad you managed to find a solution, however I think this approach just hides the real problem, since if you send a request to the REST API endpoint of one of our providers, then that is still an API request and by setting the “application_password_is_api_request” filter to “false”, you basically tell WordPress that it is not an API request, so it will ignore some of the security measures, that it does right now.
What is strange to me is that, by default WordPress fires the “application_password_is_api_request” filter only in the wp_authenticate_application_password() function:
and by default this function is used at 2 places only:
- it is hooked to the “authenticate” filter ( However we don’t use this filter at the time when you post the access token to our REST API endpoint, since as I stated earlier at this point we don’t log the user in, we just check if there is a user with the access token or not. We fire the “authenticate” filter only when we actually log the user in via social login )
- and it is also used within the wp_validate_application_password() function – which is hooked to the determine_current_user filter –
Based on this, I think your issue comes from that, something – maybe a security plugin – protects your REST API, makes it available only for the authorized requests:
The way you could find the place where the filter gets triggered from is writing out its callstack, something like this:
    add_filter('application_password_is_api_request', function($is_api_request){
        echo "<pre>";
        debug_print_backtrace();
        exit;
    });
Then you should post the access token to the REST API endpoint of our provider, then the page should die and write out the callstack of the application_password_is_api_request filter. If you inspect that, it might tell you which plugin fires it and where.
Important note:
You should probably do this modification over FTP or over the file manager of your server host, since the code above will make all pages die – with a blank page and the call stack printed – where the filter is applied, so if it is used other unexpected places too, then it could lock you out of your site. But with FTP you can remove the code once you are done with the debugging.
Best regards,
Laszlo.

#0 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp-hook.php(324): fix_nextend_error(true)
#1 /home/cp538923/sushijo.cz/dev/wp-includes/plugin.php(205): WP_Hook->apply_filters(true, Array)
#2 /home/cp538923/sushijo.cz/dev/wp-includes/user.php(366): apply_filters('application_pas...', true)
#3 /home/cp538923/sushijo.cz/dev/wp-includes/user.php(504): wp_authenticate_application_password(NULL, 'ck_c060bcf330ff...', 'cs_c3a66547734c...')
#4 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp-hook.php(324): wp_validate_application_password(false)
#5 /home/cp538923/sushijo.cz/dev/wp-includes/plugin.php(205): WP_Hook->apply_filters(false, Array)
#6 /home/cp538923/sushijo.cz/dev/wp-includes/user.php(3668): apply_filters('determine_curre...', false)
#7 /home/cp538923/sushijo.cz/dev/wp-includes/pluggable.php(70): _wp_get_current_user()
#8 /home/cp538923/sushijo.cz/dev/wp-includes/user.php(658): wp_get_current_user()
#9 /home/cp538923/sushijo.cz/dev/wp-content/plugins/woocommerce/includes/class-wc-rest-authentication.php(125): get_current_user_id()
#10 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp-hook.php(324): WC_REST_Authentication->authentication_fallback(NULL)
#11 /home/cp538923/sushijo.cz/dev/wp-includes/plugin.php(205): WP_Hook->apply_filters(NULL, Array)
#12 /home/cp538923/sushijo.cz/dev/wp-includes/rest-api/class-wp-rest-server.php(197): apply_filters('rest_authentica...', NULL)
#13 /home/cp538923/sushijo.cz/dev/wp-includes/rest-api/class-wp-rest-server.php(436): WP_REST_Server->check_authentication()
#14 /home/cp538923/sushijo.cz/dev/wp-includes/rest-api.php(420): WP_REST_Server->serve_request('/nextend-social...')
#15 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp-hook.php(324): rest_api_loaded(Object(WP))
#16 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters(NULL, Array)
#17 /home/cp538923/sushijo.cz/dev/wp-includes/plugin.php(565): WP_Hook->do_action(Array)
#18 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp.php(418): do_action_ref_array('parse_request', Array)
#19 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp.php(813): WP->parse_request('')
#20 /home/cp538923/sushijo.cz/dev/wp-includes/functions.php(1336): WP->main('')
#21 /home/cp538923/sushijo.cz/dev/wp-blog-header.php(16): wp()
#22 /home/cp538923/sushijo.cz/dev/index.php(17): require('/home/cp538923/...')
I’ve tried to print the backtrace, and all I see is that Woocommerce is making its authentication for the REST route, not any signs of other plugins.
Finally, I also tried your example code https://gist.github.com/nextendweb-laszlo/8753826f1fdc1fae84342d3b957b18d3#file-nsl-register-link-skeleton-php to implement REST API login on my site. And when I turn off Woocommerce this code seems to work, otherwise it’s not working as expected and returns an error. So I think that Woocommerce somehow interferes with Nextend Social Login.
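Reading a backtrace like the one posted above by script, as an added example that is not part of the original thread or of either plugin's code: it finds the innermost frame whose file is under wp-content/plugins, then reports the method containing that line, the hook that method was attached to, and the REST route being served. The names `parse_frames`, `triage` and `TRACE` are assumptions of this example; the frames are copied from the post above, where PHP has already truncated the hook and route strings.

```python
import re

# Frames #2 and #9-#14 of the backtrace posted above, copied as printed.
TRACE = """\
#2 /home/cp538923/sushijo.cz/dev/wp-includes/user.php(366): apply_filters('application_pas...', true)
#9 /home/cp538923/sushijo.cz/dev/wp-content/plugins/woocommerce/includes/class-wc-rest-authentication.php(125): get_current_user_id()
#10 /home/cp538923/sushijo.cz/dev/wp-includes/class-wp-hook.php(324): WC_REST_Authentication->authentication_fallback(NULL)
#11 /home/cp538923/sushijo.cz/dev/wp-includes/plugin.php(205): WP_Hook->apply_filters(NULL, Array)
#12 /home/cp538923/sushijo.cz/dev/wp-includes/rest-api/class-wp-rest-server.php(197): apply_filters('rest_authentica...', NULL)
#13 /home/cp538923/sushijo.cz/dev/wp-includes/rest-api/class-wp-rest-server.php(436): WP_REST_Server->check_authentication()
#14 /home/cp538923/sushijo.cz/dev/wp-includes/rest-api.php(420): WP_REST_Server->serve_request('/nextend-social...')
"""

FRAME = re.compile(r"^#(\d+)\s+(.+?)\((\d+)\):\s+(.+)$")
PLUGIN = re.compile(r"/wp-content/plugins/([^/]+)/")
HOOK = re.compile(r"(?:apply_filters|do_action)(?:_ref_array)?\('([^']+)'")
ROUTE = re.compile(r"serve_request\('([^']*)'\)")

def parse_frames(trace):
    """Parse debug_print_backtrace() lines: '#N file(line): call(args)'."""
    frames = []
    for line in trace.splitlines():
        m = FRAME.match(line.strip())
        if m:
            plugin = PLUGIN.search(m.group(2))
            frames.append({"file": m.group(2), "line": int(m.group(3)),
                           "call": m.group(4),
                           "plugin": plugin.group(1) if plugin else None})
    return frames

def triage(trace):
    """Summarise the plugin code nearest to the traced filter."""
    frames = parse_frames(trace)
    # Frames are innermost first; file(line) is where the call was made.
    pos = next((i for i, f in enumerate(frames) if f["plugin"]), None)
    if pos is None:
        return None
    inner, outer = frames[pos], frames[pos + 1:]
    hooks = [m.group(1) for f in outer if (m := HOOK.match(f["call"]))]
    routes = [m.group(1) for f in outer if (m := ROUTE.search(f["call"]))]
    return {
        "plugin": inner["plugin"],
        "at": inner["file"].split("/wp-content/")[-1] + ":" + str(inner["line"]),
        "calls": inner["call"],
        # The next frame out names the method that contains that line.
        "inside": outer[0]["call"] if outer else None,
        "hook": hooks[0] if hooks else None,
        "route": routes[0] if routes else None,
    }

if __name__ == "__main__":
    print(triage(TRACE))
```

A result of `None` means no frame in the trace lives under wp-content/plugins, so the filter was reached from core or theme code only.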
I haven’t managed to reproduce this problem on my test site, but I checked the codes of WooCommerce, and it seems their WC_REST_Authentication class hooks a function:
    add_filter( 'rest_authentication_errors', array( $this, 'authentication_fallback' ) );

    public function authentication_fallback( $error ) {
        if ( ! empty( $error ) ) {
            // Another plugin has already declared a failure.
            return $error;
        }
        if ( empty( $this->error ) && empty( $this->auth_method ) && empty( $this->user ) && 0 === get_current_user_id() ) {
            // Authentication hasn't occurred during `determine_current_user`, so check auth.
            $user_id = $this->authenticate( false );
            if ( $user_id ) {
                wp_set_current_user( $user_id );
                return true;
            }
        }
        return $error;
    }
that they run without any conditions that would make it specific to their own endpoints. This way they will run their codes on other plugins’ REST API endpoints. The reason you get to their authentication specific error is because they run the get_current_user_id() function here as well, so the determine_current_user filter will be fired at a later point.
Could you check please if you also experience the earlier mentioned error message from WooCommerce, if you post the access_token of a social media account which is already linked to an existing WordPress account on your site?
If the problem won’t occur in that case, then I find it possible that this could have a connection to that, our get_user REST API returns NULL value when we didn’t manage to find any users with the access token. If that is the case, then what you could try is modifying the get_user() method in this file:
- /wp-content/plugins/nextend-facebook-connect/NSL/REST.php
so it will look like this:
    public function get_user($request) {
        $provider = NextendSocialLogin::$enabledProviders[$request['provider']];
        try {
            $user = $provider->findUserByAccessToken($request['access_token']);
        } catch (Exception $e) {
            return new WP_Error('error', $e->getMessage());
        }
        if ($user === null) {
            return new WP_Error( 'user_does_not_exist', __( 'That user does not exist.' ) );
        }
        return $user;
    }
basically this is the extra code that you need to add to it before the return statement:
    if ($user === null) {
        return new WP_Error( 'user_does_not_exist', __( 'That user does not exist.' ) );
    }
This way, we would throw an error with the “user_does_not_exist” error code, if no user exists with the access token.
Please let me know if this worked, so we will add these modifications to our own codes, too. So you won’t lose the changes once you update the plugin.