• Resolved spinksys

    (@spinksys)


    Hi, we recently updated our version from 6.0.5 -> 6.4.2, and since then I noticed an issue. If I’m logged in as an admin to our WordPress instance, everything generally works fine. If I’m not logged in, the API call is blocked with a 401 Unauthorized error. I assume that means we aren’t getting statu

    Any ideas what that’s about?

    Here’s the debug data if that helps:

    Plugin Configuration

    Performance Nag: Dismissed
    Log Limit: No
    Log Views From: Everyone
    Data Caching: Yes, 1 hour
    Data Sampling: No
    External object cache: Yes
    WPP_CACHE_VIEWS: No

    System Info

    PHP version: 8.1.28
    PHP extensions: Core, date, libxml, pcre, sqlite3, zlib, calendar, ctype, dom, fileinfo, filter, gmp, hash, iconv, json, pcntl, SPL, session, openssl, posix, Reflection, standard, SimpleXML, sockets, sodium, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, cgi-fcgi, apcu, bcmath, curl, mbstring, ftp, gd, gmagick, gnupg, igbinary, intl, exif, mcrypt, memcache, memcached, mysqli, newrelic, Phar, PDO, pdo_mysql, pdo_sqlite, shmop, sysvsem, sysvshm, soap, ssh2, timezonedb, zip, Zend OPcache
    Database version: 8.0.28
    InnoDB availability: DEFAULT
    WordPress version: 6.5.2
    Multisite: No
    Active plugins: Advanced Custom Fields PRO 6.2.9, Algolia Custom Integration 1.0.0, Category Order and Taxonomy Terms Order 1.7.4, Maintenance Mode 0.2.2, Weglot Translate 4.2.6, WordPress Popular Posts 6.4.2, Yoast Duplicate Post 4.5, Yoast SEO 20.4, Yoast SEO Premium 20.4
    Theme: () by

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Hector Cabrera

    (@hcabrera)

    Hey @spinksys,

    That’s usually caused either by overly greedy page caching rules and/or a security system somewhere blocking REST API requests from non-authenticated users, hence the 401 Unauthorized error message.

    Your active plugins list doesn’t show anything that sounds related to this (assuming these are the plugins that were enabled at the time you saw this error) so either you have some custom code in your theme’s functions.php file that’s doing this (unlikely IMO) or your hosting provider is the one to blame (eg. they offer a built-in/in-house page caching system or something like that, a security/firewall thingy that restricts public access to the REST API, etc.)

  • Thread Starter spinksys

    (@spinksys)

    Thanks for the quick reply @hcabrera!

    Did anything change with the API between /v1 and /v2 that might cause this? Or, let me explain. So we do have a firewall that blocks traffic, and our engineering team has created a mechanism for specific urls to get through (which they did for the /v1 API). When I notified them that the URL changed from /v1 to /v2, they updated this mechanism and the error changed from a blank error (I can’t recall specifically what it was) to the 401. When I reached back to them that it’s still not getting through they said the error is coming from the plugin itself, so I should reach out to you. But I have suspicions.

    In theory do you think updating our firewall rules from /v1 to /v2 should be enough? I’ll reach out to our host next, but I thought I’d double-check with you first.

    Thanks!

  • Plugin Author Hector Cabrera

    (@hcabrera)

    The plugin has some endpoints still using the V1 identifier since they really didn’t change. V2 ones are either new or existing ones that changed for some reason so you’d need to whitelist all of them.

    Also, technically it’s WordPress itself that’s throwing these 401 errors. The plugin itself doesn’t throw any 401s (that I remember, pretty sure I’m right but will have a look at the source code to confirm once I get back home.)

  • Thread Starter spinksys

    (@spinksys)

    Just found this: https://github.com/cabrerahector/wordpress-popular-posts/wiki/8.-REST-API-Endpoints#v2viewspost_id-post

    “Note that to send a POST request to this endpoint you must provide a valid nonce called '_wpnonce' either via the _wpnonce parameter or the X-WP-Nonce request header, otherwise the REST API will return an HTTP 401 Forbidden response.”

    I’m probably not doing that, so that’s probably the problem.

    Edit: Yes, that appears to be the problem. Now to figure out why.

  • Plugin Author Hector Cabrera

    (@hcabrera)

    Yep, that’s why I mentioned the page caching thing.

    Usually what happens is that users set up their page cache’s time-to-live too high which is a problem because WordPress nonces, by default, only last around 24 hours or so. Then when a page loads it may send an expired nonce and naturally WordPress responds with a 401 Forbidden error.

    I’m not too sure that’s what’s happening on your site though since it only happens to visitors (but maybe logged in users don’t see cached pages?) so you’ll have to poke around a bit more to find out what’s happening.

    Edit: It’s super odd that the WP-Nonce header is missing for visitor requests. First time I’ve seen something like that, I wonder what’s causing it.
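
Added example, not part of the thread and not code from the plugin or WordPress core: a JavaScript model of WordPress's default nonce tick window (`wp_nonce_tick()` / `wp_verify_nonce()`), showing when a nonce rendered into a cached page stops being accepted for a visitor's REST request. The HMAC secret, the timestamps and the helper names are constructed for illustration; `wp_rest` is the action WordPress uses for REST API nonces.

```javascript
// Added illustration (not plugin or WordPress core code): models the default
// nonce tick window to show how long a nonce baked into a cached page survives.
const crypto = require('crypto');

const NONCE_LIFE = 86400;                // WordPress default: one day, in seconds
const SECRET = 'constructed-demo-salt';  // constructed; real sites use NONCE_KEY/NONCE_SALT

// Mirrors wp_nonce_tick(): the counter advances every NONCE_LIFE / 2 seconds.
function nonceTick(now) {
  return Math.ceil(now / (NONCE_LIFE / 2));
}

// Simplified wp_create_nonce(): HMAC over "tick|action|uid|token".
// Visitors have uid 0 and an empty session token.
function nonceForTick(tick, action, uid) {
  const mac = crypto.createHmac('md5', SECRET).update(`${tick}|${action}|${uid}|`);
  return mac.digest('hex').slice(-12, -2);
}

function createNonce(action, uid, now) {
  return nonceForTick(nonceTick(now), action, uid);
}

// Mirrors wp_verify_nonce(): 1 = current tick, 2 = previous tick, 0 = rejected.
function verifyNonce(nonce, action, uid, now) {
  const tick = nonceTick(now);
  const same = (a, b) => a.length === b.length &&
    crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
  if (same(nonce, nonceForTick(tick, action, uid))) return 1;
  if (same(nonce, nonceForTick(tick - 1, action, uid))) return 2;
  return 0;
}

// A page cached at `cachedAt` keeps serving the nonce it was rendered with.
// Returns the verification result for a visitor POST sent `ageSeconds` later.
function cachedPageNonceResult(cachedAt, ageSeconds) {
  const nonce = createNonce('wp_rest', 0, cachedAt);
  return verifyNonce(nonce, 'wp_rest', 0, cachedAt + ageSeconds);
}

// Constructed timestamp that sits exactly on a tick boundary (worst case).
const BOUNDARY = 43200 * 40000;
console.log(cachedPageNonceResult(BOUNDARY, 3600));      // fresh cache entry
console.log(cachedPageNonceResult(BOUNDARY, 43201));     // just over 12 h old
console.log(cachedPageNonceResult(BOUNDARY + 1, 86399)); // best case, almost 24 h
```

Depending on where in the tick window the page was rendered, the embedded nonce survives between 12 and 24 hours, so a page-cache TTL at or below 12 hours keeps cached pages from serving a nonce that has already expired.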

  • The topic ‘401 Unauthorized on api calls’ is closed to new replies.