Login a WP user via REST API

@dreamon11

Looking at the code for the wp_signon function it expects data to be past via $_POST.

I think by used the WP_REST_Server::READABLE method in you REST_API you are expecting a $_GET variable, you might want to try WP_REST_Server::EDITABLE nd see if that converts the data submission to $_POST.

@mattyrob

The wp_signon() reads only $_POST if there is no $credentials.

if ( empty( $credentials ) ) {
		$credentials = array(); // Back-compat for plugins passing an empty string.

		if ( ! empty( $_POST['log'] ) ) {
			$credentials['user_login'] = wp_unslash( $_POST['log'] );
		}
		if ( ! empty( $_POST['pwd'] ) ) {
			$credentials['user_password'] = $_POST['pwd'];
		}
		if ( ! empty( $_POST['rememberme'] ) ) {
			$credentials['remember'] = $_POST['rememberme'];
		}
	}

The problem is not here because the code works outside REST API.

@dreamon11

Quite right, I just glimpsed at the function further down.

I have this working locally and I think the issue is in passing and collecting the user_login and user_password. The fields need to be specified in your endpoint I think:

'/login/(?P<login>[a-zA-Z0-9-]+)/password/((?P<password>[a-zA-Z0-9-]+))',

And you then to to handle the data in your callback, the 2 fields above would be in $request['login'] and $request['password'].

So my full code is now this:

add_action('rest_api_init',
	function () {
		register_rest_route(
			'xxx/v1',
			'/login/(?P<login>[a-zA-Z0-9-]+)/password/((?P<password>[a-zA-Z0-9-]+))',
			//'login/',
			[
				'methods'   => WP_REST_Server::READABLE,
				'callback'  => function ( WP_REST_Request $request ) {
					// I try this:
					wp_set_current_user(1);
					wp_set_auth_cookie(1);

					// and this:
					$user = wp_signon(
						[
							'user_login' => $request['login'],
							'user_password' => $request['password'],
							'remember' => true,
						],
						false
					);
					wp_send_json( $user );
				}
			]
		);
	}
);

@mattyrob

It works when I send the REST request from my browser with RESTClient extension for example.

But it doesn’t work when I send this REST request from subdomain.site.com.

The WP User is well returned, but cookies are not defined :/

@dreamon11

Are you able to log the JSON response on the subdomain and see what response you are getting?

@mattyrob

Yes, I have all WP User info: ID, login…

@dreamon11

I wonder if it’s because the cookie needs to be set on the client machine but via a REST call it’s trying to get set on the subdomain server.

So, I need to define WP cookies from subdomain.site.com.

Thanks for help!

Hi @dreamon11 , i’m wondering how did you end up setting the auth cookies exactly? I am having the same issue although I am using the rest api inside the wordpress theme on the same domain.. a react wordpress theme. my endpoint looks very similar to what you posted. Thanks!

Hello @rozv,

I do the following:

1. Send GET request from subdomain.site.com (another site) to site.com (WP)
2. In WP, use this same code as my first post. With this code, WP returns COOKIES in the response
3. In the another site, I retrieve COOKIES values from response and set cookies with PHP setcookie to login the user.

Cookies return by WP:
wordpress_xxxx
wordpress_sec_xxxx
wordpress_logged_in_xxxx