• First, thank you for the work you’ve put into this plugin; you’ve done a fantastic job.

    I am having an issue with the Create License and Update License REST API calls; the API returns status 200, but in both cases no actual data is saved.

    Additionally, a bug in the current implementation is causing the content body of the response for Create License POST requests to return an array of all licenses, as opposed to just the license created from that request. Typically an API response for a POST request would return only the newly-created object, and per your documentation, that is the intended behavior for this API also.

    Specifics of the problem, and the env follow:

    • The consumer key/secret are valid, with R/W permissions
    • The API key is assigned to a user with full admin permissions on this WordPress install
    • All API routes are enabled
    • Permalinks have been re-saved
    • Both API calls are being sent with the Accept and Content-Type headers set to application/json
    • Body content is raw json string, using the snake_case format for field names, e.g.: { "product_id": 123 }
    • All of the other licenses API routes that take GET method are working fine (such as licenses/activate, with the activation count incrementing as it should); only the PUT and POST calls are having this issue
    • Both WordPress and WooCommerce are on the latest stable version
    • Using Postman for testing the API calls

    For the Update License request, it’s returning http status 200, with Success: true and the license data object in the content body, but without the updated values in my request, with the actual license in the database unchanged.

    For the Create License request, it’s also returning http status 200, but not actually saving the new license to the database. In addition, as mentioned earlier, the response is actually an array of all licenses (as if I had made a “List Licenses” request) – the new license the request was supposed to create, is not in that list, nor is it anywhere in the database with the other licenses.

    Last question; do you accept pull requests for bug fixes such as this? And where would that be done at? The GitHub repo appears to be out of date, but I’d gladly contribute if it helps.

    Thanks in advance,
    SK

    Edit: For reference, I’ve included two actual API requests that are failing:

    CREATE LICENSE:

    curl --location --request POST '[BaseAddressRedacted]/wp-json/lmfwc/v2/licenses' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Basic [CredentialsRedacted]' \
    --data-raw '{
    	"order_id": null,
    	"product_id": 34050077,
    	"user_id": null,
    	"license_key": "ABC-123-XYZ",
    	"expires_at": null,
    	"valid_for": null,
    	"status": 4,
    	"times_activated": null,
    	"times_activated_max": 1
    }'

    UPDATE LICENSE:

    curl --location --request PUT '[BaseAddressRedacted]/wp-json/lmfwc/v2/licenses/J1M-3JN-IRW' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Basic [CredentialsRedacted]' \
    --data-raw '{
    	"times_activated_max": 999
    }'
Viewing 10 replies - 1 through 10 (of 10 total)
  • @steliokontos Hi,

    Hope you are doing good.

    Let me look into it and discuss it with my team.

    Thanks

    @steliokontos Hi,

    Can you please provide me with a video of this issue?

    Which PHP and MySQL version are you using?

    Thanks

    • This reply was modified 2 years, 4 months ago by M Haseeb.
    Thread Starter Stelio Kontos

    (@steliokontos)

    Video demonstrating PUT/POST calls through Postman

    Env info:

    
    ### wp-core ###
    
    version: 6.0.1
    site_language: en_US
    user_language: en_US
    timezone: -05:00
    permalink: /%year%/%monthnum%/%day%/%postname%/
    https_status: true
    multisite: false
    user_registration: 0
    blog_public: 1
    default_comment_status: open
    environment_type: production
    user_count: 1296
    dotorg_communication: true
    
    ### wp-server ###
    
    server_architecture: Linux 2.6.32-954.3.5.lve1.4.87.el6.x86_64 x86_64
    httpd_software: LiteSpeed
    php_version: 7.4.30 64bit
    php_sapi: litespeed
    max_input_variables: 2000
    time_limit: 600
    memory_limit: 1024M
    max_input_time: 1500
    upload_max_filesize: 1024M
    php_post_max_size: 1024M
    curl_version: 7.71.0 OpenSSL/1.1.1p
    suhosin: false
    imagick_availability: false
    pretty_permalinks: true
    htaccess_extra_rules: true
    
    ### wp-database ###
    
    extension: mysqli
    server_version: 10.3.35-MariaDB-log-cll-lve
    client_version: mysqlnd 7.4.30
    max_allowed_packet: 1073741824
    max_connections: 500
    
    
    Thread Starter Stelio Kontos

    (@steliokontos)

    Any update? Or can anyone else who may be reading this thread confirm if the PUT and POST API calls for licenses work for them? The fact that nobody else seems to have reported this issue makes me wonder if it could be an issue on my end, perhaps with the server ignoring those types of REST method calls. My experience with WP’s REST API is limited, however, and honestly not sure where to go from here.

    @steliokontos

    You are creating a license without entering “Status” Json data and value, this field is required when creating a license through API.

    Update license is working properly in our environment.
    See the working video below:
    https://we.tl/t-c8VgPHautg

    For more details read our detailed docs here.

    Thanks

    Thread Starter Stelio Kontos

    (@steliokontos)

    I will test again this morning and let you know as soon as I am at my PC. I have reviewed the docs extensively, and there is no mention of that field being required, nor am I getting an error response when that field is omitted. If it is indeed required, the docs should mention that fact, and I would expect the API to reject that request with the appropriate http status.

    This also does not explain why the Update license request fails for me also.

    Is there any server configuration that I may be missing that would cause PUT and POST method calls to be silently ignored, that may be interfering with the request?

    Thread Starter Stelio Kontos

    (@steliokontos)

    Just tested with the same json fields you have in your video, and no change in behavior for me. See gif:

    View post on imgur.com

    I’m on the latest (released) version, v 2.2.7: https://i.imgur.com/1kKL5rt.png

    Are there any known conflicts with other plugins that may be contributing? Perhaps a cache plugin etc.

    Thread Starter Stelio Kontos

    (@steliokontos)

    While changing the active environment in Postman to test on a bare WP install on my local dev env, it occurred to me that I was not specifically including https:// in the base url portion of the requests. As soon as I added that to the url, both PUT and POST requests worked as expected (with the create License call no longer returning the entire array of licenses).

    While I’m relieved to have finally found the problem, it does appear that sending API calls without the https:// to a site with SSL installed could be exploited to dump all licenses, and I would suggest that your dev team look into this. Note that API routes were disabled for insecure http connections.

    Specifically disabling the v2/licenses route prevents this anomaly, returning a “lmfwc_rest_route_disabled_error” response when attempting to create a license using POST method.

    It appears that the POST method is being blocked due to the API request being made over an insecure connection, but since the “create” and “list licenses” requests both share the same request route, it returns the standard response as if the request method was GET – when in fact, it should abort the request completely with an appropriate http 4XX response code.

    Leaving this thread marked as unresolved for now pending a resolution on the above mentioned vulnerability.

    • This reply was modified 2 years, 3 months ago by Stelio Kontos.
    Thread Starter Stelio Kontos

    (@steliokontos)

    Untested, but modifying line 75 in /includes/api/Authentication.php to the following should force non-ssl requests to fall through to the else condition if ssl is required:

    
    if (is_ssl() || (is_ssl() && Settings::get('lmfwc_disable_api_ssl'))) {
        $userId = $this->performBasicAuthentication();
    }
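
The behaviour requested in the replies above (abort a non-TLS request with an explicit 4XX instead of answering as if it were a "List Licenses" GET) can be enforced before any route callback runs. This is an added example, not part of the thread and not the plugin's own code; it uses WordPress core's `rest_pre_dispatch` filter, and the constant name, error code and `example_allow_insecure_license_api` filter are hypothetical names chosen for illustration:

```php
<?php
/**
 * Added example (not the plugin's code): reject plain-HTTP requests to the
 * license routes with an explicit 4xx, for every HTTP method, before the
 * REST server dispatches to a route callback.
 */

// Route namespace as it appears in the request URLs quoted in this thread.
const EXAMPLE_LICENSE_NAMESPACE = '/lmfwc/v2/';

add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // Another filter has already short-circuited this request.
    if ($result !== null) {
        return $result;
    }

    // Only guard the license manager routes; leave other REST routes alone.
    if (strpos($request->get_route(), EXAMPLE_LICENSE_NAMESPACE) !== 0) {
        return $result;
    }

    // Hypothetical opt-out for local development over plain HTTP.
    // Defaults to false, so TLS is required unless a site explicitly opts out.
    $allowInsecure = (bool) apply_filters('example_allow_insecure_license_api', false);

    if (!is_ssl() && !$allowInsecure) {
        // Returning a WP_Error here stops dispatch: no route callback runs,
        // so a blocked POST or PUT can never be answered with list output.
        return new WP_Error(
            'example_rest_https_required',
            'This API is only available over HTTPS.',
            array('status' => 403)
        );
    }

    return $result;
}, 10, 3);
```

`is_ssl()` reads the server's HTTPS indicators, so a site behind a TLS-terminating proxy needs those set correctly or every request will be rejected.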
    

    @steliokontos

    I will check it and discuss it with my team soon; if there are any issues, I will update this in our plugin's next release.

    Thanks

  • The topic ‘Problem with REST API calls using PUT/POST methods’ is closed to new replies.