Viewing 15 replies - 16 through 30 (of 36 total)
  • Plugin Author Frank

    (@frankspress)

    I think I found the issue.
    Your site is not using pretty permalinks.
    If you go to Settings -> Permalinks you will notice your site is using plain; if you pick another one and save, the issue should be solved.
    Otherwise you can wait till I post an update with the fix.

    Thank you,
    Frank

    Thread Starter Eduardo

    (@eduardoluism)

    Hi Frank,

    I’m already using Permalinks (custom) “/produtos/%product_cat%/”.

    Thank you

    Thread Starter Eduardo

    (@eduardoluism)

    Hello Friend,

    I really like your plugin, can you help find the issue?

    Thank you,

    Best regards,
    Eduardo

    Plugin Author Frank

    (@frankspress)

    Hi, I just released an update,
    let me know if that fixed your issue.
    Frank

    Thread Starter Eduardo

    (@eduardoluism)

    Hi Frank,

    Same error =(

    How can I send you a pvt message with the website link?

    thank you.
    Eduardo

    Plugin Author Frank

    (@frankspress)

    Yes sure, you can use my Website, or send an email to [email protected]

    Thread Starter Eduardo

    (@eduardoluism)

    Hello,

    Updated your plugin, WordPress, theme, etc. The issue remains =(

    Plugin Author Frank

    (@frankspress)

    Ok, I got your email. The issue is the 403 caused by “bad nonce”.
    WP nonce is a value that gets regenerated every 24 hours, I believe. Something (a plugin or maybe a CDN, Cloudflare?) is caching the old nonce. This is a problem because when WP compares the two values the request gets rejected.
    Do you have any caching system in place?

    Thread Starter Eduardo

    (@eduardoluism)

    Hello,

    I tried disabling Cloudflare (dev mode on) and W3 Total Cache. Same error. =(

    Plugin Author Frank

    (@frankspress)

    Hi,
    I checked your product page again and the nonce has been regenerated but it still returns an invalid nonce code.
    Do you have any security plugin activated, or other caching plugins that you think may be the issue? I would suggest going through your activated plugins and checking that, because I believe it might be the root of the problem.

    Thread Starter Eduardo

    (@eduardoluism)

    that did the trick.

    $send_no_cache_headers = apply_filters('rest_send_nocache_headers', is_user_logged_in());
    if (!$send_no_cache_headers && !is_admin() && $_SERVER['REQUEST_METHOD'] == 'POST') {
        $nonce = wp_create_nonce('wp_rest');
        $_SERVER['HTTP_X_WP_NONCE'] = $nonce;
    }

    Any security problem using it?

    Plugin Author Frank

    (@frankspress)

    Yes!
    Registered users and other types of users that are logged in will be subject to CSRF and other attacks. The hack is basically overriding the nonce in the superglobal $_SERVER.
    You can at least replace !is_admin() with !is_user_logged_in(), but again, you might want to find the plugin that is doing the caching.

    Thread Starter Eduardo

    (@eduardoluism)

    Hi Frank!

    Ok. Understood!

    I tried disabling all plugins, didn’t work, same error =(

    Plugin Author Frank

    (@frankspress)

    You can limit the code above to this specific plugin, and if you can’t find a solution to the caching issue you could use this code.

    if ( defined('REST_REQUEST') && strpos( $_SERVER['REQUEST_URI'], 'in-stock-mailer/v1' ) !== false ) {
      $send_no_cache_headers = apply_filters('rest_send_nocache_headers', is_user_logged_in());
      if (!$send_no_cache_headers && !is_user_logged_in() ) {
        $_SERVER['HTTP_X_WP_NONCE'] = wp_create_nonce('wp_rest');
      }
    }

    I haven’t tested the code above, but it should work.
    Let me know.
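
The trade-off discussed in the replies above, as an added stand-alone PHP model that is not code from the thread, the plugin or WordPress core: it shows a nonce baked into a cached page going stale, and what the nonce check is still worth once the server overwrites the header itself, for everyone versus only for visitors who are not logged in. The secret, timestamps, user id, session value and the names `make_nonce`, `verify_nonce` and `handle_post` are assumptions made for the illustration.

```php
<?php
// Simplified stand-alone model of the WordPress nonce check (not core code).
// Assumptions: constructed secret and timestamps, HMAC-SHA256, 12-hour ticks.
const SECRET = 'constructed-demo-salt';
const TICK = 43200; // half of the 24-hour nonce lifetime

function make_nonce(string $action, int $uid, string $session, int $now): string {
    $tick = (int) ceil($now / TICK);
    return substr(hash_hmac('sha256', "$tick|$action|$uid|$session", SECRET), -12, 10);
}

// Accept a nonce minted in the current or the previous tick.
function verify_nonce(string $nonce, string $action, int $uid, string $session, int $now): bool {
    foreach ([$now, $now - TICK] as $t) {
        if (hash_equals(make_nonce($action, $uid, $session, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// $mode: 'off' = normal check, 'always' = header overwritten for everyone,
// 'anonymous' = header overwritten only when nobody is logged in (uid 0).
function handle_post(array $headers, int $uid, string $session, int $now, string $mode): int {
    if ($mode === 'always' || ($mode === 'anonymous' && $uid === 0)) {
        // The server mints the value it is about to verify, so the check cannot fail.
        $headers['X-WP-Nonce'] = make_nonce('wp_rest', $uid, $session, $now);
    }
    $nonce = $headers['X-WP-Nonce'] ?? '';
    return verify_nonce($nonce, 'wp_rest', $uid, $session, $now) ? 200 : 403;
}

$t0 = 1700000000; // constructed timestamp
// Nonce baked into a page that a cache keeps serving to anonymous visitors.
$cached = ['X-WP-Nonce' => make_nonce('wp_rest', 0, '', $t0)];

$cases = [
    'visitor, page cached 1 hour ago'         => handle_post($cached, 0, '', $t0 + 3600, 'off'),
    'visitor, page cached 2 days ago'         => handle_post($cached, 0, '', $t0 + 172800, 'off'),
    'same stale page, anonymous override'     => handle_post($cached, 0, '', $t0 + 172800, 'anonymous'),
    'logged-in user, no nonce, no override'   => handle_post([], 7, 'sess-a', $t0, 'off'),
    'logged-in user, no nonce, override all'  => handle_post([], 7, 'sess-a', $t0, 'always'),
    'logged-in user, no nonce, anon override' => handle_post([], 7, 'sess-a', $t0, 'anonymous'),
];
foreach ($cases as $label => $status) {
    printf("%-42s %d\n", $label, $status);
}
```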

  • The topic ‘user not logged in’ is closed to new replies.