I am new to wp-api.
I did install it and I am able to make some GET requests to retrieve content from my blog.
My question is very naive: can anyone send some DELETE/UPDATE REST requests to modify/delete my posts, or must users be authenticated first to do that?
In other terms, can I use the wp-api as it is without any security considerations?
If you are referring to WordPress REST API version 2.7 or above, you can't call PUT, PATCH, DELETE without being authenticated.
Here's more detail about the authentication: https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/
You may also try to use Postman to issue a PUT call to your API endpoint. You will get a response like the one pasted below if you did not log in.
{
"code": "rest_cannot_edit",
"message": "Sorry, you are not allowed to edit this post.",
"data": {
"status": 401
}
}
I have a problem with requesting a REST API endpoint via Postman;
the request is:
http://localhost/word-test/wordpress/wp-json/metaslider/v1/slideshow/all
and response is:
{
"code": "rest_forbidden",
"message": "Sorry, you are not allowed to do that.",
"data": {
"status": 401
}
}
If I request:
http://localhost/word-test/wordpress/wp-json/wp/v2/posts/
Then everything works properly.
The problem was found after I installed https://wordpress.org/plugins/disable-json-api/ ... Things I've tried:
Enable or disable the metaslider links "wp-json/metaslider/v1/slideshow/all" in the "Disable Rest API" plugin for authenticated and unauthenticated users.
Delete or deactivate the whole plugin.
Any clue, please?
Note: I am using localhost links here to explain my problem but I have the same issue in a real site
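Both threads above come down to the same WordPress mechanism: every REST route carries a permission_callback, and it is that callback, not the HTTP verb, that decides whether an anonymous caller may write. The following is an added example (not code from either question, and not WordPress or MetaSlider code) of a custom route that gates DELETE the way core routes do; the namespace "myplugin/v1", the route and the function names are made up for the example. Core's own check is what produces the "rest_cannot_edit"/401 body in the first answer, and a plugin endpoint answering "rest_forbidden" with 401, as in the second question, is consistent with such a callback rejecting an unauthenticated user (an assumption about that plugin, not something the page confirms).

```php
<?php
// Added example: a custom REST route whose DELETE handler is protected by a
// permission_callback. Without one (or with '__return_true') the endpoint
// would accept unauthenticated DELETE requests.

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/posts/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'myplugin_delete_post',
        // Runs before the callback; returning WP_Error stops the request.
        'permission_callback' => 'myplugin_can_delete_post',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $param ) {
                    return is_numeric( $param );
                },
            ),
        ),
    ) );
} );

/**
 * Permission check: the caller must be logged in and hold the delete_post
 * capability on this specific post.
 *
 * rest_authorization_required_code() returns 401 for anonymous callers and
 * 403 for logged-in users without the capability.
 */
function myplugin_can_delete_post( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];

    if ( ! is_user_logged_in() || ! current_user_can( 'delete_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/** Handler: only reached after the permission callback returned true. */
function myplugin_delete_post( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];

    if ( ! get_post( $post_id ) ) {
        return new WP_Error( 'rest_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
    }

    // Second argument forces a permanent delete instead of moving to trash.
    if ( ! wp_delete_post( $post_id, true ) ) {
        return new WP_Error( 'rest_cannot_delete', __( 'The post cannot be deleted.' ), array( 'status' => 500 ) );
    }

    return rest_ensure_response( array( 'deleted' => true, 'id' => $post_id ) );
}
```

An unauthenticated `DELETE /wp-json/myplugin/v1/posts/42` against a site with this code returns the `rest_forbidden` body with status 401; the same request with a valid cookie plus nonce, application password or another supported authentication scheme from an account that may delete post 42 reaches the handler.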
My client wants me to fetch all the feeds from his LinkedIn organization. I tried using their Marketing Developer Platform and got the permissions. But when I tried to fetch the feeds using the URN id, I got responses like
Request: https://api.linkedin.com/v2/ugcPosts/urn%3Ali%3AugcPost%3A1234
Response :
{
"message": "com.linkedin.content.common.ResponseException: ",
"status": 404
}
I am a little bit confused about this response. Can someone help me in sorting this out?
I think your {URN} is incorrect. The correct format is urn:li:organization:{id}
I have an application with restricted access to the whole site, except for login and password recovery.
I'm trying to add open graph meta tags to the login view with data based on the referer address. To do that, I use the \Symfony\Component\Security\Http\Util\TargetPathTrait in the login action like this:
<?php
// 'main' is the firewall name; the target path was stored in the session under it
$referer = $this->getTargetPath($request->getSession(), 'main');
Locally, I use the Open Graph Preview Chrome add-on, and it works perfectly. As an anonymous user, I try to access a page, and I am then redirected to the login page. Here $referer is not null and I can retrieve the data I need to generate meta tags.
Now on the test environment on my production server, with the Open Graph Chrome add-on, it is still working. Sharing a link through Telegram, the preview is displayed as expected. But when I share the same link through Facebook Messenger, I don't get what I want.
Edit: doesn't work with Discord and WhatsApp either.
I've made some tests with the Facebook debugger; it appears that $referer is null and I don't understand why. It looks like Symfony access control has a particular behavior when a Facebook service tries to see a page, as no session data seems to be managed by the Symfony security components.
The login feature of the application is quite simple as it follows the basic steps described in the Symfony documentation.
Does anyone have a clue on what I can do to fix that? Meanwhile, I'm trying to find a workaround with Symfony events.
EDIT 1: I reproduced the issue locally, with a cURL request. In that case it appears no session is handled. The \Symfony\Component\Security\Http\Util\TargetPathTrait::getTargetPath method is useless as Symfony stores the target path in the session.
So now, when an anonymous user tries to request a restricted URL, I add the referer as a GET parameter to the redirect login URL.
Cool thing, now the preview works perfectly on Discord and WhatsApp and still works on Telegram.
Sadly, it still doesn't work on Facebook's apps (Messenger and Facebook posts).
So, I took a look at the Facebook debugger tool. And here comes the strange thing: the redirect URL requested by the FB service is different from the one my application normally gives.
Expected URL: https://domain.ext/login?referer=https://domain.ext/referer/path
URL requested by FB: https://domain.ext/login?randomCoherentParamName=intValue
The odd thing is that 'randomCoherentParamName' corresponds to a route parameter from the referer URL.
Here is how I generate the redirect URL:
<?php
// From a class that extends
// Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator
/**
 * Override to control what happens when the user hits a secure page
 * but isn't logged in yet.
 *
 * @return RedirectResponse
 */
public function start(Request $request, AuthenticationException $authException = null)
{
    // Carry the originally requested URI in the query string so the login
    // page can read it back without depending on session storage.
    $url = $this->urlGenerator->generate('loginRoute', ['referer' => $request->getUri()]);
    return new RedirectResponse($url);
}
If anyone has a clue about what's going on, I will appreciate any advice :).
EDIT 2: It seems the FB service uses a canonical URL to access the login page when redirected. The problem is I never set the canonical address meta tag on any page of my website. So, I'm wondering how that is possible...
Anyway, I think I've got a solution to bypass this problem; I'll share it if it works, but I really want to understand how the FB service works and identify how it is able to get a canonical URL I've never set... Apache fault? Symfony fault? My fault? Or is it related to the Facebook crawler?
Any comment will be appreciated :)
Problem solved!
The Facebook issue was totally my fault, actually, and a bit because of the FB service. Let me explain.
When the FB service requests a shared URL, it parses the response to find open graph meta tags. During response parsing, if the service detects a url open graph meta tag, it requests that URL and uses the parsed data from that response to generate the preview. This behavior seems to be specific to Facebook, as I didn't have any issue with Discord, WhatsApp and Telegram (and Telegram handles the session when it retrieves data from a URL).
Now, what did I do wrong? Actually, my login page has a url open graph meta tag, and, well... I didn't generate the right URL as its value...
Thanks for your attention :)
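The resolution above has two practical consequences for the login action: the og:url it emits must be the login URL the scraper was actually given (referer included), and the referer now arrives as a query parameter that anyone can set, so it should only be trusted when it points back at the application. The code below is an added example written for this thread, not the author's own login action; the route name, the template name and the og:* field choices are assumptions, and the exact og:url value the author ended up using is not on the page.

```php
<?php
// Added example: reading the "referer" query parameter set by start() above,
// accepting it only when it is same-origin, and building og:* tags whose
// og:url points back at this very login URL.

use Symfony\Component\HttpFoundation\Request;

/**
 * Returns the referer URL if it belongs to this host, null otherwise.
 * A strict same-origin check matters because og:url is followed by the
 * Facebook scraper; without it, og:url and og:title would reflect any
 * URL a visitor chose to put in the query string.
 */
function trustedReferer(Request $request): ?string
{
    $referer = $request->query->get('referer');
    if (!is_string($referer) || $referer === '') {
        return null;
    }

    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Compare scheme, host and (optional) port with the current request.
    $expected   = parse_url($request->getSchemeAndHttpHost());
    $sameOrigin = strcasecmp($parts['scheme'], $expected['scheme']) === 0
        && strcasecmp($parts['host'], $expected['host']) === 0
        && ($parts['port'] ?? null) === ($expected['port'] ?? null);

    return $sameOrigin ? $referer : null;
}

/**
 * Builds the og:* tags for the login page. og:url is the login URL itself,
 * referer preserved, so a scraper that follows og:url lands on the same
 * page it was given rather than on a bare /login with no referer.
 */
function openGraphTags(Request $request, ?string $referer): array
{
    // getUriForPath() includes scheme, host and base URL of the current request.
    $loginUrl = $request->getUriForPath($request->getPathInfo());
    if ($referer !== null) {
        $loginUrl .= '?' . http_build_query(['referer' => $referer]);
    }

    return [
        'og:type'  => 'website',
        'og:url'   => $loginUrl,
        'og:title' => $referer !== null
            ? 'Sign in to view ' . (parse_url($referer, PHP_URL_PATH) ?: '/')
            : 'Sign in',
    ];
}

// Assumed controller action wiring (route and template names are made up):
// public function login(Request $request): Response
// {
//     $tags = openGraphTags($request, trustedReferer($request));
//     return $this->render('security/login.html.twig', ['og' => $tags]);
// }
```

With this in place, a referer of https://domain.ext/referer/path yields og:url https://domain.ext/login?referer=https%3A%2F%2Fdomain.ext%2Freferer%2Fpath, while a referer on another host is dropped and the page falls back to a generic title.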
Time to go to SE, since this has cost me more than 4 hours now.
I'm trying to set up a webhook (https://app.example.com/notications) for push notifications coming from the Google Drive API.
After having set up everything I'm getting this error:
...
errors": [
{
"domain": "global",
"reason": "push.webhookUrlUnauthorized",
"message": "Unauthorized WebHook callback channel: https://app.example.com"
}
],
...
There are a couple of results on Google (most of which are here on SE) that talk about this issue. None of the solutions presented seem to work for me. Needless to say, I would be pretty much tearing my hair out if I had some.
This is what I've tried:
As explained here there are some requirements:
Step 1: Verify that you own the domain. (Complete the site verification process using Webmaster Tools.)
Registered app.example.com through Webmaster Tools. Separately also verified example.com, although this should not matter. Check!
Step 2: Register your domain:
Go to the Google Developers Console.
Choose or create a project.
In the sidebar on the left, click APIs & auth, then click Push.
Click Add domains.
Fill in the form, then again click Add domains.
Done for app.example.com. Check!
Note that the Drive API will be able to send notifications to this HTTPS address only if there is a valid SSL certificate installed on your web server. Invalid certificates include:
Self-signed certificates.
Certificates signed by an untrusted source.
Certificates that have been revoked.
Certificates that have a subject that doesn't match the target hostname.
What I've done:
I've set up app.example.com with an SSL certificate.
Moreover the endpoint is reachable and everything checks out.
An SSL checker has verified that everything is okay (5 ticks). Even the SSL chain is set up correctly. Check!
Constructing a POST query
to the simple https://www.googleapis.com/drive/v2/changes/watch endpoint
containing an Authorization: Bearer x header
containing a Content-Type: application/json header
The POST contains a body as follows:
{
"id": "someIdThatDoesntMatter",
"type":"web_hook",
"address": "https://app.example.com/notifications"
}
Check!
I'm running all this through Postman (a Chrome extension to test HTTP requests) so there's no app on my side that can be interfering.
What on earth could be the problem?
It was very weird but somehow it works.
When adding the domain, use the complete URL: https://app.example.com/notifications
Try the complete URL with a trailing slash when making the calendar API call:
{
"id": "someIdThatDoesntMatter",
"type":"web_hook",
"address": "https://app.example.com/notifications/"
}
Step 4's POST body address: "https://app.captured.io/notifications" should be "https://app.example.com/notications". Or the other way around. Either way, they should all match so we can understand whether that's merely a typo in your post or truly the answer to your question. :)
Oh; and in "https://app.example.com/notications", "notications" is misspelled. It should be: "https://app.example.com/notifications". ... Or the other way around if that's your thing :)
It's also worth noting, per their documentation:
A watch request will not be successful unless the current user or service account owns or has permission to access this resource.
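Once the watch call is accepted, the other half of the setup is the endpoint itself: Google delivers each notification as a POST carrying X-Goog-* headers, and nothing stops anyone else from POSTing to the same public URL. The watch body accepts an optional "token" string that Google echoes back in the X-Goog-Channel-Token header; checking it against the token stored when the channel was created is how a receiver tells its own channels' notifications from stray requests. The body in the question does not set a token, so the code below is an added example (not the question's code and not Google's), with the channel store, the token value and the sample headers constructed for illustration.

```php
<?php
// Added example: validating an incoming Drive push notification by channel id,
// channel token and resource state before acting on it.

/** Channels this app created, keyed by channel id (in-memory stand-in for a database). */
function knownChannels(): array
{
    return [
        'someIdThatDoesntMatter' => [
            // Constructed value; in practice a random secret stored with the channel.
            'token' => 'constructed-secret-token-for-this-channel',
        ],
    ];
}

/**
 * Validates one incoming notification. $headers uses lowercase header names.
 * Returns ['ok' => bool, 'status' => int, 'reason' => string].
 */
function validateNotification(array $headers, array $channels): array
{
    $channelId = $headers['x-goog-channel-id'] ?? '';
    $token     = $headers['x-goog-channel-token'] ?? '';
    $state     = $headers['x-goog-resource-state'] ?? '';

    if ($channelId === '' || !isset($channels[$channelId])) {
        return ['ok' => false, 'status' => 404, 'reason' => 'unknown channel'];
    }

    // Constant-time comparison so the token check does not leak timing information.
    if (!hash_equals($channels[$channelId]['token'], $token)) {
        return ['ok' => false, 'status' => 403, 'reason' => 'bad channel token'];
    }

    // "sync" is the first message after the channel is created; the others
    // describe what happened to the watched resource.
    $allowed = ['sync', 'change', 'add', 'remove', 'update', 'trash', 'untrash'];
    if (!in_array($state, $allowed, true)) {
        return ['ok' => false, 'status' => 400, 'reason' => 'unexpected resource state'];
    }

    return ['ok' => true, 'status' => 200, 'reason' => $state];
}

// When served by a web server: collect the X-Goog-* headers from $_SERVER.
if (PHP_SAPI !== 'cli') {
    $headers = [];
    foreach ($_SERVER as $key => $value) {
        if (strpos($key, 'HTTP_X_GOOG_') === 0) {
            // HTTP_X_GOOG_CHANNEL_ID -> x-goog-channel-id
            $headers[strtolower(str_replace('_', '-', substr($key, 5)))] = $value;
        }
    }
    $result = validateNotification($headers, knownChannels());
    http_response_code($result['status']);
    exit; // reply with an empty body; a 2xx acknowledges the notification
}

// Constructed sample notification for running from the command line.
$sample = [
    'x-goog-channel-id'     => 'someIdThatDoesntMatter',
    'x-goog-channel-token'  => 'constructed-secret-token-for-this-channel',
    'x-goog-resource-state' => 'sync',
    'x-goog-resource-id'    => 'constructed-resource-id',
];
print_r(validateNotification($sample, knownChannels()));
```

Run from the command line the sample passes with reason "sync"; change the token in `$sample` and the result becomes 403 "bad channel token", which is the behaviour the public endpoint should show to anything that is not one of its own channels.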
I keep getting the following error when I try to test one of my pages with Graph API Explorer:
{
"error": {
"message": "(#3502) Object at URL https://example.com/place/123456-Something has og:type of 'website'. The property 'bar' requires an object of og:type 'example:bar'. (http response code: 401)",
"type": "OAuthException",
"code": 3502
}
}
The problem is that this page is behind HTTP Basic Authentication and it returns 401 Unauthorized even if I pass proper credentials to authenticate for this page. I can't believe it but it seems to me that Graph API Explorer does not support HTTP Basic Authentication. Has anyone had this issue before and does anyone know how to force Graph API Explorer to authenticate?
If the scraper (https://developers.facebook.com/tools/debug) cannot reach your page then it's not possible.
Open Graph pages must be public and reachable.
Using self-hosted objects requires that you host them as pages on your own webserver and all self-hosted objects are public.
https://developers.facebook.com/docs/opengraph/using-objects/
You can either punch a hole in basic auth via user agent (not secure, since that is trivial to spoof) or via Facebook's published list of crawler IP addresses.
I've written a quick PHP script here to generate an htaccess that includes simple auth and those IPs. FB says they shift the crawler IPs, so you'd want to cron that script to regenerate the htaccess every so often.
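The answer's script is not shown on the page, so here is an added example of the same idea written for this thread: a PHP generator for an Apache 2.4 .htaccess fragment in which a request passes if it either presents valid Basic Auth credentials or comes from one of the listed IP ranges. The CIDR ranges in the sample are constructed placeholders, not Facebook's crawler ranges; the real list comes from Facebook's published source and, as the answer notes, changes over time, which is why the file should be regenerated on a schedule rather than edited by hand. The function names and the htpasswd path are assumptions.

```php
<?php
// Added example: emit an Apache 2.4 access-control fragment that accepts
// either a Basic Auth user or a request from a whitelisted IP range.
// Matching on IP rather than User-Agent avoids the spoofing problem the
// answer mentions.

/** Accept only well-formed IPv4/IPv6 addresses or CIDR ranges. */
function isValidCidr(string $entry): bool
{
    $parts = explode('/', $entry, 2);
    if (filter_var($parts[0], FILTER_VALIDATE_IP) === false) {
        return false;
    }
    if (count($parts) === 1) {
        return true; // single address, no prefix length
    }
    $maxBits = strpos($parts[0], ':') !== false ? 128 : 32;
    return ctype_digit($parts[1]) && (int) $parts[1] <= $maxBits;
}

/**
 * Build the .htaccess text. In Apache 2.4, <RequireAny> grants access when
 * any one of the enclosed Require lines succeeds, so "valid-user" and the
 * "ip" entries form an OR.
 */
function buildHtaccess(array $cidrs, string $htpasswdPath, string $realm = 'Restricted'): string
{
    $clean = array_values(array_filter($cidrs, 'isValidCidr'));
    if (count($clean) !== count($cidrs)) {
        // Refuse to write a file from a list containing garbage, since a
        // malformed Require line makes Apache reject the whole .htaccess.
        throw new InvalidArgumentException('rejected malformed IP range(s)');
    }

    $lines = [
        'AuthType Basic',
        'AuthName "' . addslashes($realm) . '"',
        'AuthUserFile ' . $htpasswdPath,
        '<RequireAny>',
        '    Require valid-user',
    ];
    // A few ranges per "Require ip" line keeps the generated file readable.
    foreach (array_chunk($clean, 4) as $chunk) {
        $lines[] = '    Require ip ' . implode(' ', $chunk);
    }
    $lines[] = '</RequireAny>';

    return implode("\n", $lines) . "\n";
}

// Constructed sample ranges (RFC 5737 / RFC 3849 documentation prefixes);
// replace with the published crawler list when regenerating from cron.
$sampleRanges = ['192.0.2.0/24', '198.51.100.0/24', '2001:db8::/32'];
echo buildHtaccess($sampleRanges, '/var/www/.htpasswd', 'Staging');
```

Running the script prints the fragment; a cron job would write that output over the site's .htaccess after fetching the current range list, and because the Basic Auth requirement stays in place for every address outside the list, a stale list only means the scraper is locked out until the next refresh, never that the site is opened up.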