|
Shaun Anderson
|
January 7, 2018 at 1:53 am
Hello,
I’m trying to follow the instructions here: https://github.com/eventespresso/event-espresso-core/blob/master/docs/T–Tutorials/using-oauth-client-with-wp-api-oauth.md
I can follow up to step 8, but at this point, when I try to authenticate, I get the following error:
Received HTTP status code [401] with message ” OAuth signature does not match” when getting temporary credentials.
I’m confused by the statement: This step won’t work if you have Basic Auth or the current version of Event Espresso 4 active.
I don’t have the Basic Auth plugin installed, but I do have the latest version of EE4 installed. How do I remove the components that are clashing with oAUTH to enable it to work?
Thanks
Shaun
|
|
Shaun Anderson
|
January 7, 2018 at 8:29 pm
Other questions: is the oAuth authentication mainly meant for other wordpress sites external to the one with Event Espresso installed? Are there still security issues with using basic authentication on the same wordpress installation as the API you wish to connect to?
|
|
Michael Nelson
|
January 8, 2018 at 1:42 pm
Hi Shaun, I’m a bit happy someone has read that tutorial!
I wrote that just to document how I got it working while playing around with that oAuth plugin. Currently, like you pointed out, EE4 conflicts with it and it hasn’t been identified as a priority to resolve that conflict.
> How do I remove the components that are clashing with oAUTH to enable it to work?
You can try hacking the EE4 code to disable our version of Basic Auth and see if that fixes the issue. The code to change is in /core/EE_System.core.php, in the method load_espresso_addons(). Comment out the line include_once EE_THIRD_PARTY . 'wp-api-basic-auth' . DS . 'basic-auth.php';
If that fixes the issue for you, we should probably add a filter to make that easier.
> is the oAuth authentication mainly meant for other wordpress sites external to the one with Event Espresso installed?
Yes, it’s primarily meant for allowing an app or external website to access a different site on a user’s behalf. PHP code on your site shouldn’t bother using oAuth (or the REST API, for that matter) in order to access its own data (that’s a bit like mailing a letter to yourself). Javascript code should use cookie authentication.
> Are there still security issues with using basic authentication on the same wordpress installation as the API you wish to connect to?
If you really want to use the REST API to access information on your same server (I don’t know why you would, like stated previously), I think there are the same security issues. Specifically, if you’re using Basic Auth to send a REST API request over HTTP (not HTTPS), your username and password are attached to the request being sent, and router/server who handles the request can read them (and possibly log them). If you know the HTTP request won’t touch another server, and you know the request won’t get logged, then I suppose that concern is mitigated… I guess… still, use HTTPS with Basic Auth.
But really all this oAuth and Basic Auth stuff is mostly outside Event Espresso anyway. If you have more questions about using the oAUth plugin try their GitHub issue tracker. If you have questions about Basic Auth, you can its original GitHub repo or our fork of it.
|
|
Michael Nelson
|
January 8, 2018 at 1:54 pm
@joshfeck mentioned to me you could disable our Basic Auth functionality with the following:
function disable_ee_basic_auth() {
remove_filter('determine_current_user', 'json_basic_auth_handler', 20);
}
add_action('plugins_loaded','disable_ee_basic_auth', 2);
It may just be a bit tricky making sure you remove the filter at the correct time- after it’s added during ‘plugins_loaded’ priority 1, but before it’s used (I forget exactly where it gets used). If that works for you great; otherwise try hacking EE core like I suggested and then we can look into making that easier to do in a future update.
-
This reply was modified 6 years, 3 months ago by
 Michael Nelson. Reason: looked ugly
|
