How can cookie/session authentication be used in wp-json fetch request?

admin2025-06-02  2

I've written a /wp-json path like:

add_action( 'rest_api_init', function () {
  register_rest_route( 'myplugin', 'foo', array(
    'methods' => 'GET',
    'callback' => function( $data ) {
      // if (!is_user_logged_in()) {
      //   return array();
      // }
      return array('dummy_data');
    }
  ) );
} );

I can retrieve the data using the es6-style fetch api like:

fetch('/wp-json/myplugin/foo', {credentials: 'include'})
  .then(res => res.json())
  .then(data => console.log(data))

This works dandy.

However, if I un-comment the if (!is_user_logged_in())... check, it never passes. I send the Cookie header in this request, but wordpress doesn't seem to do cookie/session-style authentication and is_user_logged_in() is never true.

I know that there is the nonce mechanism, but this API will only ever be fetched from the wordpress site and I want to use the cookie/session mechanism.

How can I authenticate the user against their server session when the request is coming from the fetch or xhr API javascript mechanism?

asked Jan 1, 2019 at 22:27 by Ross Rogers (edited Jan 1, 2019 at 22:28)
  • 1 See the relevant section of the docs: developer.wordpress/rest-api/using-the-rest-api/… – Jacob Peattie Commented Jan 2, 2019 at 2:15
  • @JacobPeattie That's why I mentioned nonces. Can you do it without nonces? – Ross Rogers Commented Jan 2, 2019 at 3:02
  • The nonce tells the api to use cookies. Please read the docs. – Jacob Peattie Commented Jan 2, 2019 at 3:47
1 Answer

After reading more, thanks to Jacob's link and more googling, it turns out that wordpress "nonces" aren't actually nonces. Nonces are to be used once, but wordpress "nonces" are allowed to be used an unlimited number of times for 2 "ticks", which normally means between 12 and 24 hours. These wordpress "nonces" are actually tied to a session and hence give me exactly what I want, since I can reuse the wordpress "nonce" for a period of time.
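Added example (not part of the original question or answer): a fetch wrapper for the point made in the comments, that the REST API only honours the login cookie when a valid `wp_rest` nonce accompanies the request, sent here in the `X-WP-Nonce` header. The `settings` object with `root` and `nonce` is an assumption: it stands for values the server prints into the page, with the nonce created by `wp_create_nonce( 'wp_rest' )`. The helper names and sample values are constructed for illustration.

```javascript
// Build a REST request that carries the login cookie plus the wp_rest nonce.
// Assumes settings.root ends in "/wp-json/" (pretty permalinks enabled).
function buildRestRequest(path, settings, pageOrigin) {
  const url = new URL(path.replace(/^\/+/, ''), settings.root);
  // The nonce authorises state-changing calls as the logged-in user, so it
  // must never be attached to a request that leaves the site's own origin.
  if (url.origin !== pageOrigin) {
    throw new Error('refusing to send REST nonce to ' + url.origin);
  }
  return {
    url: url.href,
    init: {
      method: 'GET',
      credentials: 'same-origin', // send the WordPress login cookie
      headers: { 'X-WP-Nonce': settings.nonce, Accept: 'application/json' },
    },
  };
}

// Perform the request. fetchImpl is injectable so the logic can be tested.
async function restGet(path, settings, pageOrigin, fetchImpl = fetch) {
  const { url, init } = buildRestRequest(path, settings, pageOrigin);
  const res = await fetchImpl(url, init);
  const body = await res.json();
  if (!res.ok) {
    const err = new Error(body.code || 'HTTP ' + res.status);
    // WordPress answers 403 rest_cookie_invalid_nonce when the nonce has
    // expired or belongs to another session; the page needs a fresh one.
    err.nonceRejected =
      res.status === 403 && body.code === 'rest_cookie_invalid_nonce';
    throw err;
  }
  return body;
}

// Constructed sample values; a real page receives these from the server.
const sampleSettings = {
  root: 'https://example.test/wp-json/',
  nonce: 'constructed-nonce',
};
const sample = buildRestRequest(
  '/myplugin/foo', sampleSettings, 'https://example.test');
console.log(sample.url, sample.init.headers);
```

With the header present, the commented-out `is_user_logged_in()` check in the route callback sees the cookie's user; without it, WordPress processes the request as logged out.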
