as I wrote, I havnt changed any settings. And RESTful WordPress API is enabled.
http://gymdrama.dk/?rest_route=/
Still Jetpack says there is an error – an error that is resolved as soon as I disable AAM
@johannesdb,
I found the root cause. It is in the way Jetpack implements the check on if RESTful API is enabled:
/**
* Checks if REST API is enabled.
*
* @since 4.4.2
*
* @return bool
*/
function is_rest_api_enabled()
{
return
/** This filter is documented in wp-includes/rest-api/class-wp-rest-server.php */
apply_filters('rest_enabled', true) &&
/** This filter is documented in wp-includes/rest-api/class-wp-rest-server.php */
apply_filters('rest_jsonp_enabled', true) &&
/** This filter is documented in wp-includes/rest-api/class-wp-rest-server.php */
apply_filters('rest_authentication_errors', true);
}
I would argue that this is a correct way to check.
AAM disabled rest_authentication_errors hook to allow JWT authentication. My best guess that you are not using it, so you can disable “JWT Tokens” service on the AAM page under Settings Area.
Regards,
Vasyl
Cool! Thanks for the fix. I will try that at once 🙂
You are a boss Vasyl Martyniuk !!
frankly I was starting to despair !
Thank you 🙂
That worked perfectly. Wish AAM had mentioned in their documentation there would be a conflict.
Thanks.
I’m having this same problem. Luckily, I don’t need Jetpack as much as AAM, so I just disabled Jetpack to avoid mokeying around with settings and risk opening a can of worms. But in general, it just doesn’t feel good when plugins conflict each other.
Howdy! Jetpack developer here. I’m looking at AAM’s usage of the rest_authentication_errors with JWT tokens.
* Is the intent that, with this setting enabled in AAM, that only JWT tokens can be used to authenticate the REST API?
* Is this enabled by default with AAM? If so, any way to make it optional?
* I haven’t checked, but would this interfere with the block editor? It utilizes the REST API, but I’m not sure if WordPress whitelists itself. That doesn’t matter to Jetpack, but just curious.
For the rest_authentication_errors filter, the intention of the filter is to work with other authentication methods—ensure they are being used—before returning a result.
With AAM, my understanding is instead of returning false, it could hook into that filter and passthrough the value of the filter or return true/WP_Error if that method is being used and passes/fails per https://developer.wordpress.org/reference/hooks/rest_authentication_errors/
Thanks!
@kraftbj,
Great questions and the reasoning behind AAM hijacking the rest_authentication_errors hook is because of WordPress core rest_cookie_check_errors function.
If you look in its implementation, you might notice these lines of code:
// Determine if there is a nonce.
$nonce = null;
if ( isset( $_REQUEST['_wpnonce'] ) ) {
$nonce = $_REQUEST['_wpnonce'];
} elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
$nonce = $_SERVER['HTTP_X_WP_NONCE'];
}
if ( null === $nonce ) {
// No nonce at all, so act as if it's an unauthenticated request.
wp_set_current_user( 0 );
return true;
}
It basically forces any third-party plugin to send Nonce which might not possible if an authentication request is initiated from an application that is outside of WordPress website instance.
Can you please explain why it is important for Jetpack to include check for rest_authentication_errors in this code:
function is_rest_api_enabled()
{
return
/** This filter is documented in wp-includes/rest-api/class-wp-rest-server.php */
apply_filters('rest_enabled', true) &&
/** This filter is documented in wp-includes/rest-api/class-wp-rest-server.php */
apply_filters('rest_jsonp_enabled', true) &&
/** This filter is documented in wp-includes/rest-api/class-wp-rest-server.php */
apply_filters('rest_authentication_errors', true);
}
My best guess is that any RESTful API request to Jetpack has to be authenticated. Is that correct?
Thank you for quality conversation.
Vasyl
Can you please explain why it is important for Jetpack to include check for rest_authentication_errors in this code:
The intent there is our settings dashboard is a React app that is fully REST API driven and we were running into support situations where site owners had disabled/broken the REST API in some way or another, but not realizing it until attempting to manage Jetpack. We use the is_rest_api_enabled function in a couple of places to load a fallback (versus a broken app) and to display the message.
The hope is that the message can help site owners self-resolve (why is the REST API not enabled?).
The vast majority, if not all, of endpoints do require authentication
With your usage, is the intent that when enabled, only JWT can be used to authenticate to the REST API? I’m trying to think of the best way to support AAM’s usage of JWT and Jetpack’s REST API usage within wp-admin. Would it be possible to do something like:
add_filter( 'rest_authentication_errors', 'example', 101 );
function example( $result ) {
if ( true === $result && ! is_user_logged_in() ) {
{{insert whatever you need here, return false or doing your own auth error creation here}}
return $result;
}
In that case, you would check for a true response from the rest_cookie_check_errors and if so while still logged out, it would be the no-nonce example that core provided.
Now that I type all of that, Jetpack’s check could look for a WP_Error instead, which is likely more inline with what is expected there. It doesn’t look like the filter expects false to be a returned value.
Hope all is going well for you!
@kraftbj,
Your solution might actually work pretty well. Thinking more about this, I must admit that AAM was kinda “selfish” here and hijacked this filter pretty badly.
I’m going to rethink this implementation to be compatible with other plugins that might have a similar implementation that Jetpack has.
I’ve already opened an issue report in our repo and fix is coming soon https://github.com/aamplugin/advanced-access-manager/issues/25.
Thank you sir for quality conversation.
Regards,
Vasyl
