wp-json not giving invalid_application_credentials | WordPress.org

oBusk
(@bulldozzer)

5 years, 4 months ago
So in a setup using both this and https://wordpress.org/plugins/application-passwords/
I’m expecting the filter explained in the documentation of application-passwords (https://github.com/WordPress/application-passwords/blob/0.1.2/readme.txt#L35-L50) to be required to be able to use application-passwords when making requests to /wp-json/. However, the requests are still working and I’m worried that two-factor is not enforced on all requests. The user I’m using has two-factor via email setup, and thus the API should be disabled as far as I can understand. I’m using curl --user "my.user:my app password" https://example.com/wp-json/wp/v2/users/me to test the app passwords.

I added logging to the filter_authenticate method in an attempt to figure out what was happening. The logging is happening when logging in via wp-login but not when making wp-json requests.
- This topic was modified 5 years, 4 months ago by oBusk.
- This topic was modified 5 years, 4 months ago by oBusk. Reason: bad quote

The topic ‘wp-json not giving invalid_application_credentials’ is closed to new replies.

Tags

0 replies
1 participant
Last reply from: oBusk
Last activity: 5 years, 4 months ago
Status: not resolved