How does REST API cookie authentication work in WP 4.7?

It looks like you’re missing the nonce part, as explained in the Authentication chapter, in the REST API Handbook:

Cookie authentication is the basic authentication method included with
WordPress. When you log in to your dashboard, this sets up the cookies
correctly for you, so plugin and theme developers need only to have a
logged-in user.

However, the REST API includes a technique called nonces to avoid CSRF
issues. This prevents other sites from forcing you to perform actions
without explicitly intending to do so. This requires slightly special
handling for the API.

For developers using the built-in Javascript API, this is handled
automatically for you. This is the recommended way to use the API for
plugins and themes. Custom data models can extend wp.api.models.Base
to ensure this is sent correctly for any custom requests.

For developers making manual Ajax requests, the nonce will need to be
passed with each request. The API uses nonces with the action set to
wp_rest. These can then be passed to the API via the _wpnonce data
parameter (either POST data or in the query for GET requests), or via
the X-WP-Nonce header.

Based on the Backbone JavaScript Client chapter, we can use the core wp-api REST API Backbone client library.

Here’s your modified snippet in a /js/test.js script file in the current theme directory:

wp.api.loadPromise.done( function() {

  // Create a new post
  var post = new wp.api.models.Post(
      {
        title: 'Posted via REST API',
        content: 'Lorem Ipsum ... ',
        status: 'draft',  // 'draft' is default, 'publish' to publish it
    }
  );

  var xhr = post.save( null, {
     success: function(model, response, options) {
       console.log(response);
     },
     error: function(model, response, options) {
       console.log(response);
     }
   });

});

where we enqueue the wp-api client library and our test script with:

add_action( 'wp_enqueue_scripts', function()
{
    wp_enqueue_script( 'wp-api' );
    wp_enqueue_script( 'test_script', get_theme_file_uri( '/js/test.js' ), [ 'wp-api' ] );

} );

within functions.php file in the current theme.

Note that this test script just creates a new post draft, during each page load on the front-end, for a logged in user with the capability to create new posts.

Related Posts:

  1. Setting cookies in WP REST API requests
  2. PHP – setcookie(); not working
  3. How to share cookies and sessions between domain and subdomain?
  4. Using Backbone with the WordPress AJAX API
  5. Why does it say: ‘Cookies are blocked or not supported’?
  6. How to detect a user that is not logged in
  7. How to change cookie name
  8. Using wp_set_auth_cookie for custom user account system
  9. WP_Http_Cookie destroys cookie value through urldecode()
  10. Using the REST API (v2) javascript client on a private namespaced route
  11. Get restrict content by submitting Gravity Forms
  12. Website Loads Twice Unnecessarily
  13. Do I use cookies?
  14. How to transition cookies from .subdomain.domain.com to .domain.com with minimal impact on users?
  15. Hide/Show content based on cookie
  16. ERROR: Cookies are blocked or not supported by your browser
  17. What is cookie “U” from domain “.adsymptotic.com” found on the WordPress page? [closed]
  18. Rest API authentication issue when called from fetch request in bundle.js
  19. Serving Cookies From A Different Domain or Sub-Domain
  20. How to fix samesite attribute in wordpress for chrome errors?
  21. Secure wordpress_logged_in cookie
  22. Add custom post type to Backbone collections
  23. Show greetings on first time visitors?
  24. Unset a Cookie on Successful Gravity Forms form Submission [closed]
  25. Why wordpress cookies name contains HASH
  26. Cookie only detected when visitor is logged in
  27. Change the user is logged in cookie name
  28. Disconnect automattically after X minutes
  29. background/font size change and remember
  30. WordPress cookies
  31. How to save generated JWT token to cookies on login?
  32. Use the backbone.js client to save custom post type meta
  33. Block google maps from loading until user agrees to cookies with Elementor
  34. Accessing user Meta data via REST and backbone
  35. Need help setting cookies with multiple value [closed]
  36. Setting/unsetting terms using the Backbone JavaScript client
  37. Enable WordPress to share cookies between domain.com and sub.domain.com
  38. Setting Cookies
  39. How I can share cookies from my dimain to subdomain?
  40. WordPress authentication cookie and ajax calls
  41. COOKIE_ID with username appended
  42. Setting Cookies For Form Autofill
  43. What are your thoughts on overriding the PHP builtin setcookie() function to control whether or not WP creates cookies
  44. How to make use of Transient API as cookie
  45. Accept or deny cookies – how to?
  46. How to set a Cookie-Free Domain with WordPress?
  47. Is it possible to use cookie-free domains in WordPress?
  48. Passing cookies when using wp_remote_get
  49. Detect if authentication is set to “remember” a user being logged on
  50. Store value in cookie
  51. Set Short Automatic Logout Time for One User
  52. How to change WordPress cookies to be session-only
  53. Backbone with custom rest endpoints
  54. wordpress can’t read a cookie?
  55. How to render WP Rest-API Endpoints in a React.js Theme with Woocommerce
  56. Do I need a Cookie consent on a basic WordPress site?
  57. Page specific cookie
  58. will creating a static folder in the root directory serve the purpose of loading the static content from cookieless domain?
  59. Set cookie with taxonomy name
  60. Best method to show modal only once
  61. Cookie with referral URL [closed]
  62. How to keep a variable in COOKIE or GET query string?
  63. Cookie Details Requested
  64. Cookies in template
  65. Cookie error. No possibility to define my cookie
  66. Log in user using WordPress REST API
  67. Favicon not loading until cookies are accepted?
  68. How to verify which WordPress user requested the API in ASP .NET Core?
  69. can you help review CCCP (Conditional Cookie Content Post) and help to create a block?
  70. Check if user can in javascript
  71. wp-api Backbone JS Client fetch options
  72. Setup cookie on Chrome even without HTTPS
  73. PHP cookie control does not work correctly
  74. How can I get an updated cookie in header.php?
  75. Setting a Custom Cookie in WordPress only for Logged In Customer/User (non-admin)
  76. URL issue retrieving Custom Post Types using Backbone JS API
  77. Access checks with custom REST endpoints and backbone
  78. Correct user session/cookie handling with external site connection in wordpress
  79. The same session information for peer users on two different WordPress servers
  80. Checking for cookies returns correct result only inside Elementor Editor
  81. How to save history in the client’s browser without login? [closed]
  82. Automatically Log Out UserX when visiting WooCommerceStore
  83. is_user_logged_in() returns different values on different pages
  84. http_referrer issue when detecting where site comes from and allow if from allowed host
  85. detect referr page
  86. Looking to load a different template part on every load/refresh
  87. Cookie is not set
  88. Capture and display users name
  89. Why isn’t my cookie setting in my function?
  90. WordPress wp-login.php cookie error (WordPress Version 4.2.9)
  91. WP-API + JS Backbone client – how to update post meta
  92. Logged In cookie gets saved but not Auth cookie
  93. set cookies or let system know a user has been on site
  94. setcookie not working when defined with ‘/’ but working if not defined
  95. How to use Cookie or Session php for one page and just a password
  96. How to get the id dynamically to store cookies
  97. WordPress keep logged in after browser close
  98. Can I use the Backbone REST API client outside WordPress?
  99. What filtering is available for backbone.js?
  100. How to limit what fields are returned through the WP API Backbone JS client

Leave a Comment