Log in user using Wordpress REST API

I am having problems authenticating a user after logging in using a custom endpoint using the WordPress REST API.

I'm aware that this is not the perfect approach but I am just trying to make a few custom routes so that I can prototype a mobile app. I have searched countless forums and I have looked at a number of other answers but I can't seem to find out what the problem is in my code.

Code to create a User account

add_action( 'rest_api_init', 'my_test_register_user_routes' );
function my_test_register_user_routes() {
    
    register_rest_route( APP_NAMESPACE, '/user', [
        'methods'  = WP_REST_Server::CREATABLE,
        'callback' = 'my_test_create_user',
    ] );
}

function my_test_create_user($request) 
{   
    //create user and get ID
    $new_user = [];
    $new_user['username'] = $request['username'];
    $new_user['email'] = $request['email'];
    $new_user['password'] = $request['password'];

    $user = wp_insert_user( [
        'user_login' = $new_user['username'],
        'user_email' = $new_user['email'],
        'user_pass' = $new_user['password']
    ] );

    if( is_wp_error( $user ) ) {
        return rest_ensure_response( [
            'error' = 1,
            'msg' = $user-get_error_message()
        ] );
    }
        
    return rest_ensure_response( ['User' = 'User created'] );
}

Code to log in a user

/* 
    ========================AUTHENTICATION ROUTES========================
*/
add_action( 'rest_api_init', 'my_test_register_authentication_routes' );
function my_test_register_authentication_routes() {
    
    register_rest_route( APP_NAMESPACE, '/login', [
        'methods'  = WP_REST_Server::CREATABLE,
        'callback' = 'my_test_login_user',
    ] );
}

function my_test_login_user($request) 
{   
    $creds = [];
    $creds['user_login'] = $request[user];
    $creds['user_password'] =  $request[password];
    $creds['remember'] = true;
    $user = wp_signon( $creds, false ); 
    
    if ( is_wp_error($user) )
        return rest_ensure_response( [
            'login' = 0,
            'msg'   = $user-get_error_message()
        ] );
    

    wp_set_current_user($user-ID);
    wp_set_auth_cookie($user-ID,true);
    $nonce = wp_create_nonce('wp_rest');

    if (is_user_logged_in()) {
        $current_user = 'Y';
    } else {
        $current_user = 'N';
    }
    
    return rest_ensure_response( [
        'login' = 1,
        'id' = $user-ID,
        'nonce' = $nonce,
        'is_user_logged_in' = $current_user,
        'msg'   = 'You have successfully logged in'
    ] );
}

Now all this looks fine, the user is successfully logged in and expected the data is returned.

The code to check if the user is logged in below

add_action( 'rest_api_init', 'check_status_route' );
function check_status_route($request)
{
    register_rest_route( APP_NAMESPACE, '/status', [
        'methods'  = WP_REST_Server::READABLE,
        'callback' = 'check_status',
    ] );
}

function check_status($request)
{
    if (is_user_logged_in()) {
        $status = Logged In;
    } else {
        $status = Logged Out;
    }
    
    return rest_ensure_response( ['status' = $status] );
}

The check_status() function returns the following

{
    code: rest_cookie_invalid_nonce,
    message: Cookie nonce is invalid,
    data: {
        status: 403
    }
}

I have tried using the nonce as both a header and in the URL. What am I missing/doing wrong?

Topic nonce authentication rest-api cookies Wordpress

Category Web

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.