Update Jan 11, 2018
WPEngine Customers: You must set the Allow Origin settings in your .htaccess file. See https://wpengine.com/support/platform-settings/ for more information.
It has come to my attention that a growing number of frameworks are running into issues with CORS (Cross-origin HTTP Requests). The issue begins with OAuth2 not really supporting CORS due to click hijacking made possible by front-end JS frameworks. With newer technology using JS on the server side, these calls fail to authenticate because of how the CORS requests are made.
CORS works as follows. The client wants to make a POST request to the server, but before it does, it sends a “preflight request”. This preflight request is an OPTIONS request that basically asks the server (the physical server, not the OAuth Server) a couple of things.
Ideally, the server will respond that the client is allowed to make the calls, and the client will then perform the actual POST request.
WP OAuth Server follows the OAuth2 draft and does not listen for the OPTIONS request. This is where the issue comes into play. To get around this, you can extend WP OAuth Server by creating an action for “wo_before_api”.
You can paste the snippet below into your theme's functions file, and your server will then return the proper response.
```php
// Answer the CORS preflight (OPTIONS) request before WP OAuth Server handles the call.
function wo_cors_check_and_response() {
    if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
        // Note: "*" allows the preflight from any origin.
        header('Access-Control-Allow-Origin: *');
        header('Access-Control-Allow-Methods: POST, GET');
        header('Access-Control-Allow-Headers: Authorization');
        header('Access-Control-Max-Age: 1'); //1728000
        header("Content-Length: 0");
        header("Content-Type: text/plain; charset=UTF-8");
        exit(0);
    }
}
add_action('wo_before_api', 'wo_cors_check_and_response');
```
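The snippet above answers every preflight with `Access-Control-Allow-Origin: *`. As an added example (not code from WP OAuth Server or its author), the same `wo_before_api` hook can return the requesting origin only when it is on an allowlist. The function name, the example.com origins and the 600-second max-age are assumptions, and the example assumes the hook also fires on the actual GET/POST requests.

```php
// Added example: allowlist-based CORS handling for the wo_before_api hook.
// Function name, origins and max-age are illustrative, not part of WP OAuth Server.
function wo_cors_allowlist_preflight() {
    // Constructed placeholder origins: replace with your own front ends.
    $allowed_origins = array(
        'https://app.example.com',
        'https://staging.example.com',
    );

    $origin = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : '';

    // Exact string comparison only. Substring or regex matching would also
    // accept look-alike origins such as https://app.example.com.other.test.
    $origin_ok = in_array( $origin, $allowed_origins, true );

    // The response now depends on the Origin header, so caches must key on it.
    // Second argument false appends instead of replacing an existing Vary header.
    header( 'Vary: Origin', false );

    if ( $origin_ok ) {
        // Safe to echo back: the value is identical to an allowlist entry.
        header( 'Access-Control-Allow-Origin: ' . $origin );
    }

    if ( 'OPTIONS' !== $_SERVER['REQUEST_METHOD'] ) {
        // Actual GET/POST request: headers are set, let the OAuth server continue.
        return;
    }

    if ( $origin_ok ) {
        header( 'Access-Control-Allow-Methods: POST, GET' );
        header( 'Access-Control-Allow-Headers: Authorization' );
        header( 'Access-Control-Max-Age: 600' );
        status_header( 204 ); // Preflight succeeded, no body.
    } else {
        status_header( 403 ); // No CORS headers: the browser blocks the call.
    }
    exit;
}
add_action( 'wo_before_api', 'wo_cors_allowlist_preflight' );
```

Register this in place of the wildcard snippet rather than alongside it; if both are hooked, whichever runs first exits and decides the response.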