Keep getting 401 error from WordPress on AWS Lightsail

I’m trying to post to a WordPress server on an AWS Lightsail instance using node-wpapi.
However, the server returns a 401 error.

I have already added RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}] to my .htaccess file, and I already use the ‘application passwords’ plugin.

How can I use node-wpapi to access the server?

My node-wpapi setting is here.

const WPAPI = require('wpapi');

const wp = new WPAPI({
    endpoint: 'http://localhost/wp-json',
    username: 'user', // This is a default admin user.
    password: '*************************', // This is a password for the Application Passwords plugin.
    auth: true,
});

My .htaccess file is here.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

The error message is here.

  code: 'rest_cannot_create',
  message: 'Sorry, you are not allowed to create new posts.',
  data: { status: 401 }

My user profile page keeps displaying the following message.

> Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: `Authorization` headers are not being sent to WordPress by the webserver. You can learn more about this problem, and a possible solution, on our GitHub Wiki.

Answers:


Method 1

I’ve found a solution.

The WordPress created from the AWS Lightsail instance image is Bitnami WordPress.
Bitnami WordPress has Basic Authentication disabled by default, so /opt/bitnami/apps/wordpress/conf/httpd-app.conf needs to be modified to enable Basic Authentication. The modification is to add the 3 lines below.

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

The httpd-app.conf ended up as below.

RewriteEngine On
RewriteRule /<none> / [L,R]

<IfDefine USE_PHP_FPM>
    <Proxy "unix:/opt/bitnami/php/var/run/wordpress.sock|fcgi://wordpress-fpm" timeout=300>
    </Proxy>
</IfDefine>

<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Options +MultiViews +FollowSymLinks
    AllowOverride None
    <IfVersion < 2.3 >
        Order allow,deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.3>
        Require all granted
    </IfVersion>
    
    

    <IfDefine USE_PHP_FPM>
       <FilesMatch \.php$>
         SetHandler "proxy:fcgi://wordpress-fpm"
       </FilesMatch>
    </IfDefine>

    # The 3 lines added to enable Basic Authentication:
    # pass the Authorization request header through to PHP as HTTP_AUTHORIZATION.
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

    RewriteEngine On
    #RewriteBase /wordpress/
    RewriteRule ^index\.php$ - [S=1]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]

    Include "/opt/bitnami/apps/wordpress/conf/banner.conf"
</Directory>

Include "/opt/bitnami/apps/wordpress/conf/htaccess.conf"

Then restart Apache or the instance itself.
Then I installed the Application Passwords plugin and used it following the normal procedure.
The following plugin message, which was displayed on the profile page, is gone.

> Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: `Authorization` headers are not being sent to WordPress by the webserver. You can learn more about this problem, and a possible solution, on our GitHub Wiki.

The HTTP_AUTHORIZATION environment variable in the .htaccess file doesn’t need to be replaced with REMOTE_USER.
Just in case, I show my .htaccess file below.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

This solution is from this page.
The difference between the solution on that page and my solution above is that I use the Application Passwords plugin, whereas they use the JSON Basic Authentication plugin.

Method 2

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]

Unless you have specific requirements, you would ordinarily set the HTTP_AUTHORIZATION environment variable here, not REMOTE_USER, in order to essentially pass the Authorization HTTP request header as-is through to PHP/WordPress. (Which would seem to be what the error is suggesting?)

UPDATE: Also try setting CGIPassAuth On at the top of the .htaccess file. See my answer on the following related question on StackOverflow.
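
A client-side triage helper for the error in the question, added here as an example (it is not code from the question or from either answer). The function names are hypothetical; it relies on WordPress answering a failed REST permission check with 401 when it sees no logged-in user and 403 when the user is logged in but lacks the capability.

```javascript
'use strict';

// Build the header value a Basic-auth client sends: "Basic " + base64("user:password").
function basicAuthHeader(username, appPassword) {
  return 'Basic ' + Buffer.from(`${username}:${appPassword}`, 'utf8').toString('base64');
}

// Basic credentials are only base64-encoded, not encrypted, so accept plain
// http:// for loopback hosts only and require https:// everywhere else.
function endpointIsSafeForBasic(endpoint) {
  const url = new URL(endpoint);
  if (url.protocol === 'https:') return true;
  return url.protocol === 'http:' &&
    ['localhost', '127.0.0.1', '[::1]'].includes(url.hostname);
}

// Classify a WordPress REST error body by the HTTP status it carries.
function triageRestError(body) {
  const status = body && body.data ? body.data.status : undefined;
  if (status === 401) {
    return {
      cause: 'anonymous',
      check: 'WordPress saw no logged-in user: confirm the Authorization header ' +
             'reaches PHP (HTTP_AUTHORIZATION / CGIPassAuth), then the credentials.',
    };
  }
  if (status === 403) {
    return {
      cause: 'forbidden',
      check: 'The user authenticated but lacks the capability: check the role.',
    };
  }
  return { cause: 'other', check: 'Not an authorization failure: read code and message.' };
}

// Constructed sample: the error body from the question and a placeholder password.
const sampleError = {
  code: 'rest_cannot_create',
  message: 'Sorry, you are not allowed to create new posts.',
  data: { status: 401 },
};
console.log(triageRestError(sampleError).cause);
console.log(endpointIsSafeForBasic('http://localhost/wp-json'));
console.log(basicAuthHeader('user', 'placeholder-password'));
```

The 401 in the question therefore points at the request being handled as anonymous, which matches the plugin's warning that the `Authorization` header is not reaching WordPress.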


All methods were sourced from stackoverflow.com or stackexchange.com, and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
