Depending on how the web server is configured, some web hosts need additional configuration to handle authenticated WooCommerce API requests.

The most common issue we see is that authentication headers are dropped, so requests can't be authenticated. This means Robot Ninja can't do things like process refunds or create test customer accounts.

The technical reason is that the web server (Apache etc.) does not pass the HTTP headers through to PHP in CGI mode (a few reference GitHub issues are available here and here). The HTTP `Authorization` header that your web server (e.g. Apache) receives in the request doesn’t end up populating the PHP `$_SERVER['HTTP_AUTHORIZATION']` variable, which PHP uses to populate the `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` variables. These are what WooCommerce uses for basic authentication.

Solution 1:

Update your site's `.htaccess` file:

```apache
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
```

Specifically, add `E=HTTP_AUTHORIZATION:%{HTTP:Authorization},` inside the flags of the first `RewriteRule`, directly before the `L`.

For reference, the default `.htaccess` file should look like this:

```apache
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
```

We have found this solution works well for customers that use GoDaddy Hosting.

If you use a multi-site setup or an alternative web server like nginx, you'll need to use some different modifications (although if you are using nginx you likely have more control over your server setup and can fix the issue at the web server level).

Solution 2:

The above solution will result in Apache populating the `$_SERVER['REDIRECT_HTTP_AUTHORIZATION']` variable (Apache prepends `REDIRECT_` to the variable). This isn’t used by WooCommerce, but we have added some additional support in the helper plugin to try and work around this.

The next approach we’ve seen work well is to instead add the following to your Apache configuration (sometimes it will be there already but commented out, depending on your version of Apache):

```apache
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
```

For best results it can go in your main/global Apache configuration file (e.g. `apache2.conf` or `httpd.conf`) or in an individual site's config. Based on our testing, this should result in all the variables being populated.

If modifying the main config is not an option, it can also be placed in your `.htaccess` file above the WordPress rules. As with Solution 1, this will result in the `$_SERVER['REDIRECT_HTTP_AUTHORIZATION']` variable being populated, but we have some additional support in the helper plugin.
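To show what handling the `REDIRECT_`-prefixed variable involves, here is an added example (not the helper plugin's or WooCommerce's code) that recovers basic-auth credentials from whichever `$_SERVER` variable was populated. The function name `rn_example_basic_credentials` and the sample key values are hypothetical.

```php
<?php
// Added example; the function name and sample values are hypothetical.

/**
 * Return [user, password] from whichever variable the web server populated,
 * or null when no usable Basic credentials reached PHP.
 */
function rn_example_basic_credentials(array $server): ?array
{
    // Normal case: PHP already parsed the Authorization header itself.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // Fallbacks, in order: the plain variable, then the REDIRECT_-prefixed
    // copy Apache creates after the internal rewrite to index.php.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key]) || !is_string($server[$key])) {
            continue;
        }
        // Only the Basic scheme carries user:password; skip other schemes.
        if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i', trim($server[$key]), $m)) {
            continue;
        }
        $decoded = base64_decode($m[1], true); // strict mode rejects malformed input
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        // Split on the first colon only: the password may itself contain colons.
        return explode(':', $decoded, 2);
    }
    return null;
}

// Constructed sample input: $_SERVER as it looks when only the
// REDIRECT_-prefixed variable was populated.
$sample = [
    'REQUEST_METHOD' => 'GET',
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('ck_example:cs_exa:mple'),
];

$creds = rn_example_basic_credentials($sample);
// Report the outcome without printing the secret itself.
echo $creds === null
    ? "No Basic credentials reached PHP\n"
    : sprintf("Recovered credentials for user %s (password length %d)\n", $creds[0], strlen($creds[1]));
```

Passing the real `$_SERVER` instead of `$sample` turns this into a quick check of which variable your host actually populates; keep the output free of the password, as above.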

Solution 3:

If you are using `mod_proxy` or `mod_proxy_fcgi` and Apache 2.4.13+, there is also a `CGIPassAuth` directive that can be used within your main Apache config file or `.htaccess`:

```apache
CGIPassAuth on
```

Ref: https://github.com/WP-API/WP-API/issues/2512#issuecomment-280539514

For Apache versions prior to 2.4.13, Solution 2 will probably be your go-to.

Solution 4:

If you use `mod_fastcgi`, another approach we've seen work is to make sure your virtual host FastCGI configuration uses the `-pass-header Authorization` option/flag.

For example, within your `<VirtualHost></VirtualHost>` block you’ll want to have something that looks like this (including the `-pass-header Authorization`):

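```apache
# AddHandler maps the .php extension to the handler
# (SetHandler accepts only a handler name, not an extension).
AddHandler php7-fcgi .php
Action php7-fcgi /php7-fcgi virtual
Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
# -pass-header Authorization forwards the header to PHP-FPM.
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi -socket /var/run/php/php7.0-fpm.sock -pass-header Authorization
```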

Alternatively, the following may work for you depending on your set up:

```apache
FastCgiConfig -pass-header Authorization
```