Unable to perform REST requests

I am trying to create a post on a WordPress website, on a VPS, using the REST API, with Postman.
To do that I am using the default admin user and a generated application password, but instead of creating the post I am getting the following response:

{
    "code": "rest_cannot_create",
    "message": "Sorry, you are not allowed to create posts as this user.",
    "data": {
        "status": 401
    }
}

I have also tried an alternative endpoint with curl. Here is the command:

curl --user "ADMIN_USERNAME:APP_PASSWORD" https://host/wp-json/wp/v2/users?context=edit

but the response I'm getting is:

{"code":"rest_forbidden_context","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

I also tried the same curl command after logging into the VPS over SSH, but with the same result.
Here is the content of the .htaccess file:

CGIPassAuth On
# BEGIN WordPress

RewriteEngine On
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

The VPS uses Apache as the web server and PHP 7.4 CGI.
The WordPress in use is WordPress 5.9.3, with all defaults, set up via one-click install from the Dreamhost Panel.

GET endpoints work fine.

I would appreciate any insight on this one.

I have also tried enabling CORS using the following code:

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: Authorization, X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");
header("Allow: GET, POST, OPTIONS, PUT, DELETE");

I have double-checked the response: the headers are there. No result.

Apparently Dreamhost strips the Authorization header, ignoring the .htaccess.
I tried that by printing the headers + $_SERVER and getenv(). No mention of the Authorization header there, even when explicitly defined.

Another finding: it seems that I'm unable to set environment variables at all with either of the 2 methods that I am aware of.
Here is the updated .htaccess file:

CGIPassAuth On
SetEnvIf MYTESTHEADERNAME (.*) TEST_ENV_VAR=$1
# BEGIN WordPress

RewriteEngine On
RewriteRule .* - [E=ANOTHER_TEST_ENV_VAR:%{HTTP:MYTESTHEADERNAME},L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

When using:

<?php
$env = getenv();
foreach ($env as $key => $value) {
	echo $key.":".$value."\n";
}

?>

I can see HTTP_MYTESTHEADERNAME:123 in the output, but no mention of either TEST_ENV_VAR or MYTESTHEADERNAME.

I tried switching to nginx instead of Apache, to check whether the behaviour is the same in the sense of stripping the Authorization header, and nginx did not. I will stick with nginx for now.

Check out https://help.dreamhost.com/hc/en-us/articles/217477738-Nginx-web-application-configurations for more information on how to set up nginx to work with WordPress. Specifically, pay attention to the Permalinks section.
If you have the default Dreamhost WordPress installation, you'd probably be better off with the WP Super Cache section, since the plugin is installed by default.
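
An added example, not code from the thread: a narrower check than dumping getenv(), reporting which server variable (if any) carried the Basic credentials into PHP while never echoing the password. The function name locate_basic_auth and the file name check.php are hypothetical, and the sample values are constructed.

```php
<?php
// Added diagnostic (not the poster's code). Reports where HTTP Basic
// credentials reached PHP, if anywhere, without printing the password.

function locate_basic_auth(array $server): array
{
    // Set by PHP itself when it received and parsed the credentials.
    if (isset($server['PHP_AUTH_USER'])) {
        return ['source' => 'PHP_AUTH_USER', 'user' => $server['PHP_AUTH_USER']];
    }
    // Rewrite/SetEnvIf workarounds set HTTP_AUTHORIZATION; after an internal
    // redirect Apache exposes it as REDIRECT_HTTP_AUTHORIZATION.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($server[$key], 6), true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return ['source' => $key, 'user' => null, 'error' => 'malformed value'];
        }
        // Split on the first colon only: the password may contain colons.
        [$user] = explode(':', $decoded, 2);
        return ['source' => $key, 'user' => $user];
    }
    // Nothing arrived: the header was dropped before PHP saw the request.
    return ['source' => null, 'user' => null];
}

// Constructed samples, used when the file is run from the CLI (php check.php).
$samples = [
    'header forwarded' => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:abcd EFGH:1234')],
    'after rewrite'    => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:x')],
    'header stripped'  => ['HTTP_MYTESTHEADERNAME' => '123'],
];

if (PHP_SAPI === 'cli') {
    foreach ($samples as $label => $server) {
        echo $label, ': ', json_encode(locate_basic_auth($server)), "\n";
    }
} else {
    // Served by the web server: inspect the real request.
    header('Content-Type: application/json');
    echo json_encode(locate_basic_auth($_SERVER));
}
```

Request it with the same curl --user call used against the REST endpoint; a null source means the header never reached PHP. Delete the file once the check is done, since it confirms a valid username to anyone who can reach it.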
