WooCommerce REST API – Multisite issues (401 / 403)

Hey there – I am facing some trouble with my Trellis Multisite setup running WooCommerce and am hitting a wall here… Maybe some of you have been working with WooCommerce in a Multisite context and can lend a hand here?

The issue revolves around the REST API & especially the WC-endpoints since the regular endpoints can be reached fine (f.ex. /wp-json/wp/v2/posts) but everything within the WC-context renders a 401 error woocommerce_rest_cannot_view (f.ex. /wp-json/wc/v3/products) when being accessed directly.

This in turn renders the wc-admin-calls in the backend useless and I receive blank pages / console errors when trying to access WC’s admin pages like /wp/wp-admin/admin.php?page=wc-admin or any reports, list views and such.

Here I am seeing another error code: 403 rest_cookie_invalid_nonce – I suspect that both errors are connected…

I am logged in as super admin but this also happens when using a regular shop manager user role.

Accessing the WC REST API endpoints via Postman works fine when explicitly passing Basic Auth.

Find below the debug info / HTTP calls for a) the regular site (= non-multisite) where things are working fine and b) the multisite setup.

Appreciate your time and looking forward to any insights.

Thanks + regards,
Henning

Regular Site

https://abc.xyz/wp-json/wc-admin/options?options=woocommerce_ces_tracks_queue&_locale=user
Status 200 OK
Version HTTP/2
Übertragen 1,03 KB (38 B Größe)
Referrer Policy strict-origin-when-cross-origin

RESPONSE HEADER

HTTP/2 200 OK
server: nginx
date: Fri, 13 Aug 2021 15:04:19 GMT
content-type: application/json; charset=UTF-8
vary: Accept-Encoding
x-robots-tag: noindex
link: <https://abc.xyz/wp-json/>; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0, no-store
x-wp-nonce: xxx
x-qm-overview-time_taken: 1.2853
x-qm-overview-time_usage: 1.1% of 120s limit
x-qm-overview-memory: 40,679 kB
x-qm-overview-memory_usage: 15.5% of 262,144 kB limit
allow: GET
strict-transport-security: max-age=31536000; includeSubDomains;
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-ua-compatible: IE=Edge
content-security-policy: frame-ancestors 'self'
x-frame-options: SAMEORIGIN
content-encoding: gzip
X-Firefox-Spdy: h2

GET /wp-json/wc-admin/options?options=woocommerce_ces_tracks_queue&_locale=user HTTP/2
Host: abc.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, */*;q=0.1
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://abc.xyz/wp/wp-admin/admin.php?page=wc-admin
X-WP-Nonce: xxx
DNT: 1
Connection: keep-alive
Cookie: wordpress_test_cookie=WP+Cookie+check; tk_ai=woo%3AqACvsxxxDtWS1qo2d; ac-section_ls-settings=1; wordpress_logged_in_81cbe244xxxcd9f53af05e8=hs_sadm1n%xxx%7CewwhmktcpOhYyX0McpXxxxxZUEygpobLWE8FEjY%7C70c95xxxfa75a7bf0c0e276fdd77119da0xxx8200abbcf3efa8xxx8
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

Multisite

https://multi.abc.xyz/wp-json/wc-admin/options?options=woocommerce_ces_tracks_queue&_locale=user
Status 403 Forbidden
Version HTTP/2
Übertragen 858 B (105 B Größe)
Referrer Policy strict-origin-when-cross-origin

RESPONSE HEADER

HTTP/2 403 Forbidden
server: nginx
date: Fri, 13 Aug 2021 15:02:26 GMT
content-type: application/json; charset=UTF-8
vary: Accept-Encoding
pragma: no-cache
x-robots-tag: noindex
link: <https://multi.abc.xyz/wp-json/>; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: frame-ancestors 'self'
x-frame-options: SAMEORIGIN
x-robots-tag: noindex, nofollow
content-encoding: gzip
X-Firefox-Spdy: h2

GET /wp-json/wc-admin/options?options=woocommerce_ces_tracks_queue&_locale=user HTTP/2
Host: multi.abc.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, */*;q=0.1
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://multi.abc.xyz/wp/wp-admin/admin.php?page=wc-admin
X-WP-Nonce: xxx
DNT: 1
Authorization: Basic aGFja2U6c3BpdHplIQ==
Connection: keep-alive
Cookie: ju-dismiss-warning-requirement-wp-media-folder=1; tk_ai=woo%3AyQp7D94vaMlG%xxx; wordpress_sec_61571b6705fbc80d96d053ee3xxxx=hs_sadm1n%xxxx%7CdD4ljxW9rDeEdEjSYp5dp5RLeqsq3zxxxxNGtTq%xxxx; PHPSESSID=f259ce5ba3xxx3b234453ee7ff2ee; wp-saving-post=14455-saved
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

I have a multisite network as well; however, I’m not using the REST API much yet. I have been keeping an eye on Frontity’s development, specifically related to WooCommerce compatibility, which they currently have a proof-of-concept for. I would check in with their forum at https://community.frontity.org/ since a React front-end is entirely dependent on the REST API. Seeing that they have made inroads with WooCommerce, maybe someone over there has experienced this issue and can help?

Fixed it in the end – was a crude mix of Cookie-Path related stuff 🙃

This is the corresponding Bedrock config if someone else is wondering:


```php
/**
 * Multisite setup
 * Do NOT use 'Config::define' for any other constants besides 'WP_ALLOW_MULTISITE' here...!
 * @link https://discourse.roots.io/t/not-sure-how-to-get-multisite-functional-in-dev-environment/15701/2
 */
Config::define('WP_ALLOW_MULTISITE', true);

define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', true);
define('DOMAIN_CURRENT_SITE', env('DOMAIN_CURRENT_SITE'));
define('PATH_CURRENT_SITE', env('PATH_CURRENT_SITE') ?: '/');
define('SITE_ID_CURRENT_SITE', env('SITE_ID_CURRENT_SITE') ?: 1);
define('BLOG_ID_CURRENT_SITE', env('BLOG_ID_CURRENT_SITE') ?: 1);
define('WP_DEFAULT_THEME', 'storefront');

/**
 * Use DOMAIN_CURRENT_SITE as the cookie domain. This ensures cookies and
 * nonces are using the correct domain for the corresponding site. Without
 * this, logins, REST requests, Gutenberg AJAX requests, and other actions
 * which require verification will not work.
 */
Config::define('ADMIN_COOKIE_PATH', '/');
Config::define('COOKIE_DOMAIN', env('DOMAIN_CURRENT_SITE'));
Config::define('COOKIEPATH', '/');
Config::define('SITECOOKIEPATH', '/');
```
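An added example, not code from the posts above or from the Roots project: a small model of the RFC 6265 domain- and path-matching a browser applies before attaching cookies, showing how a login cookie scoped to the wrong Path or Domain never reaches `/wp-json/` while the admin pages still receive it. The cookie scopes, the `HASH` placeholder, the helper names and the value `abc.xyz` for `DOMAIN_CURRENT_SITE` are assumptions; the check for `wordpress_logged_in_*` follows the captures above, where the working request carries that cookie and the failing one does not.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    path: str
    domain: Optional[str]  # Domain attribute; None means a host-only cookie
    set_by: str            # host whose response set the cookie

def domain_match(host: str, cookie: Cookie) -> bool:
    """RFC 6265 5.1.3; a host-only cookie needs an exact host match."""
    host = host.lower()
    if cookie.domain is None:
        return host == cookie.set_by.lower()
    dom = cookie.domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: prefix match that must end on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(url: str, jar: List[Cookie]) -> List[str]:
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    return [c.name for c in jar
            if domain_match(parts.hostname, c) and path_match(parts.path or "/", c.path)]

def rest_cookie_auth_possible(url: str, jar: List[Cookie]) -> bool:
    """Assumption: REST cookie auth needs the wordpress_logged_in_* cookie."""
    return any(n.startswith("wordpress_logged_in_") for n in cookies_sent(url, jar))

REST_URL = "https://multi.abc.xyz/wp-json/wc/v3/products"
ADMIN_URL = "https://multi.abc.xyz/wp/wp-admin/admin.php?page=wc-admin"
# Constructed jars; HASH stands in for the real cookie hash.
MISSCOPED = [Cookie("wordpress_sec_HASH", "/", None, "multi.abc.xyz"),
             Cookie("wordpress_logged_in_HASH", "/wp/", None, "multi.abc.xyz")]
# Path '/' and a cookie domain as in the config above (DOMAIN_CURRENT_SITE assumed abc.xyz).
FIXED = [Cookie("wordpress_sec_HASH", "/", "abc.xyz", "multi.abc.xyz"),
         Cookie("wordpress_logged_in_HASH", "/", "abc.xyz", "multi.abc.xyz")]

if __name__ == "__main__":
    for label, jar in (("mis-scoped", MISSCOPED), ("fixed", FIXED)):
        print(label, cookies_sent(REST_URL, jar), rest_cookie_auth_possible(REST_URL, jar))
```

To check a real site, read each cookie's Domain and Path from the browser's storage inspector and run them through `cookies_sent` against the REST URL that returns the 403.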
