The system-wide user authentication implementation causes friction and breaks the WooCommerce REST API authentication

[mrdarrengriffin]

Quick summary

Studio handles authentication differently from the native WordPress functionality in that the session is not scoped to the browser via cookies but the entire system. This adds friction when needing to test unauthenticated logic as when going incognito, using a different browser or using Postman results in you still being authenticated.

In addition, this breaks how WooCommerce handles the REST API authentication as being authenticated bypasses the other methods of authentication (such as Basic Auth and even OAuth 1.0 via headers or GET params)

Steps to reproduce

Browser sessions:

1. Start a Studio site and open the site
2. You will automatically be logged in as the admin user (this is fine)
3. Using a fresh Chrome Incognito session - The user is still authenticated
4. Using a different browser (Edge) - The user is still authenticated
5. Logout of the session
6. Visit steps 3 & 4, the user is now logged out
7. Re-authenticate using the credentials from Studio
8. Visit steps 3 & 4, the user is now logged in

WooCommerce API:

1. Start a Studio site and open the site
2. You will automatically be logged in as the admin user (this is fine)
3. Create a WooCommerce REST API key. Note down the consumer key and secret
4. Using Postman with Basic Auth
   1. Create a GET request to http://localhost:8881/wp-json/wc/v3/products
   2. Use Basic Auth as the authentication using consumer_key as the username and consumer_secret as the password
   3. Submit the request, you are returned a 401
5. Using Postman with consumer details in GET params
   1. Create a GET request to http://localhost:8881/wp-json/wc/v3/products?consumer_key={consumer_key}&consumer_secret={consumer_secret}, replacing consumer_key and consumer_secret with the actual values
   2. Submit the request, you are returned a 401
6. Using Postman with OAuth 1.0 (Request headers)
   1. Create a GET request to http://localhost:8881/wp-json/wc/v3/products
   2. Use OAuth 1.0 as the authentication using HMAC-SHA1 as the Signature Method, consumer_key as the Consumer Key and consumer_secret as the Consumer Secret
   3. Submit the request, you are returned a 401
7. Using Postman with OAuth 1.0 (GET params)
   1. Create a GET request to http://localhost:8881/wp-json/wc/v3/products?oauth_signature_method=HMAC-SHA1&oauth_consumer_key={consumer_key}&oauth_consumer_secret={consumer_secret}, replacing consumer_key and consumer_secret with the actual values
   2. Use OAuth 1.0 as the authentication using HMAC-SHA1 as the Signature Method, consumer_key as the Consumer Key and consumer_secret as the Consumer Secret
   3. Submit the request, you are returned a 401
8. Logout of the WordPress session
9. Repeat 4, 5, 6 and 7. This time, the API will work correctly

What you expected to happen

Authentication should only be scoped to the browser session using cookies. The implementation of the global authentication goes against the standard implementation and adds friction to how we develop and test within WordPress.

When I use Incognito, another browser or Postman, they should all be unauthenticated if not previously logged in.

A solution could be to make another must-use plugin that allows authentication using GET params that Studio app can then use within the links in the settings area. As it opens the default browser, it will not change anything about the current implementation other than that it's now scoped to that session, like normal. This will then allow Incognito sessions, other browsers and Postman requests to work independently

What actually happened

Authentication should ideally not be system-wide and still rely on browser cookies. At present, using the WooCommerce REST API is tedious as I need to logout every time I want to test a route.

Impact

All

Available workarounds?

Yes, difficult to implement

Platform

Windows

Logs or notes

No response

[danielbachhuber]

Great bug report, @mrdarrengriffin ! Thank you 😊

[mrdarrengriffin]

Thanks @danielbachhuber. I am going to start familarising myself with this codebase and see if I can fix it myself and make a PR but time is scarce! Thanks for acknowledging

[fluiddot]

I couldn't manage to get a successful response from the WooCommerce REST API using API keys. As far as I checked the code, basic authentication is only enabled when using SSL (reference) which is currently unsupported in the Studio app (#191). The only method that would work is using OAuth which doesn't require SSL.

Regarding the system-wide user authentication, I'm currently working on a solution to match a more common behavior.

[fluiddot]

A first step to solve this issue has been implemented in WordPress-Playground: WordPress/wordpress-playground#1753

[fluiddot]

This issue will be solved in #532 🎊 .