[wp-trac] [WordPress Trac] #63754: Application password with REST API fails when logged in (Unauthorized), works when logged out — Regression from WP 6.8.2
WordPress Trac
noreply at wordpress.org
Mon Aug 11 15:54:50 UTC 2025
#63754: Application password with REST API fails when logged in (Unauthorized),
works when logged out — Regression from WP 6.8.2
-----------------------------------+------------------------------
Reporter: elabinnovations | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: 6.8.2
Severity: blocker | Resolution:
Keywords: close | Focuses:
-----------------------------------+------------------------------
Changes (by mindctrl):
* keywords: reporter-feedback => close
Comment:
Hi @elabinnovations, thanks for the extra details. I'm able to reproduce
the issue, but only with your plugin. Without your plugin, I can login
simultaneously via browser using the typical cookie-based session, and I
can also login and make REST API requests via Bruno using my App Password.
Neither gets automatically logged out or rejected.
I only took a quick look at your plugin code, but I'm guessing there's
some auth issue within. I noticed some places where you call `check_auth`
manually while passing the `$request` param, but your implementation of
`check_auth` doesn't accept parameters and doesn't reason about the
request object. Since that method is defined as your
`permission_callback`, it will be automatically called (and receive the
`WP_REST_Request $request` param) by WordPress. That alone seems like it
might create issues.
I don't think this is an issue with WordPress itself, and is some issue
with the auth code within your plugin. I'm going to propose this ticket be
closed, but maybe we can get a second opinion here to confirm.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63754#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list