通过子域中的API通过Wordpress Cookie进行身份验证

Question

I want to access the current logged in Wordpress user in a separate Laravel installation.

Wordpress is running as website.com and I've got a subdomain with tool.website.com with the Laravel application (on another server but same domain).

I'm using the Native Wordpress API and created an authentication route.

The issue:

When I access the /authenticate route directly, the user ID is returned and works correctly. But when I access the route through tool.website.com false is returned..

Things I've got working:

I've created an API request which returns the user id in an API call:

add_action( 'rest_api_init', function () {
  register_rest_route( '/authenticate', array(
    'methods' => 'GET',
    'callback' => 'authenticate',
  ) );
} );

The function looks like this:

$user_id = wp_validate_auth_cookie( $_COOKIE[LOGGED_IN_COOKIE], 'logged_in' );

The WP cookie is available on both the sub / main domain. I can see they are identical and toplevel.

define('COOKIE_DOMAIN', '.website.dev');

Things I've tried:

• Using wp_get_current_user() to retrieve the user, this seems to need a nonce. I experimented hours and hours with the nonce approach on many different ways, but I could not get this to work (false or 0 was returned). I understand this is due to restrictions of using a nonce from outside of Wordpress.
• Using the default native API approach to get the user, also needs the nonce.
• Reading the https://developer.wordpress.org/rest-api/ manual, git repository & several articles / comments online.
• Thinking about the OAuth approach, but I do not want users to login again as they are already logged in when they reach the tool.
• Sending stuff like posts etc works without problems, so the API connection is not the problem.

I'm wondering if my approach is in the right direction. Hopefully someone can give me some guidance.

Answer 1

I found the following workaround:

- tool.website.com Send the Cookies from tool.website.com to the API as post data.

    $cookie_array = $_COOKIE; 

    // use key 'http' even if you send the request to https://...
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($cookie_array)
        )
    );
    $context  = stream_context_create($options);
    $data = file_get_contents(self::BASE_URL . "authenticate", false, $context);

- website.com Retrieve the cookie from Post data, and use the standard LOGGED_IN_COOKIE constant in Wordpress to select the correct one (this can be refactored to sending the correct cookie at once).

  // We retrieve the cookie (which is sadly not available through the API call alone)
  $the_cookie = $request->get_body_params();

  // As the cookie lives at domain level, we can use the same Cookie key in the WP API and other subdomains of this domain
  // The cookie key remains the same
  $user_id = wp_validate_auth_cookie( $the_cookie[LOGGED_IN_COOKIE], 'logged_in' ); 

This solution seems steady; hopefully it will help someone. If there are other solutions, please add them in this topic; as I'm sure there must be different ways achieving this.