Subscription blocked by Cloudflare - invalid method PUT #8

Closed
kanaldro opened this issue Mar 10, 2021 · 8 comments · Fixed by #13
Labels
enhancement New feature or request

Comments

@kanaldro

kanaldro commented Mar 10, 2021

Hello, I just installed your WP plugin to test it out and it looks like there's an issue with Cloudflare, the world's most used CDN.
The PUT HTTP method is blocked, so the subscription never gets to the server; the call to the endpoint returns a 405 error.

These are the response headers for the request:

allow: GET,POST,OPTIONS,HEAD,TRACE
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-railgun: direct (starting new WAN connection)
cf-ray: 62dfbc72391fc769-AMS
cf-request-id: 08bfb41b660000c7697f875000000001
content-type: text/html; charset=iso-8859-1
date: Wed, 10 Mar 2021 21:46:30 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
nel: {"max_age":604800,"report_to":"cf-nel"}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2BDRLA2DRPHKzBo7GJlzfpNTi6tKqH3zgBj9UBRPQS3Ah58knua7oGdcLVknT%2FsN4n0V3K0286e76F9y50EBgepk%2BVMNuZWv6FnLTMA%3D%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare

And this is the response I got in the browser from the API endpoint:

image

Do you think you could change the way the subscription is passed from browser to server, from PUT to POST?
Thanks!


Edit: found a better explanation here: https://gridpane.com/kb/making-nginx-accept-put-delete-and-patch-verbs/
Cloudflare uses NGINX server.

@rwngallego
Collaborator

Hello, before you reported this issue the plugin was recently updated in the marketplace. Could you please use the latest version and check if the issue still persists? We changed how we pass the _wpnonce field in the register method.

@kanaldro
Author

Hello, I updated the plugin and I see a change in the way the nonce is passed; however, the data transmission fails for the same reason: it is a PUT method.

image

@rwngallego
Collaborator

rwngallego commented Mar 10, 2021

Ok, thank you! From your screenshot I can see you use nginx as your HTTP server. So, the traffic probably works like this: Public users > Cloudflare > Nginx (your website). In this case, it's nginx that doesn't allow PUT, not Cloudflare, so you need to adjust your nginx settings to allow PUT. You have posted a link that gives you a hint on how to do it (they suggest using method overrides, but consider that PUT is widely used and is part of the RESTful architecture).

Apart from that, the official WordPress guides for the REST API say regarding those verbs:

The following convention is a best practice for matching HTTP methods: GET for read only tasks, POST for creation, PUT for updating, and DELETE for deleting. The request method acts as an indicator for the expected functionality of your endpoints. When you make a GET request to a route, you should expect to be returned read only data.

Finally, note that the fix is not to change it from PUT to POST in the plugin, as there are some other plugins that use PUT and probably won't work in your website, like the official Gutenberg: WordPress/gutenberg#2704

Please keep us posted!

@rwngallego
Collaborator

@kanaldro after considering reports from different repositories, it's clear that there's a gain in compatibility with Apache mod_security, the nginx default configuration and some WAFs in doing what you suggested.

Further reading:
woocommerce/woocommerce-admin#1934
GoogleForCreators/web-stories-wp#5120
WordPress/gutenberg#2704

We will come up with a solution that either consists in using Method overrides as fallback, adding a feature flag for compatibility or changing to POST/GET methods entirely. We will be updating this ticket, thank you for your contributions!
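
The method-override fallback mentioned in the comment above, as an added example that is not part of this thread or of the plugin's code: the client tries PUT, and when an intermediary answers 405 with an Allow header like the one reported, it resends as POST with `X-HTTP-Method-Override`, which the WordPress REST API honours. The function names, the injected `fetchImpl` and the stand-in proxy are assumptions made for illustration.

```javascript
// Added example: hypothetical client-side fallback, not the plugin's code.
// Parse an Allow header such as the one in the 405 response reported above.
function parseAllow(header) {
  return new Set(
    (header || "").split(",").map((m) => m.trim().toUpperCase()).filter(Boolean)
  );
}

// Decide how to retry a request that an intermediary rejected.
// Returns a request descriptor, or null when no retry is sensible.
function planRetry(method, status, allowHeader) {
  if (status !== 405) return null;       // only handle "Method Not Allowed"
  if (method === "POST") return null;    // already on the fallback verb
  const allowed = parseAllow(allowHeader);
  // A missing Allow header tells us nothing, so POST is still worth trying.
  if (allowed.size > 0 && !allowed.has("POST")) return null;
  return {
    method: "POST",
    // The WordPress REST API reads this header and routes the call as the original verb.
    headers: { "X-HTTP-Method-Override": method },
  };
}

// fetchImpl is injected so the logic can be exercised without a network.
async function sendSubscription(fetchImpl, url, payload, method = "PUT") {
  const base = { "Content-Type": "application/json" };
  const body = JSON.stringify(payload);
  const first = await fetchImpl(url, { method, headers: base, body });
  const retry = planRetry(method, first.status, first.headers.get("allow"));
  if (!retry) return first;
  return fetchImpl(url, {
    method: retry.method,
    headers: { ...base, ...retry.headers },
    body,
  });
}

// Constructed stand-in for the proxy in the report: rejects PUT with the
// same Allow list and accepts POST.
const ALLOW = "GET,POST,OPTIONS,HEAD,TRACE";
async function fakeProxy(url, init) {
  const ok = parseAllow(ALLOW).has(init.method);
  return {
    status: ok ? 200 : 405,
    headers: new Map([["allow", ALLOW]]),
    seenMethod: init.method,
    override: init.headers["X-HTTP-Method-Override"] || null,
  };
}
```

Because the override makes a POST act as PUT inside the application, a method allow-list at the proxy or WAF no longer constrains what the endpoint does; the nonce and permission checks in the endpoint itself have to carry that.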

@rwngallego rwngallego added the enhancement New feature or request label Mar 15, 2021
@kanaldro
Author

Hello, thanks for the feedback.
You could just put a checkbox in the WP admin page, so the user can toggle PUT/POST, with a descriptive text, so the user knows that if they use nginx, Cloudflare or something else, it might be a good idea to click it if it doesn't work with your default setting.

@rwngallego
Collaborator

Thank you @kanaldro, we will basically opt for compatibility and will switch completely to POST/GET methods. We have seen lots of issues in our user base and we don't want to make it difficult for them to make it work in the first run. Thank you for reporting this!

@rwngallego
Collaborator

This has been solved and will be part of the next release v1.0.7

@rwngallego
Collaborator

This has been released. If you find any other issue, please let us know. Thank you @kanaldro
