WordPress REST API cannot_create JavaScript

Hello.
I am currently trying to create a WordPress article from one WP site to another. For that I use OAuth 1.0 and the Disable Rest API plugin (both are used for authentication). I use JavaScript to link and I also use Postman to do my tests.

A POST request with Postman passes without problems, but from my site that sends the information only the GET requests pass; otherwise, the site that receives the information denies me access this way:

{
  "code": "rest_cannot_create",
  "message": "Sorry, you are not allowed to create new posts.",
  "data": {
    "status": 401
  }
}

I do not understand why I can execute a GET request to read the content but cannot create content with POST.

Could you help me? I also give you the JavaScript code that I already did. I use Create-React-App. Thanks very much.

import oauthSignature from 'oauth-signature';

/**
 * PARAMS
 */

function genNonce() {
    const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    const result = [];
    window.crypto.getRandomValues(new Uint8Array(11)).forEach(c =>
        result.push(charset[c % charset.length]));
    return result.join('');
}

var oauth_consumer_key = "FXdnpsRLUIkb";
var oauth_token = "ajJxPGcMvB3NVBwQW7d2i1nN";
var oauth_signature_method = "HMAC-SHA1";
var oauth_timestamp = Math.floor(new Date().getTime()/1000);
var oauth_nonce = genNonce();
var oauth_version = "1.0";

/**
 * SIGNATURE
 */

var httpMethod = 'GET',
    url = 'https://mylink.pw/wp-json/',
    parameters = {
        oauth_consumer_key : 'FXdnpsRLUIkb',
        oauth_token : 'ajJxPGcMvB3NVBwQW7d2i1nN',
        oauth_nonce : oauth_nonce,
        oauth_timestamp : oauth_timestamp,
        oauth_signature_method : 'HMAC-SHA1',
        oauth_version : '1.0',
    },
    consumerSecret = 'q2bxo5hu6rYtcdWrv1hRDyY3dQA3Itsbn6foAtz1mOFgYM7b',
    tokenSecret = 'bcZ8kgL7EDekJm1ogUctm89My7w3K1bZxIYqCZAdoEwHbIfE',
    signature = oauthSignature.generate(httpMethod, url, parameters, consumerSecret, tokenSecret,
        { encodeSignature: false});

var oauth_signature = signature;

var connect_params = "&oauth_consumer_key=" + oauth_consumer_key + "&oauth_token=" + oauth_token + "&oauth_signature_method=" + oauth_signature_method + "&oauth_timestamp=" + oauth_timestamp + "&oauth_nonce=" + oauth_nonce + "&oauth_version=" + oauth_version + "&oauth_signature=" + oauth_signature + "&context=edit";

/**
 * SEND
 */
var data = "title=TITLE&content=CONTENT&excerpt=EXCERPT&status=publish" + connect_params;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
    if (this.readyState === 4) {
        console.log(this.responseText);
    }
});

xhr.open("POST", "https://mylink.pw/wp-json/wp/v2/posts/");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send(data);

Hi @skipperquark,

Thanks for being part of the GitHub Community Forum! We’re glad you’re here.

I wanted to jump in here, and mention that if you don’t get the help you’re looking for from this particular community, you might want to try getting help somewhere that focuses on WordPress. It’s definitely possible another GitHub user might have run into this same issue and can help, but the GitHub Community Forum focuses primarily on topics related to GitHub, Git, and development projects hosted on GitHub. We want to make sure you’re getting the best support you can, but this forum may not be the right place for this particular topic.

Best of luck!

Hi @skipperquark,

I don’t have a complete answer for you, but as a 401 error response is a “permission denied” error, I would say that your app isn’t authenticating correctly via the API. This could mean that it is sending the wrong headers or that it is connecting as a user account that doesn’t have permissions to create posts (or create posts via the API).

The reason that your GET requests go through fine is probably because GET requires fewer permissions since it doesn’t modify the data.

Hope that helps!
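
Added example, not part of the thread or any poster's code: an OAuth 1.0 signature (RFC 5849) covers the HTTP method, the request URL and every parameter, including a form-encoded body, so a signature computed for `GET` on the API root (as in the question's code) differs from the one a verifier recomputes for the `POST` to the posts endpoint. The host `example.test`, the credential strings and all function names are constructed for illustration; it assumes Node.js and its built-in `crypto` module.

```javascript
// Added example, not the poster's code. RFC 5849 section 3.4 signing with Node's crypto.
const { createHmac } = require('crypto');

// Percent-encode per RFC 5849 section 3.6 (stricter than encodeURIComponent).
function pct(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Base string = METHOD & encoded base URL & encoded, sorted parameter list.
function signatureBaseString(method, url, params) {
  const normalized = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0)) // keys are unique in an object
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), pct(url), pct(normalized)].join('&');
}

// HMAC-SHA1 keyed with "consumerSecret&tokenSecret", base64 output.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${pct(consumerSecret)}&${pct(tokenSecret)}`;
  return createHmac('sha1', key)
    .update(signatureBaseString(method, url, params))
    .digest('base64');
}

// Constructed placeholder values, not real credentials.
const oauth = {
  oauth_consumer_key: 'CONSUMER_KEY', oauth_token: 'TOKEN',
  oauth_nonce: 'abc123nonce', oauth_timestamp: '1700000000',
  oauth_signature_method: 'HMAC-SHA1', oauth_version: '1.0',
};
const form = { title: 'TITLE', content: 'CONTENT', excerpt: 'EXCERPT', status: 'publish', context: 'edit' };
const secrets = ['CONSUMER_SECRET', 'TOKEN_SECRET'];
const root = 'https://example.test/wp-json/';
const posts = root + 'wp/v2/posts/';

// Signature as computed in the question: GET, API root, OAuth parameters only.
const clientSignature = () => sign('GET', root, oauth, ...secrets);
// Signature a verifier recomputes for the request sent: POST, posts URL, OAuth + form body.
const verifierSignature = () => sign('POST', posts, { ...oauth, ...form }, ...secrets);

console.log('client  :', clientSignature());
console.log('verifier:', verifierSignature());
console.log('match   :', clientSignature() === verifierSignature());
```
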