Micropub, htaccess, and Reclaim Hosting

@timmmmyboy thanks for your help in trying to figure out the difficulties we are having.

I have talked to fiver other folks with ReCLAIM who use the indieweb micropub plug-in with WordPress so we can publish with third party clients.

All of the sudden we can no longer have our endpoints get passed the header authorization. The plugin maintainer suggested maybe you need to whitelist our headers but I do not know what that means.

Any help you can offer to figure out why we lost functionality would be great.

Unfortunately I don’t know what that means either so I would need more specifics. Also are you saying you used to be able to do this and no longer can? When did that change for you? I thought we tested and ruled out the header issue by adding the recommended htaccess line.

Yes I was able to pass the header authorization scripts folks wrote to try and diagnose the problem. I think I have my console still open I can probably look at my Curl tests to find the date.

Yes it all just stopped working for everyone I know on ReClaim who uses the micropub plug-in.

And if you keep answering support tickets this late I will make sure to only file them during business hours.

Somewhere between May 16th-17th is my best estimate. But I will ask others.

What Micropub client do you use? Or have you tried different ones? I can’t think of a single thing that would have changed for all servers that recently (we’re way less strategic than that about updates and changes at the server level). If it was a specific site that can’t communicate with Reclaim sites it could be a firewall issue which we do have a global firewall that could make some sense.

I have tried them all. Quill, Indigenous (Android), and OmniBear (though that has unrelated token issue)

They are super cool way to publish to WordPress.

Darn I was hoping you made some global change for GDPR so Jim could still tickle his fancy in Italy.

Micropub is still working on my Known instances. I was trying to compare the two htaccess files and cut and paste my way to glory but it did not work.

WordPress 4.9.6 was released on May 17th. That’s the only global thing I can think. Perhaps the plugin isn’t compatible for some reason? Or are you still on 4.9.5?

We are on 4.9.6 and the speculation was the update did it but the strange thing is only folks in the community affected are those who are on ReClaim Hosting and use htaccess.

Can I revert to 4.9.5 and test?

actually found one my 14,212 blogs with 4.9.5 still on it. Let me try that,

Not to throw you for a complete loop but I did a fresh install of WordPress 4.9.6 on Reclaim in my own account, https://micropub.timowens.io. I installed the plugin, setup the social profile so I could login. Made sure I was completely logged out of WordPress. Authenticated with Quill, and posted this from there https://micropub.timowens.io/uncategorized/test-content/. No other modifications were made at the server level or to the install (I didn’t even touch .htaccess).

Wow thank you this is great help.

So @timmyboy I did the same:

https://indieweb.jgregorymcverry.com/blog and I still get:

(had to use image, I can’ t post more than four links)

I tried only using the micropub plug-in alone, all the indieweb plug-ins activated, both local endpoint and both indieauth endpoints, both local endpoints and indie indiauthendpint with all and none of the plug-ins.

I did not change the .htaccess file. What would be different about your set up than mine?

Here is what I did (and I did it in your account as well to ensure this isn’t a server issue):

  1. Fresh install of WordPress (this one is at https://indieweb.jgregorymcverry.com).
  2. Install Micropub plugin
  3. Go to Quill
  4. It detects all the endpoints and needs to authenticate
  5. I setup a static homepage with a link to my Github profile with rel=“me” so that I can use IndieAuth
  6. Update my Github profile and I authorize Quill to the domain
  7. Post an update and it goes through: https://indieweb.jgregorymcverry.com/uncategorized/7/

I don’t know how that differs from what you’re doing. I haven’t used any other plugins, themes, or any other methods. But clearly it’s not an issue of anything server-side so at this point I’ll defer to people who have a better understanding of the “IndieWeb”.

You are awesome. I was going through and determining what has happened. this will be hugely helpful.

Hey everyone with @timmyboy’s help I have figured out the problem. The indieauth plug-in is currently breaking micropub. If you turn it off it will work.

Hey all, Has anyone found a solution to this issue? I have the IndieAuth plugin installed and can’t seem to use my site to log in to Indigenous. I have tried all kinds of things to get this to work and then got some advice that there might be a problem with Apache that needs to be dealt with via Reclaim. Here’s some additional information:

My plug-ins page gives me this message:
In order to ensure IndieAuth tokens will work please perform this check: [Check Script]

When I run the script, I get the following:

Authorization has Failed

The authorization header was not returned on this test, which means that your server may be stripping the Authorization header. If you are on Apache, try adding this line to your .htaccess file:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1'
If that doesnt work, try this:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
If that does not work either, you may need to ask your hosting provider to whitelist the Authorization header for your account. If they refuse, you can pass it through Apache with an alternate name. The plugin searches for the header in REDIRECT_HTTP_AUTHORIZATION, as some FastCGI implementations store the header in this location.

I have tried adding the suggested lines to the .htaccess file. I see that Greg mentioned “whitelist” in the exchange from a year ago. Anyway, can anyone help?

Around the same time this thread was started @jgmac1106 also opened a support ticket and we tried several things and found that this was the fix, added to .htaccess:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

It was, however, a different use case in that he was using Micropub to publish to WordPress externally. It sounds like you already tried this though I’ll note there is no single quote at the end of the line. Regardless I don’t believe this is a hosting issue so you’ll need to consult with the developers or other community members about best practices given it’s specific to a particular use case with software rather than something concrete with our environment. I mentioned previously in this thread there’s no such thing in our environment as “whitelisting a header” so I think the developer’s documentation doesn’t apply to our environment.

@timmyboy fix did the truck for me and I can use micropub clients to publish to WordPress