Replied to Add nag notice and new script for checking headers by dshanske · Pull Request #136 · indieweb/wordpress-indieauth by David Shanske (GitHub)
This adds in a script that will nag you to run it until you do. Hopefully this will help educate people on the dangers of not passing Auth headers.
Manually testing this on my site generally seems okay, but I think it contains a logic error because it is returning what must be a false positive.

I see the message in the admin UI and can click on the test which returns the message “Alternate Header Found. You are good to go.” However, when attempting to actually log into Monocle, I get the same 403 error saying that it couldn’t find the bearer token, and it won’t let me log in. So obviously I’m not “good to go.”

From a UI perspective, something like “Your headers are properly configured and accessible.” may be better than the “You are good to go,” which may be a more difficult construction for non-English speakers. Additionally, wrapping that message in an anchor that will redirect to their admin UI might be nice.

Published by

Chris Aldrich

3 thoughts on “”

  1. The alternative header is REDIRECT_HTTP_AUTHORIZATION used by some servers. I didn’t in my code ensure that the bearer token is being returned and should… just that the header existed. May ask for another check after some changes.

  2. @chrisaldrich Can you check with the new code? It now checks not only for the existence of the header but that it contains the test payload.

  3. GWG, I’ve removed the prior version and reinstalled d5b91a0. I don’t get the same original notification (I’m suspecting because the original stored a value in my db that unflags the nag). However, when rerunning the diagnostic script at /wp-admin/admin.php?page=indieauth I get the same positive response that “Alternate Header Found. You should be able to use all clients.” Sadly, I’m still getting the same old 403 when attempting to log into Monocle.
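
The difference between the two checks described in comments 1 and 2 (header exists versus header carries the test payload), as an added example that is not the plugin's own code. The function names and the sample token are hypothetical, and the inputs are constructed `$_SERVER`-style arrays.

```php
<?php
// Added illustration; function names and the sample token are hypothetical,
// not taken from the IndieAuth plugin.

/**
 * Return the bearer token found in a $_SERVER-style array, or null.
 * Checks HTTP_AUTHORIZATION, then the alternate REDIRECT_HTTP_AUTHORIZATION.
 */
function find_bearer_token(array $server): ?array
{
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!isset($server[$key]) || !is_string($server[$key])) {
            continue;
        }
        // Expect "Bearer <token>"; the scheme name is case-insensitive.
        if (preg_match('/^Bearer\s+(\S+)$/i', trim($server[$key]), $m)) {
            return ['header' => $key, 'token' => $m[1]];
        }
    }
    return null;
}

/** Existence-only check: passes as soon as either key is set. */
function header_exists(array $server): bool
{
    return isset($server['HTTP_AUTHORIZATION'])
        || isset($server['REDIRECT_HTTP_AUTHORIZATION']);
}

/** Payload check: passes only if the expected test token arrived intact. */
function header_carries_payload(array $server, string $expected): bool
{
    $found = find_bearer_token($server);
    return $found !== null && hash_equals($expected, $found['token']);
}

// Constructed sample inputs.
$expected = 'test-payload-123';
$cases = [
    'standard header'     => ['HTTP_AUTHORIZATION' => 'Bearer test-payload-123'],
    'alternate header'    => ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer test-payload-123'],
    'present but emptied' => ['REDIRECT_HTTP_AUTHORIZATION' => ''],
    'header stripped'     => [],
];
foreach ($cases as $label => $server) {
    printf("%-20s exists=%s payload=%s\n", $label,
        var_export(header_exists($server), true),
        var_export(header_carries_payload($server, $expected), true));
}
```

The "present but emptied" case is the one where an existence-only check reports success while no token reaches the application.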
