Fetching drafts forbidden in Wordpress rest api

Question

I am using the wpapi npm module to interface with the WP rest api in a node app. I am authenticated and my user created some draft posts. When I go to the dashboard with the same credentials, I can see/edit the draft posts as well.

I am using this method to list the drafts:

wp.posts().auth().param( 'context', 'edit' ).param( 'status', 'draft' )

But I keep getting this error:

{ code: 'rest_invalid_param',
  message: 'Invalid parameter(s): status',
  data: { status: 400, params: { status: 'Status is forbidden.' } } }

Here's where I've commented on the issue and some helpful context.

The curl response to http://localhost:8000/wp-json/wp/v2/posts?status=draft is the same error message so I don't believe the issue is with the node module.

Answer 1

I'm the author of the wpapi module, this issue ended up on our issues list https://github.com/WP-API/node-wpapi/issues/325 and represented a bug that we've fixed in the latest release.

Authentication is required when querying for drafts, and not providing authentication can result in this 400 error; however, as noted in the linked issue above, authentication was working for one-off requests. Why the 400? What was happening was that inside wpapi requests we did not properly forward authentication credentials when paging through a collection, so the request to the first page of results would return a 200, then the second page would return a 400 because the second request lacked authentication. We've resolved this bug by always passing on the authentication credentials when paging through collections, and hopefully this doesn't trip anyone else up.

General troubleshooting if you do encounter a 400:

• Are you sure you're authenticated? (try hitting /users/me)
• Does your user have the capabilities required to view draft posts?

And we welcome issues if you do find bugs like this!