REST API - Head Tags Plugin Breaking with Password Protected


I installed the new REST API - Head Tags plugin and I want to start off by saying kudos to the team!

The plugin works great and I am running it now at: (my personal Frontity built blog). I ran into a problem though with another plugin I use named Password Protected. I use Password Protected for SEO reasons. I have found that they do not work together, and to get them to work, I had to disable caching in the REST API - Head Tags plugin.

I also found this error in my terminal when running npx frontity dev

{ FetchError: invalid json response body at reason: Unexpected token < in JSON at position 0
at eval (webpack-internal:///./node_modules/node-fetch/lib/index.mjs:276:32)
at processTicksAndRejections (internal/process/next_tick.js:81:5)
   'invalid json response body at reason: Unexpected token < in JSON at position 0',
  type: 'invalid-json' }

Just wanted to let the team know and perhaps there might be a fix.

I’ll be looking into the issue further myself if/when I get the chance.


Hi @ShaGui and thank you for your positive feedback :raised_hands:

I don’t know that plugin, but a first sight it looks like it’s redirecting the REST API calls to a HTML form and asking for a password. As the fetch function is expecting to receive JSON code, it fails and Frontity returns that error.

Maybe there is an option in that plugin to ignore the REST API urls, I guess?

I’ve been taking a quick look and it doesn’t look like the plugin has native support to ignore certain URLs. There’s someone who has hacked it to add this support:

The plugin has the option to Allow REST API Access as can be seen in the image below:

I have the plugin enable as of right now, and it is working with this setting off:

With Password Protected enabled, I do have access to the REST API, and as soon as I enable the Heads Tags plugin, the calls to the REST API break. It seems like there is some minor change made to the REST API JSON file by both plugins which leads to it breaking the calls. I’ll try and see what they change is.

Further details.

I have found that when I enable the REST API - HEAD Tags plugin in the settings, it is redirecting me to Password Protected’s request for a password. This does not occur when I disable the REST API - Head Tags plugin in the settings. I believe this is what @David and @Pablo was talking about. That being said, it should not be an issue, as Password Protected is supposed to access to the REST API and works with no issues until REST API - HEAD Tags is turned on in the settings.

I am beginning to think that when I enable the REST API - HEAD Tags plugin, it is perhaps changing the original REST API JSON file URL.

I’ll explore further.

Oh, I think I know what happens.

In order to get the tags inside the head element for a particular post /page / etc. , the plugin is changing the WordPress main query and “rendering” the HTML content of the head. After that, the HTML is converted to a JSON and the WordPress main query is restored.

I am almost sure that Password Protected is blocking the REST API just when the main query is changed.

We’ll investigate to see how we can solve it. Thanks for reporting, @ShaGui!

1 Like

Password protected has a hook to overwrite its behavior. Maybe we can use it deactivate it if it’s a REST API request. Could you please try this?

apply_filters( 'password_protected_show_login', function() {
  return !defined('REST_REQUEST');
}, 10);

I haven’t tested the code so please run it first in your development environment!

@luisherranz I tried the code and it made no difference unfortunately. I believe that @David may have the solution, but I can’t be sure as I’ve tried going over the code in Password Protected and the REST API plugins and it is a little over my head at this moment :sweat_smile: Hopefully there is a solution though :grin: