My "Additional Route" Breaks my /wp-admin/* Pages. WP REST API Issues


Hopefully, someone can help guide me in the right direction or give me some insight into this issue.

We have a WordPress site and we are using the Official AMP Plugin Reader Theme since our theme is not AMP compatible. We found out that the AMP Project has released a worker - to optimize AMP pages. The steps will be listed below of what we have done.

RECENT UPDATE: I found out how to set the worker’s route to none to bypass the /wp-admin/ , /wp-json/ , /wp-login.php*, and /wp-register/ pages. There is no longer a {"code":"rest_cookie_invalid_nonce","message":"Cookie nonce is invalid","data":{"status":403}} error. There are other issues though:

  • The worker will no longer kick anyone who is logged in out.
  • You can also log in but no one would know they’re logged in because the frontend looks as if you’re still logged out, i.e. you still see login and register with no profile links. This also pertains to admins. In order to get to the admin pages, you need to fill in wp-admin in the URL.
  • The admin bar is completely disabled when browsing the site via the frontend.

Now, I just need to figure out how to stop the worker from being an expletive and just worry about and optimize my AMP pages. Unfortunately, there is no way to set a Query Parameter so I’ll try and figure out what else I can do for the worker to bypass certain things. If anyone has any insight into this I would greatly appreciate it!

UPDATE: I created a subdomain and added the DNS records to Cloudflare. Then I activated the worker and routed it to my subdomain. I have had none of the following issues in terms of logging in or being logged out. There was no {"code":"rest_cookie_invalid_nonce","message":"Cookie nonce is invalid","data":{"status":403}} error or Invalid nonce! error and I could access my /wp-admin/* pages just fine.

If that’s the case, what in the world could cause that {"code":"rest_cookie_invalid_nonce","message":"Cookie nonce is invalid","data":{"status":403}} error I mentioned with my domain?

We followed all of the instructions listed in the above repo. I used their command, npx @cloudflare/wrangler generate my-worker to create the worker using that repo as a reference. I enabled the KV Cache via the config.json file and created the environments and KV bindings as instructed with the command wrangler kv:namespace create "KV" --env=prod and wrangler kv:namespace create "KV" --env=prod --preview. This same process was done with the beta and dev environments. After the wrangler.toml and config.json files were configured per that repo’s instructions, I used the command npm run prod # calls wrangler publish --env=prod. You can see my example repo here -

The weird thing is, that wrangler publish command I listed above, npm run prod # calls wrangler publish --env=prod, to publish my project doesn’t seem to publish the prod environment at all as I cannot see any added Environment Variables or KV Namespace Bindings via Settings of the worker.

On top of that:

  1. There are thousands of “Client Disconnected” and “Script Threw Exception” errors with very few Success requests.
  2. Also, I see a KV is not defined error in the console.
  3. The route I added gets added to the worker’s “Additional routes” -* - as expected. However, this prevents me from being able to access any of my /wp-admin/* pages; therefore, neither admins nor anyone else can log in to our site and everyone gets logged out. It simply redirects everyone back to the login page.
  4. If I use my host or WPMUDEV to log into our admin account to WordPress, I receive this error: {"code":"rest_cookie_invalid_nonce","message":"Cookie nonce is invalid","data":{"status":403}}. I looked that up and it seems to be a cache issue or a conflict with the WP REST API.

I also published the worker, then added the Environment Variables and KV Namespace Bindings manually, and the errors are gone, but the {"code":"rest_cookie_invalid_nonce","message":"Cookie nonce is invalid","data":{"status":403}} error is still there.

When I use the command wrangler publish --env=prod instead of npm run prod # calls wrangler publish --env=prod, however, it tells me, of course, I need a route to publish that environment, so I add the route, which is the same as in method 1, and it publishes that environment along with the “Environment Variables” and “KV Namespace Bindings”:

I can now see the “Environment Variables” and “KV Namespace Bindings” in the “Settings” of the worker without having to add them manually. However, my “Additional route” that is added to the worker still prevents all users from logging in and logs out all users. When this project is published, there are no KV is not defined errors or “Client Disconnected” and “Script Threw Exception” errors. It’s all successful requests. I cannot keep the additional route enabled and the route is null so that is kept deactivated.

Other things I have done:

  1. I have deactivated all of my plugins
  2. Cleared my cache and cookies
  3. Prevented WP Rocket and Cloudflare from caching /wp-json/, /login, /wp-admin/*, and /register.
  4. Set the Browser Cache TTL and Edge Cache TTL to 4 hours
  5. Changed to the default theme
  6. Removed my .htaccess file
  7. I have deactivated all of my plugins, removed my .htaccess file, and put Cloudflare in Development Mode at the same time
  8. Finally, I disabled REST API and restricted it to authenticated users.

Nothing has worked, unfortunately. I cannot seem to find an answer for what is causing this issue and I would love some help as to why this is!

My Questions:

  1. How do I fix that {"code":"rest_cookie_invalid_nonce","message":"Cookie nonce is invalid","data":{"status":403}} error?
  2. Is that error on my end or the worker’s end?
  3. Is there a way to restrict the worker from messing around with the WP REST API or why is it affecting that and how do I stop it so we can finally use the Cloudflare AMP Optimizer worker?

Thanks and regards
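
One way to keep a worker that is routed to a whole domain away from WordPress admin, REST and logged-in traffic, given here as an added example that is not part of the original post and not the AMP optimizer's own code. The names `BYPASS_PREFIXES`, `SESSION_COOKIE_PREFIXES`, `shouldBypass` and `handle` are hypothetical; the path list comes from the post, and the cookie prefixes and `X-WP-Nonce` header are the ones WordPress uses for authenticated sessions.

```javascript
// Paths the post lists as needing to bypass the worker.
const BYPASS_PREFIXES = ['/wp-admin/', '/wp-json/', '/wp-login.php', '/wp-register/'];
// Cookie name prefixes WordPress sets for an authenticated session.
const SESSION_COOKIE_PREFIXES = ['wordpress_logged_in_', 'wordpress_sec_'];

// Extract cookie names only; values are never inspected or logged.
function cookieNames(cookieHeader) {
  return (cookieHeader || '')
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
}

// Returns a reason string when the request must reach the origin untouched,
// or null when it is an anonymous page view that is safe to optimize.
// `headers` needs a get(name) method (a Workers Headers object or a Map
// with lowercase keys).
function shouldBypass(url, method, headers) {
  const { pathname, searchParams } = new URL(url);
  // Only idempotent reads are candidates for optimization or caching.
  if (method !== 'GET' && method !== 'HEAD') return 'method';
  const onBypassPath = BYPASS_PREFIXES.some(
    (p) => pathname === p.replace(/\/$/, '') || pathname.startsWith(p)
  );
  // ?rest_route= is the REST entry point when pretty permalinks are off.
  if (onBypassPath || searchParams.has('rest_route')) return 'path';
  // A REST nonce is bound to the user's session; such a response must not
  // be rewritten or served from a shared cache.
  if (headers.get('x-wp-nonce')) return 'nonce';
  const names = cookieNames(headers.get('cookie'));
  const loggedIn = names.some((n) =>
    SESSION_COOKIE_PREFIXES.some((p) => n.startsWith(p))
  );
  return loggedIn ? 'session' : null;
}

// `passthrough` and `optimize` are supplied by the caller; in a Worker,
// passthrough would be (req) => fetch(req).
function handle(request, optimize, passthrough) {
  const reason = shouldBypass(request.url, request.method, request.headers);
  return reason ? passthrough(request) : optimize(request);
}
```

Bypassing on the session cookie as well as on the path keeps pages rendered for a logged-in user (admin bar, profile links, embedded nonces) out of any cache shared with anonymous visitors.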