Tmeister / wp-api-jwt-auth

A simple plugin to add JSON Web Token (JWT) Authentication to WP REST API
GNU General Public License v2.0
558 stars, 161 forks

The plugin should support HTTP-Only cookie (proposed label: enhancement) #106

Closed. caraffa closed this 1 year ago

caraffa commented 6 years ago

The use of a header for exchanging the token is fine for most cases, but support for HTTP-Only cookies would be a plus for those seeking higher safety against XSS. In your class-jwt-auth-public.php, inside the validate_token() function you could write something like:

$auth = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : false;

/* Double check for different auth header string (server dependent) */
if ( ! $auth) {
    $auth = isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : false;
}

/* Fall back to the HTTP-Only cookie; guard the constant so an undefined JWT_COOKIE_NAME cannot raise an error */
if ( ! $auth && defined('JWT_COOKIE_NAME')) {
    $auth = isset($_COOKIE[JWT_COOKIE_NAME]) ? $_COOKIE[JWT_COOKIE_NAME] : false;
}

where JWT_COOKIE_NAME can be a constant, defined, for example, in wp-config.php.

xenogenesi commented 5 years ago

I'm interested too in having the JWT stored in an HTTP-only cookie, but besides setting the cookie in /token and checking it for each endpoint, shouldn't there be some protection from CSRF attacks?
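An added example that is not the plugin's code nor either commenter's, combining the two comments above: the cookie is issued with HttpOnly, Secure and SameSite flags, the header-then-cookie fallback from the first comment is kept, and a cookie-sourced token is only accepted when the request's Origin (or Referer) host matches the site, which is one answer to the CSRF question in the second comment. It assumes PHP 7.3+ (for the `setcookie` options array), a JWT_COOKIE_NAME constant defined in wp-config.php, and that it runs inside WordPress (`home_url`, `wp_parse_url`); the names below are hypothetical.

```php
<?php
/** Issue the token as an HttpOnly, Secure, SameSite=Strict cookie (call from the /token handler). */
function jwt_cookie_set_token( $token, $expires_at ) {
    if ( ! defined( 'JWT_COOKIE_NAME' ) ) {
        return false; // constant must be defined in wp-config.php (assumption of this example)
    }
    return setcookie( JWT_COOKIE_NAME, $token, [
        'expires'  => (int) $expires_at,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript, which is the XSS argument above
        'samesite' => 'Strict', // browser does not attach it to cross-site requests
    ] );
}

/**
 * A cookie is attached by the browser automatically, so unlike an Authorization header
 * it proves nothing about who built the request. Before trusting a cookie-sourced token,
 * require the Origin (or, failing that, Referer) host to match this site's host.
 */
function jwt_cookie_request_is_same_site() {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ( '' === $origin ) {
        return false; // no header at all: reject rather than guess
    }
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $req_host  = wp_parse_url( $origin, PHP_URL_HOST ); // "Origin: null" yields no host and fails
    return null !== $site_host && $site_host === $req_host;
}

/**
 * Return the raw token string, or false. Header first (as the plugin does today),
 * then the HttpOnly cookie; the cookie path additionally passes the same-site check.
 */
function jwt_cookie_read_token() {
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if ( preg_match( '/^Bearer\s+(\S+)$/i', trim( $auth ), $m ) ) {
        return $m[1];
    }
    if ( defined( 'JWT_COOKIE_NAME' ) && ! empty( $_COOKIE[ JWT_COOKIE_NAME ] ) ) {
        return jwt_cookie_request_is_same_site() ? $_COOKIE[ JWT_COOKIE_NAME ] : false;
    }
    return false;
}
```

The returned string still has to go through the plugin's normal signature and expiry validation; the same-site check only decides whether a cookie is eligible to be used as a credential at all.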