Tmeister / wp-api-jwt-auth

A simple plugin to add JSON Web Token (JWT) Authentication to WP REST API
GNU General Public License v2.0

Custom endpoint is unprotected? #132

Closed flolege closed 5 years ago

flolege commented 5 years ago

I installed the Plugin and it basically works: I make a POST request to [mypage]/wp-json/jwt-auth/v1/token and I get back the correct JSON containing the token. So the plugin seems to be installed correctly.

Then I tried another endpoint: [mypage]/?rest_route=/wp/v2/users/register and expected the request (without authorization header) to be rejected by the JWT Plugin since the documentation mentions:

“The wp-api-jwt-auth will intercept every call to the server and will look for the authorization header, if the authorization header is present, it will try to decode the token and will set the user according with the data stored in it.”

But to my surprise, the request worked. This is how the endpoint is set up on the server:

  register_rest_route('wp/v2', 'users/register', array(
    'methods' => 'POST',
    'callback' => 'wc_rest_user_reg_ep_handler',
  ));

I thought all endpoints are protected by the JWT Plugin?

I read about the permission_callback, but I think this is just a method to check user permissions, which I thought I did not need, because my understanding is that the plugin rejects all invalid requests without a token anyway. So in my endpoint I should be sure that the user has a valid token; that's enough for me.

Where am I wrong?

flolege commented 5 years ago

I think I lack general understanding of the concepts here. Can someone confirm my guess: If I want to protect my custom endpoints via JWT authentication, I should add a permission_callback which just does the "is_user_logged_in" check. If the request was made with a JWT authentication token, then this call will return TRUE, otherwise false. In other words, is_user_logged_in validates the token via the JWT plugin. Is that assumption correct?

flolege commented 5 years ago

Follow up: Just tried it, it did not work. is_user_logged_in permission_callback always returns false, even when I send the request with a valid token in the auth header.

Still in need of any further hints, please.

mvpguy commented 5 years ago

I think the plugin only protects endpoints that start with the namespace - 'jwt-auth/v1'. So you would have to make any custom endpoints use that namespace - 'jwt-auth/v1/user/register'

flolege commented 5 years ago

Yes, I solved it. The documentation is in my opinion misleading. Only /jwt-auth/v1 endpoints are protected and work as expected. The user gets logged in automatically and can be checked via is_user_logged_in().

But one could just create one's custom endpoints in the /jwt-auth/v1 namespace, e.g.:

  add_action('rest_api_init', function () {
    // Namespace without a leading slash: register_rest_route() expects 'jwt-auth/v1'.
    register_rest_route('jwt-auth/v1', 'profile', array(
      'methods' => 'POST',
      'callback' => 'wc_rest_get_profile_handler',
      // The JWT plugin has already set the current user from the token,
      // so is_user_logged_in() is true only for requests carrying a valid token.
      'permission_callback' => function ($request) {
        return is_user_logged_in();
      },
    ));
  });
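The pattern the thread arrives at, written out as a complete added example (not code from the issue or from the wp-api-jwt-auth plugin): the original open wp/v2 route beside a protected route in the jwt-auth/v1 namespace whose permission_callback relies on the user the plugin set from the token. The function names `example_rest_require_jwt_user` and `example_rest_get_profile_handler`, the route name `profile`, and the returned profile fields are assumptions for illustration.

```php
<?php
// Added example, not from the issue thread or the plugin. It follows the thread's
// conclusion that routes under jwt-auth/v1 are the ones the JWT plugin authenticates.
// Handler names and the 'profile' route are assumptions for illustration.

add_action( 'rest_api_init', function () {
    // Open endpoint: what the original wp/v2 users/register route effectively was.
    // Without a permission_callback WordPress treats the route as public (and, since
    // WordPress 5.5, logs a _doing_it_wrong notice); any client can call it.
    register_rest_route( 'wp/v2', 'users/register', array(
        'methods'             => 'POST',
        'callback'            => 'wc_rest_user_reg_ep_handler',
        'permission_callback' => '__return_true', // explicit: deliberately public
    ) );

    // Protected endpoint in the plugin's namespace: the JWT plugin sets the current
    // user from the Bearer token before the permission_callback runs, so
    // is_user_logged_in() reflects whether a valid token was supplied.
    register_rest_route( 'jwt-auth/v1', 'profile', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_get_profile_handler',
        'permission_callback' => 'example_rest_require_jwt_user',
    ) );
} );

// Assumed helper: deny unless the request was authenticated as a WordPress user.
function example_rest_require_jwt_user( WP_REST_Request $request ) {
    if ( is_user_logged_in() ) {
        return true;
    }
    // Returning WP_Error (rather than false) tells the client why it was rejected
    // and yields a proper 401 instead of a generic 403.
    return new WP_Error(
        'rest_not_logged_in',
        'A valid JWT in the Authorization header is required.',
        array( 'status' => 401 )
    );
}

// Assumed handler: return a minimal profile for the authenticated user.
function example_rest_get_profile_handler( WP_REST_Request $request ) {
    $user = wp_get_current_user();
    // Return only the fields the client needs; never echo the token or credentials.
    return rest_ensure_response( array(
        'id'           => $user->ID,
        'display_name' => $user->display_name,
        'roles'        => array_values( $user->roles ),
    ) );
}
```

A client first POSTs its credentials to /wp-json/jwt-auth/v1/token and then sends `Authorization: Bearer <token>` on the POST to /wp-json/jwt-auth/v1/profile. When testing, exercise the endpoint through both the pretty /wp-json/ URL and the `?rest_route=` query form used in the original report: the permission_callback only sees a logged-in user if the plugin's authentication filter actually ran for that request, and a route that reads as protected in code but is reachable anonymously is exactly the failure the issue describes.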