Closed marioshtika closed 1 year ago
There is a bug in the system.
Yeah, unfortunately, it looks like this isn't being addressed. Currently, in the code, if there's no auth header passed, then the route is allowed. It's a pretty glaring security bug to allow the client to determine whether it wants to authenticate or not. I adapted the solution from #169 a bit to allow some routes that are protected and others that aren't:
```php
// Replace lines 202 to 210 in plugins/jwt-authentication-for-wp-rest-api/public/class-jwt-auth-public.php with
// Treat any request whose URI contains "protected" as requiring a valid token.
$is_protected = strpos($_SERVER['REQUEST_URI'], 'protected');
if (is_wp_error($token) && $is_protected !== false) {
    // Token missing or invalid on a protected route: keep the error and bail out.
    $this->jwt_error = $token;
    return $user;
}
```
Then inside your rest routes you can define a "protected" route that will require an auth header, otherwise all of your other routes would be public and not require an auth validation.
```php
register_rest_route(
    'protected', '/test',
    array(
        'methods'  => 'GET',
        'callback' => 'test',
    )
);
```
It's not the greatest, and you might have to tweak it a bit to get what you need, if you have different auth requirements (protecting existing plugin routes). Good luck.
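As an added example (not code from the plugin or from the commenter above), one way to get the fail-closed behaviour the comment describes without patching the plugin's own file is a `permission_callback` on each route that must be protected: WordPress runs it before the route callback, and a returned `WP_Error` becomes a 401/403 response, so a request with no `Authorization` header is rejected instead of silently allowed. It assumes a WordPress install with the REST API; the namespace `protected/v1`, the route `/test`, the `example_*` function names and the error codes are hypothetical names chosen for this example, and whether the token inside the header is valid is still decided by whatever plugin resolves the current user.

```php
<?php
// Added example (not the plugin's own code): make a REST route fail closed when
// the Authorization header is missing, instead of letting the client decide.
// Assumes WordPress with the REST API; "protected/v1", "/test" and the
// example_* names are hypothetical.

/**
 * Return the raw Authorization header, or '' if none was sent.
 * Apache often exposes it only as REDIRECT_HTTP_AUTHORIZATION, so check both.
 */
function example_get_authorization_header() {
    if ( ! empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
        return trim( $_SERVER['HTTP_AUTHORIZATION'] );
    }
    if ( ! empty( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
        return trim( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
    }
    return '';
}

/**
 * Route-level gate. Returning WP_Error here short-circuits the request,
 * so a missing or malformed header is an error, never a pass-through.
 */
function example_require_bearer_token( WP_REST_Request $request ) {
    $header = example_get_authorization_header();

    if ( $header === '' ) {
        return new WP_Error(
            'example_no_auth_header',
            'Authorization header not found.',
            // 401 when nobody is authenticated, 403 otherwise.
            array( 'status' => rest_authorization_required_code() )
        );
    }

    if ( stripos( $header, 'Bearer ' ) !== 0 ) {
        return new WP_Error(
            'example_bad_auth_header',
            'Authorization header must use the Bearer scheme.',
            array( 'status' => 401 )
        );
    }

    // The header is present. Validation of the token itself happens when the
    // authentication plugin resolves the current user; if that did not yield
    // a logged-in user, deny (fail closed) rather than serve the response.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'example_invalid_token',
            'Token could not be validated.',
            array( 'status' => 403 )
        );
    }

    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'protected/v1', '/test', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( array(
                'ok'   => true,
                'user' => get_current_user_id(),
            ) );
        },
        // Required since WordPress 5.5; omitting it triggers a _doing_it_wrong notice.
        'permission_callback' => 'example_require_bearer_token',
    ) );
} );
```

Routes registered without a `permission_callback` keep whatever the authentication plugin decides for them, so the gate only changes the routes you attach it to; a request to `/wp-json/protected/v1/test` with no header now gets a 401 JSON error rather than the full response.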
This plugin does what I need, but I don't know how to make the Authentication header obligatory.
With `Authorization = Bearer {{token}}` on a request, that request is being validated successfully (or returns `Signature verification failed`), as it is supposed to. But when I make a request without the Authentication header it is still returning me all the response, and I want it to return me an error message that will inform me that the `Token is missing`.
Am I doing something wrong? Is there a configuration for that? Or is there some workaround to achieve that?
Thank you in advance.