pesseba
commented
3 years ago This feature already exists. If user update the password the token became invalid.
Open ExoGeek opened 4 years ago
pesseba
commented
3 years ago This feature already exists. If user update the password the token became invalid.
lstoyanoff
commented
3 years ago @pesseba Are you sure about that? I've tried resetting the password and the token remains valid. I've also checked the code and didn't found anything in the token validation function regarding the user password, only a check if an user ID is presented
https://github.com/Tmeister/wp-api-jwt-auth/blob/develop/public/class-jwt-auth-public.php#L287-L297
pesseba
commented
3 years ago Sorry @lstoyanoff I made a mistake. This feature is implemented in another plugin, that was based in this. Look here: https://github.com/usefulteam/jwt-auth
hayhurst
commented
3 years ago Doesn't seem like that plugin does this either? Done some testing locally and after resetting the user's password, the original token remains valid
pesseba
commented
3 years ago The reset action happens over the hooks 'profile_update' or 'after_password_reset'. If you changed the password manually, just call one of these actions, like this:
do_action('after_password_reset', { the user id you are changing }, 'the new password');
Make sure you are using the other plugin: https://github.com/usefulteam/jwt-auth
hayhurst
commented
3 years ago Right okay so - worked it out.
The version of that plugin repo in the Wordpress directory (https://wordpress.org/plugins/jwt-auth/) doesn't include those features (it's a few months out of date).
So what I needed to do was grab the latest files from the GitHub repo (https://github.com/usefulteam/jwt-auth) - run composer install, then manually upload those files to the WordPress server.
Little bit round about, but now it's working as intended - aka tokens expiring after a password reset.
Thank you! Hopefully my findings help anyone else that's confused about this.
Hello,
When a user generates a token, that token has a validity period. If during that period, the user is hacked (his token is stolen by a hacker), there's no way to invalidate all previous token generated by the user => the hacker can do whatever he wants on behalf of the hacked user.
Can I suggest 2 possible solutions :
1) When generating a new token, you also include the hash of the current user password. In that way, if user is hacked, he only has to modify his password to invalidate all previous token.
2) You add into the database a random (different) key for each user. When you generate a new token, you include that key (or the hash of that key) into the token. Then, to invalidate all token of the user, we only need to modifiy that key (stored in the database).
Regards,