Tmeister / wp-api-jwt-auth

A simple plugin to add JSON Web Token (JWT) Authentication to WP REST API
GNU General Public License v2.0

Ability to invalidate all previous generated user token #204

Open ExoGeek opened 4 years ago

ExoGeek commented 4 years ago

Hello,

When a user generates a token, that token has a validity period. If during that period the user is hacked (his token is stolen by a hacker), there's no way to invalidate all previous tokens generated by the user => the hacker can do whatever he wants on behalf of the hacked user.

Can I suggest 2 possible solutions:

1) When generating a new token, you also include the hash of the current user password. In that way, if the user is hacked, he only has to modify his password to invalidate all previous tokens.

2) You add into the database a random (different) key for each user. When you generate a new token, you include that key (or the hash of that key) in the token. Then, to invalidate all tokens of the user, we only need to modify that key (stored in the database).

Regards,
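Both proposals above amount to binding a token to a per-user value that the server can change, and re-checking that value on every validation. The following is an added example, not code from this plugin or from the issue author, that implements both bindings at once over a minimal HS256 JWT so the behaviour can be run end to end. Everything in it is constructed: the in-memory `USERS` dictionary stands in for `wp_users`/`wp_usermeta`, `SERVER_SECRET` stands in for the plugin's signing secret, and plain SHA-256 stands in for WordPress's password hashing. Note that the claims carry a hash of the password hash and a hash of the revocation key, never the values themselves, because a JWT payload is only base64-encoded and is readable by whoever holds the token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing secret; the plugin reads its own secret from configuration.
SERVER_SECRET = b"constructed-server-signing-secret"

# Constructed in-memory user store standing in for wp_users / wp_usermeta.
# "password_hash" is solution 1's binding, "revocation_key" is solution 2's.
USERS = {
    42: {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "revocation_key": secrets.token_hex(16),
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, signing_input, hashlib.sha256).digest()


def _binding_claims(user: dict) -> dict:
    # Hash the stored values again so neither the password hash nor the
    # revocation key itself is exposed in the (unencrypted) token payload.
    return {
        "pwh": hashlib.sha256(user["password_hash"].encode()).hexdigest(),
        "rk": hashlib.sha256(user["revocation_key"].encode()).hexdigest(),
    }


def issue_token(user_id: int, ttl: int = 7 * 24 * 3600, now=None) -> str:
    """Issue an HS256 JWT bound to the user's current password hash and revocation key."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": "https://example.invalid",  # constructed issuer
        "iat": now,
        "exp": now + ttl,
        "data": {"user": {"id": user_id}},
    }
    claims.update(_binding_claims(USERS[user_id]))
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input))


def validate_token(token: str, now=None):
    """Return (ok, reason). Rejects tokens whose bindings no longer match the store."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(_sign((h + "." + p).encode()), _b64url_decode(s)):
        return False, "bad signature"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    user = USERS.get(claims.get("data", {}).get("user", {}).get("id"))
    if user is None:
        return False, "unknown user"
    current = _binding_claims(user)
    # Solution 1: a password change invalidates every token issued before it.
    if not hmac.compare_digest(claims.get("pwh", ""), current["pwh"]):
        return False, "password changed"
    # Solution 2: rotating the per-user key invalidates every token without
    # touching the password (e.g. a "log out everywhere" button).
    if not hmac.compare_digest(claims.get("rk", ""), current["rk"]):
        return False, "revoked"
    return True, "ok"


def change_password(user_id: int, new_password: str) -> None:
    USERS[user_id]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()


def revoke_all_tokens(user_id: int) -> None:
    USERS[user_id]["revocation_key"] = secrets.token_hex(16)


if __name__ == "__main__":
    token = issue_token(42)
    print(validate_token(token))   # (True, 'ok')
    revoke_all_tokens(42)
    print(validate_token(token))   # (False, 'revoked')
```

The cost of either binding is one user lookup per request, which a stateless JWT was meant to avoid; that is the usual trade for being able to cut a stolen token off before it expires. In a WordPress plugin the natural place for the store is user meta, and the check belongs in the same validation path that currently only verifies the signature and the user ID.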

pesseba commented 3 years ago

This feature already exists. If the user updates the password, the token becomes invalid.

lstoyanoff commented 3 years ago

@pesseba Are you sure about that? I've tried resetting the password and the token remains valid. I've also checked the code and didn't find anything in the token validation function regarding the user password, only a check if a user ID is present

https://github.com/Tmeister/wp-api-jwt-auth/blob/develop/public/class-jwt-auth-public.php#L287-L297

pesseba commented 3 years ago

Sorry @lstoyanoff, I made a mistake. This feature is implemented in another plugin that was based on this one. Look here: https://github.com/usefulteam/jwt-auth

hayhurst commented 3 years ago

Doesn't seem like that plugin does this either? Done some testing locally and after resetting the user's password, the original token remains valid

pesseba commented 3 years ago

The reset action happens over the hooks 'profile_update' or 'after_password_reset'. If you changed the password manually, just call one of these actions, like this:

// $user is the user whose password you are changing; $new_password is the new password.
do_action( 'after_password_reset', $user, $new_password );

Make sure you are using the other plugin: https://github.com/usefulteam/jwt-auth

hayhurst commented 3 years ago

Right okay so - worked it out.

The version of that plugin repo in the WordPress directory (https://wordpress.org/plugins/jwt-auth/) doesn't include those features (it's a few months out of date).

So what I needed to do was grab the latest files from the GitHub repo (https://github.com/usefulteam/jwt-auth), run composer install, then manually upload those files to the WordPress server.

A little bit roundabout, but now it's working as intended, aka tokens expiring after a password reset.

Thank you! Hopefully my findings help anyone else that's confused about this.