search

Tmeister / wp-api-jwt-auth

A simple plugin to add JSON Web Token (JWT) Authentication to WP REST API
GNU General Public License v2.0
546 stars 160 forks source link

Incompatible with HTTP basic authentication on Nginx #291

Open ZaneCEO opened 9 months ago

ZaneCEO commented 9 months ago

Prerequisites

Issue

Due to stringent business requirements, the whole WordPress instance is protected by HTTP basic authentication on Nginx:

auth_basic "Restricted access | VHOST HTTP AUTH";
auth_basic_user_file /var/.../httpauth;

This conflicts with the module, since both Nginx and JWT expect an Authorization header:

I tried to use both the HTTP basic credentials AND the Bearer:

curl -I -v --USER "<nginx-name>:<nginx-pass>" 'https://<domain>/wp-json/wp/v2/posts' -H 'Authorization: Bearer <jwt-token>'

or

curl -I -v 'https://<nginx-name>:<nginx-pass>@<domain>/wp-json/wp/v2/posts' -H 'Authorization: Bearer <jwt-token>'

Both hit a 403 because the Bearer gets priority over HTTP basic credentials, so the request cannot authenticate and Nginx stop it immediately.

Workaround

As a workaround, I disabled the HTTP basic auth when the request originates from a know origin:

satisfy any;

## skip auth from loopback
allow 127.0.0.1;

## skip auth from LAN
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;

....

## Auth
auth_basic "Restricted access | VHOST HTTP AUTH";
auth_basic_user_file /var/.../httpauth;

Another idea ( https://stackoverflow.com/a/50971162/1204976 ) would be to pass the token with a different parameter and re-map it via php-fpm:

proxy_set_header Authorization $http_x_api_token;

But, again, I would really like to skip any of this.

Suggested action

Have a look at how WooCommerce uses specialized header: https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication. The module could read the token from a different header first (x-api-jwt-token: xxxx, for example) , then switch to the current behavior if it's not set.