Open ZaneCEO opened 9 months ago
Issue

Due to stringent business requirements, the whole WordPress instance is protected by HTTP basic authentication on Nginx:

```nginx
auth_basic "Restricted access | VHOST HTTP AUTH";
auth_basic_user_file /var/.../httpauth;
```

This conflicts with the module, since both Nginx and JWT expect an `Authorization` header:

```
authorization: Basic xxxx
authorization: Bearer yyy
```
I tried to use both the HTTP basic credentials AND the Bearer:

```sh
curl -I -v --user "<nginx-name>:<nginx-pass>" 'https://<domain>/wp-json/wp/v2/posts' -H 'Authorization: Bearer <jwt-token>'
```

or

```sh
curl -I -v 'https://<nginx-name>:<nginx-pass>@<domain>/wp-json/wp/v2/posts' -H 'Authorization: Bearer <jwt-token>'
```

Both hit a 403 because the Bearer gets priority over the HTTP basic credentials, so the request cannot authenticate and Nginx stops it immediately.
Workaround

As a workaround, I disabled the HTTP basic auth when the request originates from a known origin:

```nginx
satisfy any;

## skip auth from loopback
allow 127.0.0.1;

## skip auth from LAN
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
....

## Auth
auth_basic "Restricted access | VHOST HTTP AUTH";
auth_basic_user_file /var/.../httpauth;
```

Another idea ( https://stackoverflow.com/a/50971162/1204976 ) would be to pass the token with a different parameter and re-map it via php-fpm:

```nginx
proxy_set_header Authorization $http_x_api_token;
```

But, again, I would really like to skip any of this.
Suggested action

Have a look at how WooCommerce uses a specialized header: https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication. The module could read the token from a different header first (`x-api-jwt-token: xxxx`, for example), then switch to the current behavior if it's not set.
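As an added illustration of the header-remap idea discussed above (this is not the issue author's configuration nor the plugin's code): an Nginx vhost that keeps basic auth mandatory for every client and every path, while handing the JWT to php-fpm through a dedicated request header so the two schemes never compete for `Authorization`. The header name `X-API-JWT-Token`, the file paths and the php-fpm socket are assumptions.

```nginx
# Added example, not the author's config. Paths, server_name and the
# php-fpm socket are placeholders; adjust them for the real deployment.
server {
    listen 443 ssl;
    server_name example.com;                     # placeholder

    # Basic auth applies to the whole vhost. No "satisfy any" / allow-list
    # exemption is used, so no address range (LAN, loopback) bypasses it;
    # a JWT client must still present valid basic credentials.
    auth_basic "Restricted access | VHOST HTTP AUTH";
    auth_basic_user_file /etc/nginx/httpauth;    # assumed path

    root /var/www/wordpress;                     # assumed path
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Clients send the JWT in a separate header:
        #   Authorization:   Basic <nginx credentials>   (consumed by nginx)
        #   X-API-JWT-Token: Bearer <jwt>                (forwarded to PHP)
        # An explicit HTTP_* fastcgi_param takes precedence over the value
        # nginx would otherwise copy from the matching request header (the
        # same mechanism as the httpoxy fix `fastcgi_param HTTP_PROXY "";`),
        # so PHP sees the JWT in $_SERVER['HTTP_AUTHORIZATION'] and the
        # "Basic ..." value is never forwarded to WordPress. Requests
        # without X-API-JWT-Token reach the REST API unauthenticated,
        # which is the module's existing behaviour for a missing token.
        fastcgi_param HTTP_AUTHORIZATION $http_x_api_jwt_token;

        fastcgi_pass unix:/run/php/php-fpm.sock; # assumed socket
    }
}
```

Verify with `curl --user '<nginx-name>:<nginx-pass>' -H 'X-API-JWT-Token: Bearer <jwt-token>' https://example.com/wp-json/wp/v2/posts`: a request with only the basic credentials should still reach the API as an anonymous user, and a request without them should be rejected by Nginx before PHP runs.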