Tmeister / wp-api-jwt-auth

A simple plugin to add JSON Web Token (JWT) Authentication to WP REST API
GNU General Public License v2.0

If user deleted in wordpress, need to invalid/expire token/ user not exist response #305

Open vinaye42 opened 5 months ago

vinaye42 commented 5 months ago

We got a report of a critical security issue in your plugin. If the user is deleted in WordPress, but the session in the app is still active,

You have to check in validate token whether the user exists or not, like the image below.

[image: user-exists]

/** Check whether the user in the token still exists */
if( isset($token->data->user->id) ) {
    $user = get_userdata($token->data->user->id);

    if ( ! $user ) {
        return new WP_Error(
            'jwt_auth_bad_request',
            'User not found',
            [
                'status' => 403,
            ]
        );
    }
}
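Added example, written for this page and not taken from the plugin or from the issue author: a small Python model of the gap described above. It implements HS256 JWT issue/verify by hand (so it runs offline), keeps a constructed in-memory user table standing in for WordPress, and puts the validator that only checks signature and expiry next to one that also looks up the user, mirroring the `get_userdata` check from the comment. The secret, issuer, user IDs and error codes other than those on the page are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in the plugin this comes from the site's JWT secret setting.
SECRET = b"constructed-demo-secret"

# Constructed stand-in for the WordPress user table: id -> login name.
USERS = {1: "alice", 2: "bob"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id, secret=SECRET, ttl=7 * 24 * 3600, now=None):
    """Mint an HS256 token whose payload carries data.user.id, as the plugin does."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "iss": "https://example.invalid",  # constructed issuer
        "iat": now,
        "nbf": now,
        "exp": now + ttl,
        "data": {"user": {"id": user_id}},
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_verified(token, secret=SECRET, now=None):
    """Return (payload, None) if signature, alg and exp check out, else (None, error_code)."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None, "jwt_auth_invalid_token"
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed structure, base64 or JSON
        return None, "jwt_auth_invalid_token"
    if header.get("alg") != "HS256":
        return None, "jwt_auth_invalid_token"
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) < now:
        return None, "jwt_auth_invalid_token"
    return payload, None


def validate_token_before(token, now=None):
    """Signature and expiry only: a token for a deleted user stays valid until exp."""
    payload, err = decode_verified(token, now=now)
    if err:
        return {"status": 403, "code": err}
    return {"status": 200, "user_id": payload["data"]["user"]["id"]}


def validate_token_after(token, users=USERS, now=None):
    """Same checks plus the user-existence lookup proposed in the issue."""
    payload, err = decode_verified(token, now=now)
    if err:
        return {"status": 403, "code": err}
    user_id = payload.get("data", {}).get("user", {}).get("id")
    if user_id is None or user_id not in users:
        # Matches the WP_Error in the comment: code, message and status 403.
        return {"status": 403, "code": "jwt_auth_bad_request", "message": "User not found"}
    return {"status": 200, "user_id": user_id}


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token(2, now=now)
    remaining = {1: "alice"}  # bob (id 2) has been deleted
    print("before:", validate_token_before(token, now=now))
    print("after: ", validate_token_after(token, users=remaining, now=now))
```

Running the block prints a 200 from the signature-only validator and a 403 "User not found" from the hardened one for the same token. The lookup runs on every request, so the cost is one user-table read per call; that is the price of letting a deletion take effect before the token's natural expiry.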
vinaye42 commented 5 months ago

Hi @Tmeister, please check the above issue.