WP-API / jwt-auth

Enable JSON Web Token authentication for the WordPress REST API.
GNU General Public License v2.0
106 stars 25 forks

URGENT: Security hole #28

Closed andrewmclagan closed 4 years ago

andrewmclagan commented 4 years ago
update_user_meta( $token->data->user->id, WP_REST_Key_Pair::_USERMETA_KEY_, array_values( $keypairs ) );

You're storing unencrypted keys in the database... very very bad idea.

TimothyBJacobs commented 4 years ago

Only the hashed form of the secret is stored.

https://github.com/WP-API/jwt-auth/blob/develop/wp-includes/rest-api/auth/class-wp-rest-key-pair.php#L502
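
The storage pattern described in the reply above, where only a one-way hash of the secret is persisted, shown as an added example that is not part of the thread and not the plugin's own code. The function names, the in-memory `$usermeta` array standing in for user meta, and the choice of PHP's `password_hash()` are assumptions made for illustration.

```php
<?php
// Added illustration; not code from WP-API/jwt-auth. All names are hypothetical.

// Stand-in for the per-user meta storage (constructed for this example).
$usermeta = [];

// Create a key pair: the plaintext secret is returned to the caller once,
// and only its salted one-way hash is written to storage.
function create_key_pair(array &$store, int $user_id, string $name): array {
    $api_key    = bin2hex(random_bytes(12));
    $api_secret = bin2hex(random_bytes(20));
    $store[$user_id][] = [
        'name'       => $name,
        'api_key'    => $api_key, // identifier, not a secret
        'api_secret' => password_hash($api_secret, PASSWORD_DEFAULT),
    ];
    return ['api_key' => $api_key, 'api_secret' => $api_secret];
}

// Verify a presented key/secret against the stored hash.
function verify_key_pair(array $store, int $user_id, string $api_key, string $api_secret): bool {
    foreach ($store[$user_id] ?? [] as $pair) {
        if (hash_equals($pair['api_key'], $api_key)) {
            return password_verify($api_secret, $pair['api_secret']);
        }
    }
    return false;
}

$issued = create_key_pair($usermeta, 7, 'ci-deploy');

// What a database dump would expose for this user.
$stored = serialize($usermeta);

// The plaintext secret does not appear anywhere in the stored value.
var_dump(strpos($stored, $issued['api_secret']) === false);

// The correct secret verifies against the hash; a wrong one does not.
var_dump(verify_key_pair($usermeta, 7, $issued['api_key'], $issued['api_secret']));
var_dump(verify_key_pair($usermeta, 7, $issued['api_key'], 'wrong-secret'));
```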