alleyinteractive / wp-rest-api-guard

Restrict and control access to the REST API
https://wordpress.org/plugins/rest-api-guard/
GNU General Public License v2.0

JWT decoding failed: Algorithm not allowed #23

Closed danieleperilli closed 2 months ago

danieleperilli commented 5 months ago

Description of the bug

After generating a token and verifying that it was passed to REST API calls, any call returns "Error authentication with token: Algorithm not allowed". I verified the token with https://jwt.io/ and everything is correct (and the signature is verified). After analyzing your code, I changed this part:

$decoded = JWT::decode( substr( $jwt, 7 ), new Key( get_jwt_secret(), 'HS256' ) );

to:

$decoded = JWT::decode( substr( $jwt, 7 ), get_jwt_secret(), ['HS256'] );

and it started working. Is this a known error or my misconfiguration somewhere? Thanks!

Steps To Reproduce

  1. Generate a token
  2. Make any call

Additional Information

No response

srtfisher commented 2 months ago

In the underlying library firebase/jwt, the second argument must be an instance of Key: https://github.com/firebase/php-jwt/blob/main/src/JWT.php#L98. It shouldn't be able to accept a string, which is what get_jwt_secret() returns.

danieleperilli commented 2 months ago

Yes, it was because I had a previous version of firebase/jwt used by another plugin. Thanks!
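The root cause settled on in this thread is a library version mismatch: the plugin calls the firebase/php-jwt 6.x API (algorithm bound to a `Key` object), but another plugin in the same WordPress install had already autoloaded an older firebase/php-jwt whose `decode()` takes the algorithm allow-list as a third `array $allowed_algs` argument. With that older signature, a `Key` object and no third argument means an empty allow-list, and every token is rejected with "Algorithm not allowed". The example below is added here and is not code from rest-api-guard or from firebase/php-jwt. It assumes Composer's autoloader lives at `vendor/autoload.php`, that the 5.x line names the third parameter `$allowed_algs` while 6.x either has no third parameter or names it differently, and it uses a reflection check on that parameter name (an assumption, not a documented library feature) to pick the right call shape while still pinning HS256 in both cases. The helper names `decode_hs256` and `php_jwt_wants_allowed_algs` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from rest-api-guard or firebase/php-jwt.
// Assumes the Composer autoloader is at vendor/autoload.php and that the
// firebase/php-jwt copy that wins WordPress's shared autoload may be either
// the 5.x or the 6.x line.
require_once __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

/**
 * Decode a Bearer token as HS256 against whichever php-jwt major is loaded.
 *
 * 6.x: decode(string $jwt, Key|array $keyOrKeyArray, ...)
 *      The algorithm is bound to the Key object.
 * 5.x: decode($jwt, $keyOrKeyArray, array $allowed_algs = [])
 *      The allow-list is the third argument; leaving it empty rejects every
 *      token with "Algorithm not allowed", which is the symptom in this issue
 *      when a Key object is passed with no third argument.
 */
function decode_hs256(string $authorization_header, string $secret): object
{
    if (0 !== stripos($authorization_header, 'Bearer ')) {
        throw new InvalidArgumentException('Expected a Bearer token');
    }
    $jwt = substr($authorization_header, 7);

    if (php_jwt_wants_allowed_algs()) {
        // 5.x: raw string key plus an explicit, single-entry allow-list.
        return JWT::decode($jwt, $secret, ['HS256']);
    }
    // 6.x: the key carries its own algorithm, so HS256 is still pinned.
    return JWT::decode($jwt, new Key($secret, 'HS256'));
}

/**
 * Detect the 5.x API by looking for a `$allowed_algs` parameter on
 * JWT::decode(). Assumption: that parameter name is stable across the 5.x
 * releases and absent from 6.x. If the check is wrong, the 5.x branch still
 * fails closed (empty allow-list) rather than accepting an unpinned token.
 */
function php_jwt_wants_allowed_algs(): bool
{
    $decode = new ReflectionMethod(JWT::class, 'decode');
    foreach ($decode->getParameters() as $param) {
        if ($param->getName() === 'allowed_algs') {
            return true;
        }
    }
    return false;
}

// Usage with a constructed token, signed with the same secret for illustration.
$secret = 'constructed-demo-secret-replace-in-production';
$token  = JWT::encode(['sub' => 'demo', 'exp' => time() + 300], $secret, 'HS256');
$claims = decode_hs256('Bearer ' . $token, $secret);
var_dump($claims->sub);
```

The practical check for a site hitting this error is to confirm which `Firebase\JWT\JWT` class is actually loaded, for example with `(new ReflectionClass(JWT::class))->getFileName()`, and compare it with the plugin's own `vendor/` copy; a path belonging to another plugin confirms the autoload collision described in the thread.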