jonathan-dejong / simple-jwt-authentication

Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.
GNU General Public License v3.0

Don't expose SIMPLE_JWT_AUTHENTICATION_SECRET_KEY #31

Closed kasparsd closed 5 years ago

kasparsd commented 6 years ago

Per docs:

This secret key must be unique and never revealed.

Per Use JWT The Right Way:

The secret signing key should only be accessible by the issuer and the consumer; it should not be accessible outside of these two parties.

However, currently the secret is revealed in the plugin settings to all users with the manage_options capability. Could we make this field write only so that users who don't want to set the SIMPLE_JWT_AUTHENTICATION_SECRET_KEY constant can still add the key but never see it?

jonathan-dejong commented 5 years ago

Hi @kasparsd

Good point! It should be changed to an input type password field :)

I'll look into it as soon as I can find the time. Or if you prefer to make a PR that is more than welcome!
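A write-only secret field along the lines proposed in this thread, as an added example in PHP (not the plugin's own code); the option name, option group and settings page slug are assumptions, and the settings section and page are assumed to be registered elsewhere:

```php
<?php
// Added example (not the plugin's code): a write-only secret field built on the
// WordPress Settings API. The stored secret is never echoed back to the browser,
// and an empty submission keeps the existing value. Names marked "assumed" are
// placeholders; the settings section/page registration is assumed to exist.
const EXAMPLE_JWT_SECRET_OPTION = 'example_jwt_secret_key'; // assumed option name

function example_jwt_register_secret_setting() {
    register_setting(
        'example_jwt_settings',            // assumed option group
        EXAMPLE_JWT_SECRET_OPTION,
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_jwt_sanitize_secret',
            'show_in_rest'      => false,  // keep the option out of the REST API too
        )
    );
    add_settings_field(
        EXAMPLE_JWT_SECRET_OPTION,
        'Secret key',
        'example_jwt_render_secret_field',
        'example_jwt_settings'             // assumed settings page slug
    );
}
add_action( 'admin_init', 'example_jwt_register_secret_setting' );

// Keep the current secret when the field is submitted blank, so re-saving
// unrelated settings on the same page does not wipe the key.
function example_jwt_sanitize_secret( $value ) {
    $value = is_string( $value ) ? trim( $value ) : '';
    if ( '' === $value ) {
        return get_option( EXAMPLE_JWT_SECRET_OPTION, '' );
    }
    return $value;
}

// Render a password input with an empty value attribute: the page source only
// reveals whether a key exists, never the key itself. A secret set via the
// constant takes precedence and is not editable from the admin screen.
function example_jwt_render_secret_field() {
    if ( defined( 'SIMPLE_JWT_AUTHENTICATION_SECRET_KEY' ) ) {
        echo '<p>The secret key is defined as a constant and cannot be changed here.</p>';
        return;
    }
    $is_set = '' !== get_option( EXAMPLE_JWT_SECRET_OPTION, '' );
    printf(
        '<input type="password" name="%s" value="" autocomplete="new-password" placeholder="%s" />',
        esc_attr( EXAMPLE_JWT_SECRET_OPTION ),
        esc_attr( $is_set ? 'A key is set; enter a new one to replace it' : 'Enter a secret key' )
    );
}
```

Because the rendered input always has an empty value, an administrator can rotate the key but cannot read the current one back from the settings page or its HTML source.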

jonathan-dejong commented 5 years ago

Coming in 1.4 soon!