jonathan-dejong / simple-jwt-authentication

Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.
GNU General Public License v3.0

Bypass token #4

Closed tribalboy3000 closed 5 years ago

tribalboy3000 commented 7 years ago

I tried the resetpassword endpoint and still get:

{"code":"jwt_auth_invalid_token","message":"Wrong number of segments","data":{"status":403}}

I think this is only if I'm logged in, correct? I have a 'forgot pwd' endpoint where it sends an email to the email added by the user (temporary rest link), same as WordPress. Since they forgot their pwd they are not currently logged in, is there a way to bypass the token check?

My endpoint still gets: {"code":"jwt_auth_invalid_token","message":"Wrong number of segments","data":{"status":403}}

jonathan-dejong commented 7 years ago

Hi,

If you use the resetpassword endpoint you should only send a username or email with the POST. This endpoint does not check for a valid token. All it does is send out the reset password email. https://github.com/jonathan-dejong/simple-jwt-authentication/blob/master/includes/class-simple-jwt-authentication-rest.php#L408

So it's not possible you're getting that return message from that endpoint :)

tribalboy3000 commented 7 years ago

Ok I think I figured it out: I was passing `Authorization: Bearer null` <- this was causing the issue. However the email link is not correct, I had the same issue (used the same code) but fixed it with this:

Replaced this:

```php
$key = $wpdb->get_var( $wpdb->prepare( "SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login ) );
if ( empty( $key ) ) {
    // Generate something random for a key...
    $key = wp_generate_password( 20, false );
    do_action( 'retrieve_password_key', $user_login, $key );
    // Now insert the new md5 key into the db
    $wpdb->update(
        $wpdb->users,
        array(
            'user_activation_key' => $key,
        ),
        array(
            'user_login' => $user_login,
        )
    );
}
```


With this:

```php
$key = wp_generate_password( 20, false );
do_action( 'retrieve_password_key', $user_login, $key );

if ( empty( $wp_hasher ) ) {
    require_once ABSPATH . 'wp-includes/class-phpass.php';
    $wp_hasher = new PasswordHash( 8, true );
}

$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
```


With this new code you should see the proper reset page
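
Added example, not part of the thread or the plugin's code: a client-side guard for the `Authorization: Bearer null` cause identified above. The literal `null` is not a three-segment JWT, so the header is left out when no well-formed token is stored; the helper names and the sample token are hypothetical.

```javascript
// Added example (not from the plugin): hypothetical client-side helpers.
// A compact JWT is three non-empty base64url segments joined by dots.
const JWT_SHAPE = /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+){2}$/;

// Normalise whatever the app has stored; return a usable token or null.
function usableToken(stored) {
  if (typeof stored !== 'string') return null; // null, undefined, objects
  const token = stored.trim().replace(/^Bearer\s+/i, '');
  // String interpolation turns a missing value into these literal strings.
  if (token === '' || token === 'null' || token === 'undefined') return null;
  return JWT_SHAPE.test(token) ? token : null;
}

// Build request headers. The Authorization header is omitted entirely when
// there is no well-formed token, instead of sending "Bearer null".
function authHeaders(stored) {
  const headers = { 'Content-Type': 'application/json' };
  const token = usableToken(stored);
  if (token !== null) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// The failing pattern from the thread: interpolate without checking.
function naiveAuthHeaders(stored) {
  return {
    'Content-Type': 'application/json',
    Authorization: `Bearer ${stored}`,
  };
}

// Constructed sample token (dummy segments, not a real credential).
const SAMPLE = 'aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl';
```
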

jonathan-dejong commented 7 years ago

I'll look into it in the next few days unless you want to do a working PR.

Glad you worked out the issue :)

jonathan-dejong commented 7 years ago

Hi,

I've attempted to solve this but your provided code does not work. I suspect you've done more changes :)

Could you make a PR or provide the file in its entirety?