Closed gordielachance closed 5 years ago
Well... no. Because then there would not be any authentication. It'd basically be an open door for anyone to authenticate as any user as long as they know their user ID. I'm pretty sure the plugin would never pass an inspection from the WP Plugin repo team 😅
The proper way to handle that would probably be for the plugin to request the user to authenticate themselves through a login form and send the credentials to the /token endpoint to get the token for later use.
Okay, I get it.
But maybe you can help me solve this problem:
Actually, I need to use Postman to generate a token.
But it's not very user friendly, and I want my users to be able to get their token easily.
I need something simple, like showing the user's token on their profile page.
How would you handle this?
For security I would probably add a custom "generate your API token" form on their profile page, in which they add their username and password (same as the login form), but you're posting it to the /token endpoint of JWT, which will return the token for you. Then you can show them their token (if you're talking about something like a frontend profile page, which I'm guessing).
I guess it may be possible to hook into the WP login process directly and hijack the username + password from there and perform a /token request right away on login, but I'm not sure. It would also be a little less secure since you might not be hooking in after they've been confirmed as users etc.
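The form flow suggested above (the user types their own username and password, and the page posts them to the JWT /token endpoint), sketched as an added example that is not part of the thread or the plugin's code. The endpoint URL is a placeholder, and the JSON request body and the `token` response field are assumptions about the plugin in use.

```javascript
// Added example. TOKEN_ENDPOINT is a placeholder; the JSON body shape and the
// `token` response field are assumptions about the JWT plugin in use.
const TOKEN_ENDPOINT = "https://example.test/PLACEHOLDER/token";

// Build the POST request; refuse to send a password over plain HTTP.
function buildTokenRequest(endpoint, username, password) {
  const url = new URL(endpoint);
  if (url.protocol !== "https:") {
    throw new Error("refusing to send credentials over " + url.protocol);
  }
  if (!username || !password) {
    throw new Error("username and password are required");
  }
  return {
    url: url.toString(),
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      credentials: "omit", // the typed password authenticates, not cookies
      body: JSON.stringify({ username, password }),
    },
  };
}

// Pull the token out of the response without echoing server text to the page.
function extractToken(status, body) {
  if (status < 200 || status >= 300) {
    throw new Error("authentication failed (HTTP " + status + ")");
  }
  if (!body || typeof body.token !== "string" || body.token === "") {
    throw new Error("response did not contain a token");
  }
  return body.token;
}

// Called from the form's submit handler: the password is used for this one
// request and is not stored; only the returned token is shown to the user.
async function requestToken(username, password, endpoint = TOKEN_ENDPOINT, fetchImpl = fetch) {
  const { url, options } = buildTokenRequest(endpoint, username, password);
  const res = await fetchImpl(url, options);
  const body = await res.json().catch(() => null);
  return extractToken(res.status, body);
}
```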
Is it possible to generate a token by user ID rather than by username+password? Would be useful to generate tokens from a plugin, for instance, without knowing the username & password. Thanks!!!