Open megphillips91 opened 4 years ago
Workaround ==> If you register your route with no validate_callback specified, then you can add a validation hook which produces the expected behavior before you "do business" on the call. I see this more as a hack than a proper way to solve the problem. It may be a hack that works, but still hacky. So if someone has managed to produce the expected behavior, please post here. I can add to the documentation and submit a pull request for others using the plugin.
```php
function register_user(\WP_REST_Request $request){
    // Reject the call before doing any work if the token check fails.
    if( !check_JWT($request->bearer) ) {
        $response = array( 'response'=> 'bad token' );
        return ($response);
    } else {
        //do business here
    }
}
```
Hmmm, does it work with WP's other default endpoints? Just to rule out an issue with the key you've set.
This error is thrown by the firebase jwt-php library the plugin uses, and I think it could generally backfire due to certificate changes.
As far as I understand, `validate_callback` is for REST arguments/params. For the endpoint itself, I think `permission_callback` is the one that's supposed to do that.
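The split described in the comment above, as an added example that is not code from this thread or from the plugin: `permission_callback` decides who may call the route, and a per-argument `validate_callback` under `args` checks each parameter. The function names and the `email` parameter are hypothetical, and the example assumes the JWT plugin has already resolved a valid bearer token to a WordPress user (through the `determine_current_user` filter) before the permission callback runs.

```php
<?php
// Added example. Names prefixed pcr_ and the 'email' parameter are hypothetical.
// Assumption: the JWT plugin sets the current user from the bearer token
// before permission_callback is invoked.

add_action( 'rest_api_init', function () {
    register_rest_route( 'parent-checklist-rest/v2', '/registration', array(
        'methods'             => 'GET, POST',
        'callback'            => 'pcr_register_user',
        // Authorization for the endpoint as a whole.
        'permission_callback' => 'pcr_require_authenticated_user',
        // Validation of individual request parameters.
        'args'                => array(
            'email' => array(
                'required'          => true,
                'validate_callback' => function ( $value, $request, $key ) {
                    return is_string( $value ) && false !== is_email( $value );
                },
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
} );

function pcr_require_authenticated_user( WP_REST_Request $request ) {
    // True only when a user was resolved for this request; a request with
    // no Authorization header stays anonymous and is refused here.
    if ( is_user_logged_in() ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'A valid token is required for this route.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function pcr_register_user( WP_REST_Request $request ) {
    // Runs only after the permission and argument checks have passed.
    $email = $request->get_param( 'email' );
    // do business here
    return rest_ensure_response( array( 'registered' => $email ) );
}
```

With this layout a request without a header is rejected with 401 by the permission callback instead of reaching the route callback.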
Honestly, I never got back around to this the proper way and wrote a "workaround" custom authentication method which essentially just ensures the calls are coming from my app to the WP installation. I need a better solution and will get back around to it when reasonable for business.
thanks,
I have a new custom route which I created via register custom route which I need to secure. If I provide a validate callback which returns true always and forever, the call will succeed without a header sent. If I send an Authorization with valid token, it always fails.
{ "code": "jwt_auth_invalid_token", "message": "Signature verification failed", "data": { "status": 403 } }
====> here is the register rest route
```php
register_rest_route(
    'parent-checklist-rest/v2',
    '/registration',
    array(
        'methods' => 'GET, POST',
        'callback' => __NAMESPACE__.'\\register_user',
        'validate_callback'=> __NAMESPACE__.'\\check_JWT',
    )
);
```
====> validation callback
```php
function check_JWT(\WP_REST_Request $request){
    //$header = $request->get_header('Authorization');
    return TRUE;
    //$response = wp_remote_post($header)
}
```
Expected Behavior ==>
Actual Behavior ==>