jonathan-dejong / simple-jwt-authentication

Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.
GNU General Public License v3.0

Securing Custom Routes #63

Open megphillips91 opened 4 years ago

megphillips91 commented 4 years ago

I have a new custom route which I created via register custom route which I need to secure. If I provide a validate callback which returns true always and forever, the call will succeed without a header sent. If I send an Authorization with valid token, it always fails.

{ "code": "jwt_auth_invalid_token", "message": "Signature verification failed", "data": { "status": 403 } }

====> here is the register rest route

```php
register_rest_route(
    'parent-checklist-rest/v2',
    '/registration',
    array(
        'methods'           => 'GET, POST',
        'callback'          => __NAMESPACE__ . '\\register_user',
        'validate_callback' => __NAMESPACE__ . '\\check_JWT',
    )
);
```

====> validation callback

```php
function check_JWT( \WP_REST_Request $request ) {
    // $header = $request->get_header( 'Authorization' );
    return true;
    // $response = wp_remote_post( $header );
}
```

Expected Behavior ==>

Actual Behavior ==>

megphillips91 commented 4 years ago

Workaround ==> If you register your route with no validate_callback specified, then you can add a validation hook which produces the expected behavior before you "do business" on the call. I see this more as a hack than a proper way to solve the problem. It may be a hack that works, but still hacky. So if someone has managed to produce the expected behavior, please post here. I can add to the documentation and submit a pull request for others using the plugin.

```php
function register_user( \WP_REST_Request $request ) {
    // Run the token check by hand before doing any work on the request
    // (check_JWT is the validator defined above; it receives the request).
    if ( ! check_JWT( $request ) ) {
        $response = array( 'response' => 'bad token' );
        return $response;
    } else {
        // do business here
    }
}
```

jonathan-dejong commented 4 years ago

Hmmm, does it work with WP's other default endpoints? Just to rule out an issue with the key you've set.

This error is thrown by the firebase jwt-php library the plugin uses, and I think it could generally backfire due to certificate changes.
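To rule the secret in or out the way the comment above suggests, the signature check can be reproduced offline. The following is an added example, not code from the simple-jwt-authentication plugin or from anyone in this thread: it re-creates the core of the HS256 verification that firebase/php-jwt performs (algorithm pinned, HMAC recomputed, constant-time compare, `exp` checked). The token, the two secrets and the placeholder name `$configured_secret` are constructed for the demonstration; substitute the secret your site actually defines for the plugin in wp-config.php.

```php
<?php
/**
 * Added example (not the plugin's or the issue author's code): stand-alone
 * HS256 verification so a "Signature verification failed" result can be
 * reproduced with the secret you believe the site is using.
 */

function b64url_encode( string $bin ): string {
    return rtrim( strtr( base64_encode( $bin ), '+/', '-_' ), '=' );
}

function b64url_decode( string $txt ): string {
    $pad = strlen( $txt ) % 4;
    if ( $pad ) {
        $txt .= str_repeat( '=', 4 - $pad );
    }
    $out = base64_decode( strtr( $txt, '-_', '+/' ), true );
    return $out === false ? '' : $out; // '' makes every later check fail cleanly
}

// Toy issuer: mirrors what a JWT library does for HS256 (header.payload.sig).
function issue_hs256( array $claims, string $secret ): string {
    $header  = b64url_encode( json_encode( array( 'typ' => 'JWT', 'alg' => 'HS256' ) ) );
    $payload = b64url_encode( json_encode( $claims ) );
    $sig     = hash_hmac( 'sha256', "$header.$payload", $secret, true );
    return "$header.$payload." . b64url_encode( $sig );
}

/**
 * Returns 'ok' or a reason string. The algorithm is pinned to HS256 so a token
 * whose header says "none" or names an RSA algorithm is rejected outright
 * instead of being verified with the wrong primitive.
 */
function check_hs256( string $jwt, string $secret ): string {
    $parts = explode( '.', $jwt );
    if ( count( $parts ) !== 3 ) {
        return 'malformed: expected header.payload.signature';
    }
    list( $h, $p, $s ) = $parts;

    $header = json_decode( b64url_decode( $h ), true );
    if ( ! is_array( $header ) || ( $header['alg'] ?? '' ) !== 'HS256' ) {
        return 'unexpected alg: ' . var_export( $header['alg'] ?? null, true );
    }

    // Recompute the MAC over the exact signed bytes and compare in constant time.
    $expected = hash_hmac( 'sha256', "$h.$p", $secret, true );
    if ( ! hash_equals( $expected, b64url_decode( $s ) ) ) {
        return 'Signature verification failed (secret mismatch or tampered token)';
    }

    $claims = json_decode( b64url_decode( $p ), true );
    if ( is_array( $claims ) && isset( $claims['exp'] ) && $claims['exp'] < time() ) {
        return 'expired';
    }
    return 'ok';
}

// Constructed demo data: the token is minted with one secret and checked
// against another, which is exactly the "key you've set" mismatch scenario.
$signing_secret    = 'secret-the-token-was-minted-with';
$configured_secret = 'secret-actually-in-wp-config'; // hypothetical placeholder

$token = issue_hs256(
    array(
        'iss'  => 'https://example.test',
        'exp'  => time() + 3600,
        'data' => array( 'user' => array( 'id' => 1 ) ),
    ),
    $signing_secret
);

echo 'with the minting secret:    ', check_hs256( $token, $signing_secret ), PHP_EOL;
echo 'with the configured secret: ', check_hs256( $token, $configured_secret ), PHP_EOL;
```

Run it with `php check.php`: the first line reports `ok`, the second reports the signature failure, even though the token itself is well formed. If a real token from your app fails against the secret you pasted from wp-config.php, the two sides are not sharing the same key; if it passes here but the plugin still rejects it, the problem is elsewhere (for example the plugin not seeing the `Authorization` header because the web server strips it).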

pentatonicfunk commented 4 years ago

As far as I understand, validate_callback is for REST arguments/params. For the endpoint itself, I think permission_callback is the one that is supposed to do that.
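Putting the two callbacks in their proper places, as an added example rather than code from the plugin or from anyone in this thread: `permission_callback` guards the route, `validate_callback` guards one argument. The namespace and route come from the original post; the `email` argument, the function names `require_jwt_user` and `register_user`, and the `ParentChecklist` PHP namespace are illustrative. It assumes the JWT plugin is active and, like the wp-api-jwt-auth family it derives from, resolves a valid `Authorization: Bearer <token>` header into the WordPress current user before the route is dispatched, so `is_user_logged_in()` is true exactly when the token verified.

```php
<?php
/**
 * Added example (not the simple-jwt-authentication plugin's code): a custom
 * REST route whose access check lives in permission_callback.
 *
 * Assumption: the JWT plugin has already turned a valid bearer token into the
 * current user (via WordPress's authentication filters) by the time the REST
 * server evaluates permissions for this route.
 */

namespace ParentChecklist;

add_action( 'rest_api_init', function () {
    register_rest_route(
        'parent-checklist-rest/v2',
        '/registration',
        array(
            'methods'  => array( 'GET', 'POST' ),
            'callback' => __NAMESPACE__ . '\\register_user',

            // Guards the endpoint itself. WordPress 5.5+ requires this key;
            // '__return_true' would make the route public, so do the check here.
            'permission_callback' => __NAMESPACE__ . '\\require_jwt_user',

            // validate_callback belongs to an individual argument, not the route.
            'args' => array(
                'email' => array(
                    'required'          => true,
                    'sanitize_callback' => 'sanitize_email',
                    'validate_callback' => function ( $value, $request, $param ) {
                        if ( is_email( $value ) ) {
                            return true;
                        }
                        return new \WP_Error(
                            'rest_invalid_param',
                            sprintf( '%s must be a valid email address.', $param ),
                            array( 'status' => 400 )
                        );
                    },
                ),
            ),
        )
    );
} );

/**
 * Permission check: succeed only if an authenticated user is present.
 * Returning a WP_Error instead of false controls the message and status;
 * rest_authorization_required_code() yields 401 for anonymous callers.
 */
function require_jwt_user( \WP_REST_Request $request ) {
    if ( is_user_logged_in() ) {
        return true;
    }
    return new \WP_Error(
        'rest_forbidden',
        'A valid Authorization: Bearer token is required.',
        array( 'status' => rest_authorization_required_code() )
    );
}

/**
 * Route handler. By the time this runs the permission check has passed and the
 * 'email' argument has been sanitized and validated, so it can just do business.
 */
function register_user( \WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'response' => 'ok',
        'user_id'  => get_current_user_id(),
        'email'    => $request->get_param( 'email' ),
    ) );
}
```

With this arrangement an unauthenticated request is refused with a 401 before `register_user` runs, a request carrying a valid token but a bad `email` is refused with a 400 by the argument validator, and only a request that clears both reaches the handler; nothing has to be re-checked inside the callback as in the workaround above.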

megphillips91 commented 4 years ago

Honestly, I never got back around to this the proper way and wrote a "workaround" custom authentication method which essentially just ensures the calls are coming from my app to the WP installation. I need a better solution and will get back around to it when reasonable for business.

thanks,