nicumicle / simple-jwt-login

This plugin allows you to log in, register, authenticate, delete and change the user password to a WordPress website using a JWT.
http://wordpress.org/plugins/simple-jwt-login/
GNU General Public License v3.0

bug: When middleware enabled, user is still authenticated after JWT has been revoked #110

Closed jonathanrich1986 closed 4 months ago

jonathanrich1986 commented 4 months ago

Bug Report

Plugin Version

3.5.5

PHP Version

8.1.23

WordPress Version

6.5.3

Bug description

I have the setting "All WordPress endpoints checks for JWT authentication" enabled. However, when I revoke a JWT, the user is still getting set as the current user for a request. I have checked that the token is definitely revoked using the validate endpoint. I would expect the response to return 401 if the token has been revoked.

nicumicle commented 4 months ago

Hi @jonathanrich1986,

Thanks for reporting this bug.

The issue is fixed now. You can download the plugin with the fix from https://simplejwtlogin.com.

I will do a release soon to include this change. :rocket:

Best Regards, Nicu.

jonathanrich1986 commented 4 months ago

@nicumicle Thanks, this works now.
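
The invariant behind this report, as an added Python model that is not the plugin's code: the request middleware and the validate endpoint share one verification routine that includes the revocation check, so they cannot disagree about a revoked token. All names (`issue`, `verify`, `middleware`, `REVOKED`), the key and the in-memory store are hypothetical; passing `verifier=check_signature` reproduces the reported symptom and is not a claim about how the plugin's bug arose.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
REVOKED = set()                   # in-memory stand-in for a revoked-token store

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(user_id, ttl=3600):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"id": user_id, "exp": int(time.time()) + ttl}).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def check_signature(token):
    """Signature and expiry only. Returns the claims dict or None."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, KeyError, TypeError):
        return None

def verify(token):
    """Full check: signature, expiry and revocation. Returns claims or None."""
    return None if token in REVOKED else check_signature(token)

def validate_endpoint(token):
    return 200 if verify(token) else 401

def middleware(headers, verifier=verify):
    """Return (status, current_user). Assumption: requests without a token stay anonymous."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 200, None
    claims = verifier(auth[len("Bearer "):])
    if claims is None:
        return 401, None          # never set a current user from a rejected token
    return 200, claims.get("id")
```

A regression test for this class of bug revokes a token and then asserts that both the validate path and an ordinary authenticated request reject it.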