nicumicle / simple-jwt-login

This plugin allows you to log in, register, authenticate, delete and change the user password on a WordPress website using a JWT.
http://wordpress.org/plugins/simple-jwt-login/
GNU General Public License v3.0

validate and autologin routes do not check the user's password encoded in the JWT. #8

Closed nmenescardi closed 2 years ago

nmenescardi commented 3 years ago

Bug Description

Is there a way to validate a user's password encoded in the JWT for the validate and autologin routes?

When it creates a new JWT using the auth route with an email and password, it validates the credentials by checking that the provided password matches the one in the WP database.

But for the validate and autologin routes, it does not check the user's password encoded in the token. So we can create a JWT with an online tool, providing only the email and a wrong/empty password, and use that token to log in.

Is there any setting to always check the user's password encoded in the JWT?

Environment

| Question | Answer |
|---|---|
| PHP version | 7.4 |
| WordPress version | 5.8.1 |
| Simple-JWT-Login plugin version | 3.1.0 |

nicumicle commented 2 years ago

Hello @nmenescardi,

Now you can use the hashed password in order to get a JWT on the authentication endpoint.

Just send the password_hash instead of the password parameter.

Best regards, Nicu.
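The report above asks that a token presented to the validate or autologin routes be checked against the user's stored credential, and the maintainer's reply moves to issuing tokens from the password hash. The following is an added illustration of that defensive pattern, written for this page and not taken from the plugin's code: it verifies the HS256 signature with a constant-time comparison, pins the algorithm, checks expiry, and then refuses the token unless the `password_hash` claim still equals the hash stored for that user, so a token built with an empty or wrong hash, or one issued before a password change, is rejected. The secret, the in-memory user store, and the claim names are constructed assumptions for the demo.

```php
<?php
// Added example, not the plugin's own code. Demonstrates a JWT validation
// routine that also binds the token to the user's current stored password hash.
declare(strict_types=1);

// Assumption: a site-wide HS256 secret. Constructed value for the demo only.
const SITE_SECRET = 'constructed-demo-secret-do-not-reuse';

// Constructed user store: email => stored password hash (stands in for the WP database).
function demo_users(): array {
    static $users = null;
    if ($users === null) {
        $users = ['alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $users;
}

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

// Issue a token only after the credentials check out; the stored hash is embedded
// so later validation can confirm the credential has not changed.
function issue_token(string $email, string $password): ?string {
    $users = demo_users();
    if (!isset($users[$email]) || !password_verify($password, $users[$email])) {
        return null; // credentials rejected at issue time
    }
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode([
        'email'         => $email,
        'password_hash' => $users[$email],
        'exp'           => time() + 600,
    ]));
    $sig = b64url_encode(hash_hmac('sha256', "$header.$payload", SITE_SECRET, true));
    return "$header.$payload.$sig";
}

// Returns the authenticated email, or null if any check fails.
function validate_token(string $jwt): ?string {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;

    // Pin the algorithm: never trust "alg" from the token to pick the verifier.
    $hdr = json_decode(b64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') {
        return null;
    }

    // Constant-time signature comparison.
    $expected = b64url_encode(hash_hmac('sha256', "$header.$payload", SITE_SECRET, true));
    if (!hash_equals($expected, $sig)) {
        return null;
    }

    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims) || (int)($claims['exp'] ?? 0) < time()) {
        return null;
    }

    // The check the report asks for: the credential carried in the token must
    // still match what the site stores for that user.
    $email  = (string)($claims['email'] ?? '');
    $stored = demo_users()[$email] ?? null;
    $claimed = (string)($claims['password_hash'] ?? '');
    if ($stored === null || $claimed === '' || !hash_equals($stored, $claimed)) {
        return null;
    }
    return $email;
}

// Demo: a properly issued token validates; one with the credential claim blanked does not.
$good = issue_token('alice@example.com', 'correct horse');
var_dump($good !== null && validate_token($good) === 'alice@example.com');

[$h, $p, ] = explode('.', $good);
$claims = json_decode(b64url_decode($p), true);
$claims['password_hash'] = '';
$p2 = b64url_encode(json_encode($claims));
$s2 = b64url_encode(hash_hmac('sha256', "$h.$p2", SITE_SECRET, true));
var_dump(validate_token("$h.$p2.$s2") === null);
```

The second demo token is re-signed with the demo secret so that it passes the signature check; it is rejected solely because its `password_hash` claim no longer matches the stored hash. In a real deployment the signature check alone already stops tokens forged without the secret, and the hash binding adds revocation on password change, which is the behaviour the reporter was looking for.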