Bug Description
Is there a way to validate a user's password encoded on the JWT for validate and autologin routes?
When it creates a new JWT token using the auth route with email and password, it validates the credentials by checking that the provided password is the same as the one on the WP database.
But, for validate and autologin routes, it does not check the user's password encoded on the token. So, we can create a JWT token with an online tool providing only the email and a wrong/empty password and use that token to log in.
Is there any setting to always check the user's password encoded on the JWT?
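The report boils down to one question: what should the validate and autologin routes check before trusting the identity inside a token? The added example below (it is not the plugin's code, and the secret, claims and helper names are all constructed for illustration) contrasts the reported behaviour, where the payload is decoded and the email is trusted, with a hardened check that pins the algorithm, verifies the HMAC signature in constant time, and enforces expiry. With the signature verified, a token that was not issued by the server is rejected no matter what password or email was typed into an online tool, so the password itself never needs to travel inside the token; it is checked once at auth and the signature carries the proof from then on.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example; a real deployment keeps this server-side only.
SERVER_SECRET = b"constructed-server-secret-for-example"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT. The auth route would call this only after the
    password has been checked against the user store."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def insecure_identity(token: str) -> Optional[str]:
    """Mirrors the reported weakness: the payload is decoded and the email
    is trusted without checking who signed the token."""
    try:
        _, payload_b64, _ = token.split(".")
        return json.loads(_b64url_decode(payload_b64)).get("email")
    except ValueError:  # malformed base64 or JSON
        return None


def verified_identity(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Hardened check for validate/autologin: algorithm pinned to HS256,
    signature verified in constant time, expiry enforced. Returns the email
    only when every check passes, otherwise None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm we did not issue
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # not signed with the server secret
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return None  # expired
        return claims.get("email")
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed tokens: one issued by the server, one made with a key the
    # server never had (what an online tool would produce).
    claims = {"email": "alice@example.com", "exp": 2_000_000_000}
    issued = mint_token(claims, SERVER_SECRET)
    foreign = mint_token(claims, b"some-other-key")
    print("insecure accepts foreign token:", insecure_identity(foreign))
    print("verified accepts issued token:", verified_identity(issued, SERVER_SECRET))
    print("verified accepts foreign token:", verified_identity(foreign, SERVER_SECRET))
```

The decisive difference is the order of operations in `verified_identity`: nothing in the payload is read until the signature has been checked against the server's own secret. A setting that "checks the password on the JWT" would not help if the signature is skipped, because the payload, password claim included, is attacker-controlled until that check passes.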
Environment