usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/
122 stars 48 forks source link

Compatible with Basic Authentication #25

Open baochungit opened 3 years ago

baochungit commented 3 years ago

When enabled, I see that if the request header comes with Basic Authorization (WC uses it), the plugin throws an error jwt_auth_bad_auth_header. Could we make it not an error so that other plugins can work with other authentications?

Is throwing jwt_auth_no_auth_header in this case a good idea?

stevapple commented 2 years ago

Met the same problem. There should be a way to support Basic Authentication, instead of letting jwt-auth totally shadow it.

pesseba commented 2 years ago

There is a workaround for this situation. You can use the filter jwt_auth_authorization_header to change the header key used for the plugin. So, instead of Authentication you must set up something like JWTAuthentication in .htaccess settings, as follows:

RewriteEngine on
RewriteCond %{HTTP:JWTAuthorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_JWT_AUTHORIZATION:%1]

and in your custom wp plugin or functions:

add_filter( 'jwt_auth_authorization_header', function($headerkey){
        return 'HTTP_JWT_AUTHORIZATION';
} );

fabiangigler commented 2 years ago

@pesseba Just wanted to let you, and future people coming across this issue know, that this ONLY works from within a feature plugin, and does not change anything when used from the theme's functions.php.

I'm assuming it has to do with the order WordPress loads theme and plugin code?

pesseba commented 2 years ago

@fabiangigler Yes. The theme is loaded only in front-end requests. REST API requests have no front-end dependency. So, you must add these filters in some plugin.

kheftel commented 2 years ago

There is a workaround for this situation. You can use the filter jwt_auth_authorization_header to change the header key used for the plugin. So, instead of Authentication you must set up something like JWTAuthentication in .htaccess settings, as follows:

RewriteEngine on
RewriteCond %{HTTP:JWTAuthorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_JWT_AUTHORIZATION:%1]

and in your custom wp plugin or functions:

add_filter( 'jwt_auth_authorization_header', function($headerkey){
        return 'HTTP_JWT_AUTHORIZATION';
} );

This worked for me on an Apache server that's stripping authorization headers. Just wanted to add that the format for sending the header is Jwt-Authorization: Bearer TOKENVALUE; it took me a minute to figure out the naming convention.
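
The naming convention behind the workaround in this thread, and how a Basic header and a JWT header can travel in the same request, as an added example that is not part of the thread or the plugin's own code. The helpers header_to_server_key and read_bearer_token are hypothetical, and the request values are constructed.

```php
<?php
// Added example, not jwt-auth's code. Runs with plain PHP; WordPress is not needed.

// CGI/PHP convention: a request header "Foo-Bar" is exposed as $_SERVER['HTTP_FOO_BAR']
// (prefix HTTP_, upper-case, dashes become underscores).
function header_to_server_key(string $header): string {
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

// Hypothetical reader: returns the bearer token stored under $key, or null when the
// value is missing or uses another scheme (such as Basic). Returning null instead of
// raising an error lets other authentication handlers process the request.
function read_bearer_token(array $server, string $key): ?string {
    $value = trim($server[$key] ?? '');
    if ($value === '') {
        return null;
    }
    if (!preg_match('/^Bearer\s+(\S+)$/i', $value, $m)) {
        return null;
    }
    return $m[1];
}

// Constructed request: Basic credentials in Authorization (placeholder key/secret)
// and the JWT in its own header, as in the workaround above.
$server = [
    header_to_server_key('Authorization')     => 'Basic ' . base64_encode('ck_example:cs_example'),
    header_to_server_key('Jwt-Authorization') => 'Bearer TOKENVALUE',
];

// The key the filter in this thread returns; it corresponds to the header
// name Jwt-Authorization on the wire.
$jwt_key = header_to_server_key('Jwt-Authorization');
echo $jwt_key, PHP_EOL;

// Default key: the value is Basic, so the JWT reader steps aside.
var_dump(read_bearer_token($server, 'HTTP_AUTHORIZATION'));

// Dedicated key: the JWT is found without touching the Basic credentials.
var_dump(read_bearer_token($server, $jwt_key));
```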