usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

Password sent in new implementation #35

Closed virajsoni06 closed 3 years ago

virajsoni06 commented 3 years ago

Hi, there's a pass key which is sent in /validate response. Is this the user's password? Shouldn't it be removed?


virajsoni06 commented 3 years ago

Actually the pass key seems to be important. token validation fails if it isn't present in the token. Having said that, there's another major issue it seems. When a new user is created and they login the first time the pass key is null which doesn't validate. Any subsequent token creation and validation works fine. Seems odd

pesseba commented 3 years ago

Hi @virajsoni06, the pass is used to revoke tokens when users update their password. It is not the password itself, but a hash to identify the current password change. I will push a fix adding the same behaviour when a user is registered.

pesseba commented 3 years ago

Check my commit @virajsoni06: https://github.com/usefulteam/jwt-auth/commit/f0a0b4d43a6d30bbf9e397321cf476c4d0017d1e I tested here and it works fine.

virajsoni06 commented 3 years ago

@pesseba Thanks for looking into this. Will give it a go and test it out. Btw, when will the update be released on WP's plugin repository?

pesseba commented 3 years ago

Hi @virajsoni06 I have no access to deploy it in WP plugin repository. Just @contactjavas has this access. Please, confirm if this solve this other problem too: https://github.com/usefulteam/jwt-auth/issues/38

contactjavas commented 3 years ago

Hi @pesseba & @virajsoni06 , I'll push an update if this is solved/confirmed. Thanks for your effort :)

Question: is it ok/ not confusing to just keep the pass property name in the response?

virajsoni06 commented 3 years ago

Please, confirm if this solve this other problem too: #38

@pesseba unfortunately it doesn't. Will verify it once more via wp repository tomorrow

pesseba commented 3 years ago

Question: is it ok/ not confusing to just keep the pass property name in the response?

Hi @contactjavas, the 'pass' is just meta_data for internal control to revoke tokens when the user password is updated. It is used in JWT token creation to validate tokens and isn't necessary in the response.

@virajsoni06 maybe it was a bug with new refresh token feature.
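The mechanism pesseba describes above (a per-user hash stored outside the token, embedded as the `pass` claim at issue time and compared on validation, rotated on password change, and created on demand so a brand-new user's first token does not carry a null value) as an added, self-contained example. This is not the jwt-auth plugin's code: it uses a plain HS256 signer/verifier written with PHP's hash_hmac, an in-memory array in place of WordPress user meta, and assumed names (JWT_SECRET, the jwt_auth_pass meta key, the issuer URL).

```php
<?php
// Added example, not the plugin's code. HS256 JWTs with a per-user
// "password version" claim (named `pass` after the thread) so that tokens
// issued before a password change are rejected as obsolete.
// Assumption: $userMeta stands in for get_user_meta()/update_user_meta().

declare(strict_types=1);

const JWT_SECRET = 'replace-me-with-a-long-random-secret'; // assumption: real secret lives in wp-config.php

$userMeta = [];

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4));
}

// Return the user's current password-version hash, creating it if missing.
// Creating it on demand covers the new-user case from the thread: a freshly
// registered account has no stored value yet, so without this the first
// token would carry null and then fail validation.
function current_pass_version(array &$meta, int $userId): string {
    if (empty($meta[$userId]['jwt_auth_pass'])) {           // assumed meta key
        $meta[$userId]['jwt_auth_pass'] = bin2hex(random_bytes(16));
    }
    return $meta[$userId]['jwt_auth_pass'];
}

// Call this from a password-change hook: every outstanding token for the
// user now carries a stale `pass` and will be reported as obsolete.
function refresh_pass_version(array &$meta, int $userId): string {
    $meta[$userId]['jwt_auth_pass'] = bin2hex(random_bytes(16));
    return $meta[$userId]['jwt_auth_pass'];
}

function issue_token(array &$meta, int $userId, int $now, int $ttl = 3600): string {
    $header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url(json_encode([
        'iss'  => 'https://example.test',                    // assumption
        'iat'  => $now,
        'exp'  => $now + $ttl,
        'data' => ['user' => ['id' => $userId, 'pass' => current_pass_version($meta, $userId)]],
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

// Returns 'valid', 'malformed', 'bad_signature', 'expired' or 'obsolete'.
function validate_token(array &$meta, string $token, int $now): string {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return 'malformed';
    }
    [$header, $payload, $sig] = $parts;
    // Verify the MAC before trusting any claim in the payload.
    $expected = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    if (!hash_equals($expected, $sig)) {
        return 'bad_signature';
    }
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims)
        || !isset($claims['exp'], $claims['data']['user']['id'], $claims['data']['user']['pass'])) {
        return 'malformed';
    }
    if ((int) $claims['exp'] < $now) {
        return 'expired';
    }
    $userId = (int) $claims['data']['user']['id'];
    // Stored value is created if missing, so a first-login token is not
    // rejected merely because the user had no version hash yet.
    if (!hash_equals(current_pass_version($meta, $userId), (string) $claims['data']['user']['pass'])) {
        return 'obsolete';
    }
    return 'valid';
}

// Walk-through: new user with no stored meta, first token, password change,
// old token revoked, new token accepted.
$now = time();
$tokenBefore = issue_token($userMeta, 42, $now);
echo validate_token($userMeta, $tokenBefore, $now), PHP_EOL;
refresh_pass_version($userMeta, 42);   // simulate the password update
echo validate_token($userMeta, $tokenBefore, $now), PHP_EOL;
$tokenAfter = issue_token($userMeta, 42, $now);
echo validate_token($userMeta, $tokenAfter, $now), PHP_EOL;
```

The walk-through is the thread's scenario in miniature: the first token for user 42 is issued before any version hash exists, the validator still accepts it because issue and validate share one create-if-missing lookup, and after refresh_pass_version() the same token is reported obsolete while a newly issued one passes. The signature is checked with hash_equals() before any claim is read, so an attacker cannot steer the `pass` lookup with a tampered payload.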

pesseba commented 3 years ago

@pesseba unfortunately it doesn't. Will verify it once more via wp repository tomorrow

Hi @virajsoni06. Could you describe step by step to get this bug?

holygekko commented 3 years ago

I'm having the same problem :( It's fixed when reverting back to 1.4.2.

1. I call my own API to create a new user via wp_create_user($username, $password, $email).
2. I do a POST request to wp-json/jwt-auth/v1/token with { username, password } to get a token.
3. I take the data.token from the response.
4. I call my own API, e.g. wp-json/pdjnu/v1/settings, with a request header authorization: Bearer data.token.
5. I get a 403 response jwt_auth_obsolete_token - Token is obsolete.

Then I refresh (empty state) and use the login flow of my app:

1. POST request to wp-json/jwt-auth/v1/token with { username, password } to get a token.
2. I call my own API, e.g. wp-json/pdjnu/v1/settings, with a request header authorization: Bearer data.token.
3. This time everything is okay and I get the response I expect.

Again reverting back to the version 1.4.2 (from wp plugin archive bottom of the page) fixes the problem.

pesseba commented 3 years ago

I call my own api to create a new user via wp_create_user($username, $password, $email)

Hi @holygekko, wp_create_user doesn't call the user_register action. Try to call this action after user creation, to reproduce the WordPress default behaviour. But the token generation should create the $pass value if it doesn't exist yet. I will test it better...

pesseba commented 3 years ago

Hello @holygekko, I created a test based on your steps, and the token returns valid for me... Check if the code below is similar to your implementation:

// Add the test request to the whitelist so it can be called without a token
add_filter( 'jwt_auth_whitelist', function ( $endpoints ) {
    array_push( $endpoints, '/wp-json/test/v1/createuser' );
    return $endpoints;
} );

//...

// register_rest_route() must run on rest_api_init
add_action( 'rest_api_init', function () {
    register_rest_route( 'test/v1', 'createuser', array(
        array(
            'methods'  => 'GET',
            'callback' => function ( $request ) {

                // Create a throwaway user with a random name
                $username = 'auth_' . md5( uniqid( wp_rand(), true ) );
                $email    = $username . '@auth.com.br';
                $user_id  = wp_create_user( $username, 'senha@senha', $email );

                // Request a token for the freshly created user via the plugin's own route
                $r = new WP_REST_Request( 'POST', '/jwt-auth/v1/token' );
                $parameters = array(
                    'username' => $username,
                    'password' => 'senha@senha',
                );
                $r->set_body_params( $parameters );
                $response = rest_do_request( $r );

                $token = 'Bearer ' . $response->get_data()['data']['token'];

                // Validate that token with the Authorization header set
                $r = new WP_REST_Request( 'POST', '/jwt-auth/v1/token/validate' );
                $_SERVER['HTTP_AUTHORIZATION'] = $token;
                $response = rest_do_request( $r );

                return $response;
            },
            'permission_callback' => '__return_true',
        ),
    ) );
} );

holygekko commented 3 years ago

This is similar to my code. I copied your code above and tried it in my project. It didn't work.

So just to be sure I:

But it still didn't work for me unfortunately. If I install the 1.4.2 version it does work.

I can send you a Duplicator archive of this installation if you want?

pesseba commented 3 years ago

Hi @rhurling, I tested it in another environment and got the same error as you... I found the problem and could solve it. The refresh_pass function was wrong. I fixed it in my last commit and did other improvements suggested in code comments.

holygekko commented 2 years ago

Yes! It's working now :) Thank you!