usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

Wrong HTTP Code when no Authorization header is passed #67

Closed GaetanOclock closed 2 years ago

GaetanOclock commented 2 years ago

Current behavior: When using a protected route, if no Authorization header is passed, we get a success response with code 200 with an error body:

{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_no_auth_header",
    "message": "Authorization header not found.",
    "data": []
}

Expected behavior: When using a protected route, if no Authorization header is passed, we should get an error with a 403 HTTP status code.

Fix: Use the second constructor argument when instantiating WP_REST_Response() in class-auth.php at line 293 to send an actual 403 response.

if ( ! $auth ) {
    return new WP_REST_Response(
        array(
            'success'    => false,
            'statusCode' => 403,
            'code'       => 'jwt_auth_no_auth_header',
            'message'    => $this->messages['jwt_auth_no_auth_header'],
            'data'       => array(),
        ),
        403 // add the actual status code here
    );
}
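As an added regression check (not code from the plugin or from the issue author), a Python probe that requests a route with no Authorization header and flags the mismatch reported above; anything keyed on the HTTP status, such as rate limiters, WAF rules or alerting on 401/403 counts, silently misses failures that arrive as 200. The URL in the main block is a placeholder, and the sample responses are constructed from the body shown in the issue.

```python
import json
import urllib.error
import urllib.request

# Constructed samples, not captured from a live site. MISMATCHED is the
# behaviour the issue reports (HTTP 200 carrying a 403 error body);
# CORRECT is what the proposed fix produces.
ERROR_BODY = {
    "success": False,
    "statusCode": 403,
    "code": "jwt_auth_no_auth_header",
    "message": "Authorization header not found.",
    "data": [],
}
MISMATCHED = (200, ERROR_BODY)
CORRECT = (403, ERROR_BODY)


def audit_auth_response(http_status: int, body: dict) -> list:
    """Return findings when the HTTP status line and the jwt-auth JSON
    body disagree about whether the request was rejected."""
    findings = []
    # A failure body must never travel under a 2xx status.
    if body.get("success") is False and 200 <= http_status < 300:
        findings.append("body reports failure but HTTP status is %d" % http_status)
    # The body's own statusCode field should match the real status.
    declared = body.get("statusCode")
    if isinstance(declared, int) and declared != http_status:
        findings.append("body statusCode %d != HTTP status %d" % (declared, http_status))
    return findings


def probe_without_auth(url: str, timeout: float = 10.0):
    """Request a protected route with no Authorization header and return
    (http_status, parsed_body). urllib raises on 4xx/5xx, so the error
    branch reads the JSON body from the exception object instead."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a live check
    # call probe_without_auth("<your-site>/wp-json/<protected-route>") instead.
    for label, (status, body) in (("mismatched", MISMATCHED), ("correct", CORRECT)):
        print(label, audit_auth_response(status, body))
```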

GaetanOclock commented 2 years ago

Actually this issue seems fixed in the GitHub current version (with a code 401 though, which seems strange to me), but not in the version I got when downloading the plugin with Composer from wpackagist :thinking: Both sources are tagged with version 2.1.0.