Open pesseba opened 4 years ago
I created a fork with this implementation and a pull request: https://github.com/usefulteam/jwt-auth/pull/10
Hi @pesseba, that PR was already merged a few months ago. Is this issue still valid? I want to close this if this is not an issue anymore :)
Looks like it all works fine when it comes to changing the auth header variable name - I've just used this in a project on Kinsta with a staging website (example below)
```php
add_filter(
    'jwt_auth_authorization_header',
    function ( $header ) {
        // Read the JWT from this $_SERVER key instead of HTTP_AUTHORIZATION.
        return 'HTTP_DIFFERENTTOKEN';
    },
    10,
    1
);
```
But I'm running into a problem now with actually getting an auth token in the first place...
If I send through the following curl request (yes, the username + password in the form data are valid...)
```sh
curl --location --request POST '{{DOMAIN}}/wp-json/jwt-auth/v1/token' \
  --header 'Authorization: Basic {{HTTP AUTH TOKEN}}' \
  --header 'Cookie: PPM_GE_COHORT=A' \
  --form 'username="username"' \
  --form 'password="password"'
```
I end up with an invalid username error.
```json
{
  "code": "invalid_username",
  "message": "Unknown username. Check again or try your email address.",
  "data": null
}
```
Presumably it's trying to use the username/password from the basic auth instead of the form data - as when I create a WordPress user with the username+password the same as the HTTP auth, the request starts to work...
If I understood correctly, you are trying to get a token with username and password, but you are sending the Authorization header too. Try removing the Authorization header in this call. The jwt-auth/v1/token call requires only two body parameters (username and password).
Ah but if I do this then the staging site nginx auth takes over and gives me a 401 Authorization Required
I understand now. I work the same way in a staging environment and this problem does not happen for me.
Are you using .htpasswd-style authentication?
Hi, the HTTP_AUTHORIZATION header can conflict with the page protection header parameter, as in WPEngine hosting, for example. This kind of page protection is useful for sites under construction, staging and development environments with no external access. Could you please create a filter to change the header key used? Something like this:
```php
$headerkey = apply_filters('jwt_auth_authorization_header', 'HTTP_AUTHORIZATION');
$auth = isset( $_SERVER[$headerkey] ) ? $_SERVER[$headerkey] : false;
```
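The header conflict discussed in this thread, as an added example that is not part of the thread or of the plugin's code: plain PHP (no WordPress) that looks a token up under a configurable `$_SERVER` key and refuses any value that is not a bearer token, so the staging gate's Basic credentials are never passed on as a JWT. The function names, the `DifferentToken` header name, the sample values and the use of the `Bearer` scheme are assumptions.

```php
<?php
// Added example. All names and values below are hypothetical or constructed.

/** Map an HTTP header name to the $_SERVER key PHP exposes it under (CGI convention). */
function header_to_server_key(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

/**
 * Return the bearer token stored under $key, or null.
 * Any other scheme (for example the Basic credentials of a protected
 * staging site) is rejected instead of being treated as a token.
 */
function read_bearer_token(array $server, string $key): ?string
{
    if (!isset($server[$key]) || !is_string($server[$key])) {
        return null;
    }
    // Compact JWT shape: three non-empty base64url segments separated by dots.
    $pattern = '/^Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/';
    if (preg_match($pattern, trim($server[$key]), $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed request: Basic credentials satisfy the staging gate,
// while the token travels in a separate header.
$server = [
    'HTTP_AUTHORIZATION'  => 'Basic ' . base64_encode('staging:constructed-password'),
    'HTTP_DIFFERENTTOKEN' => 'Bearer aaa.bbb.ccc', // placeholder, not a real JWT
];

$default_key = 'HTTP_AUTHORIZATION';
$custom_key  = header_to_server_key('DifferentToken');

// Default key: the header holds Basic credentials, so no token is accepted.
var_dump(read_bearer_token($server, $default_key));

// Custom key: the token is read without touching the Authorization header.
var_dump(read_bearer_token($server, $custom_key));
```

When picking the custom header name for a site behind nginx, avoid underscores in the name itself: nginx ignores such request headers unless `underscores_in_headers` is enabled.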