usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

Refresh token with valid token returns "rest_no_route." #73

Closed oivinds closed 1 year ago

oivinds commented 2 years ago

http://localhost/wp-json/jwt-auth/v1/token with form data

To check that the token is valid I do: GET http://localhost/wp-json/wp/v2/users/me with authorization bearer. I get "status 200 ok"

I'm then storing the token returned in a cookie.

refresh_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE2NTc0NTQyODgsIm5iZiI6MTY1NzQ1NDI4OCwiZXhwIjoxNjU3NDU1NjA4LCJkYXRhIjp7InVzZXIiOnsiaWQiOjUzLCJkZXZpY2UiOiIiLCJwYXNzIjoiMTFmYTM1ZTQyNjdhMzJkOWZhN2M5NWQ0ZTg1MDlkN2QifX19.EZk0uE52K2WDYp5cIVWYk4LUyMQr4MQDvsvkUnUWzrg; Path=/; Expires=Mon, 10 Jul 2023 11:23:24 GMT;


Then I am trying POST http://localhost/wp-json/jwt-auth/v1/token/refresh

{ "code": "rest_no_route", "message": "No route was found matching the URL and request method", "data": { "status": 404 } }

jakub-sekula commented 2 years ago

I don't think this plugin has refresh tokens implemented

dominic-ks commented 2 years ago

@oivinds @jakub-sekula The refresh route is registered here - https://github.com/usefulteam/jwt-auth/blob/master/class-auth.php#L87 - along with the others

Are you sure you have the latest version?

sun commented 1 year ago

@oivinds Do you maybe have caching plugins or caching backends enabled that need flushing? Or maybe your PHP opcache does not invalidate files and needs a restart?

dominic-ks commented 1 year ago

@sun @oivinds The other thing that has become apparent is that the version on wp.org (2.1.0) is behind the latest master on GitHub (3.0.1) and refresh tokens were implemented in 3.0.0.

In order to get the plugin live again on wp.org I've prepared a version 2.1.1 with the firebase update. I'm going to submit this to wp.org today and then I'll look into adding some notices to warn people of the upcoming update to V3+ which will include the refresh tokens.

Main thought here being that people using the version from wp.org will currently have JWTs with a life of 15 days and the refresh token update will knock that down to 10 mins unless they take action or update to use refresh tokens.

LorenzoInvernizzi commented 1 year ago

Good Morning,

I just installed the latest version from wp.org (2.1.3) and the refresh endpoint seems to be still missing (also the documentation is an old version). Do you know how I can use the latest version?

dominic-ks commented 1 year ago

Hello @LorenzoInvernizzi,

Yes, the wp.org version is still behind the latest master on GH. You can clone the latest with the refresh functionality from here.

LorenzoInvernizzi commented 1 year ago

Perfect, thanks. Now it works, but I don't understand the usage. I read the documentation, but my doubts are:

  1. Once I hit the token/refresh endpoint with the refresh_token in request cookies, I don't get any new bearer token in response, but only:

    { "success": true, "statusCode": 200, "code": "jwt_auth_valid_token", "message": "Token is valid" }

    Does it mean I can continue to use the existing bearer token and replace the old refresh_token with the new one received in the response, or am I missing something? 10 minutes have passed since I logged in and generated the bearer token.

  2. When calling the token/refresh API, should I pass the bearer token or not? i.e. should I whitelist the endpoint or not?

Thanks

dominic-ks commented 1 year ago

There is no whitelisting in the latest version of the plugin; it allows permissions for requests to fall back to the callback where the request is registered.

The flow for the refresh tokens is:

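The following is an added example, not part of the comment above and not the jwt-auth plugin's own code. It models the access-token / refresh-token flow the thread is asking about with nothing but the Python standard library: a short-lived HS256 access token (10 minutes, the lifetime mentioned earlier in the thread), a longer-lived refresh token that is single-use and rotated on every refresh, signature and expiry verification, and an unverified "peek" at the payload. The peek matters for the first post: the refresh_token cookie shown there is a plain JWT whose payload (issuer, iat, nbf, exp, user id, device and a pass fragment) is only base64url-encoded, so anyone holding the token can read it. The names issue_tokens(), refresh_access_token(), the "use"/"jti" claims, the secret and all timestamps are assumptions made for this example; the plugin's real routes, claim layout and refresh response may differ.

```python
# Added example: a minimal access/refresh token flow with HS256 JWTs.
# Not the jwt-auth plugin's code; claim names beyond the standard
# iss/iat/nbf/exp ("use", "jti") are assumptions for this demo.
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed value
ACCESS_TTL = 600             # 10 minutes, as discussed in the thread
REFRESH_TTL = 14 * 86400     # assumed refresh lifetime for the demo
ISSUED_REFRESH = set()       # server-side ids of refresh tokens still valid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (the alg of the token in the first post)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying. Anyone holding the token can do
    this, so claims are readable data, never a place for secrets."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now: int) -> dict:
    """Check alg, signature, nbf and exp; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def issue_tokens(user_id: int, now: int) -> dict:
    """Login: mint a short-lived access token and a single-use refresh token."""
    user = {"user": {"id": user_id}}           # no password material in the claims
    access = encode_jwt({"iss": "http://localhost", "iat": now, "nbf": now,
                         "exp": now + ACCESS_TTL, "data": user}, SECRET)
    jti = secrets.token_hex(16)
    ISSUED_REFRESH.add(jti)
    refresh = encode_jwt({"iss": "http://localhost", "iat": now, "nbf": now,
                          "exp": now + REFRESH_TTL, "use": "refresh",
                          "jti": jti, "data": user}, SECRET)
    return {"access_token": access, "refresh_token": refresh}


def refresh_access_token(refresh_token: str, now: int) -> dict:
    """Refresh endpoint: accept only a live refresh token, revoke it, issue a new pair.
    The expired access token is not needed (and not accepted) here."""
    claims = verify_jwt(refresh_token, SECRET, now)
    if claims.get("use") != "refresh":
        raise ValueError("an access token cannot be used to refresh")
    jti = claims.get("jti")
    if jti not in ISSUED_REFRESH:
        raise ValueError("refresh token revoked or already used")
    ISSUED_REFRESH.discard(jti)                # rotation: each refresh token works once
    return issue_tokens(claims["data"]["user"]["id"], now)


if __name__ == "__main__":
    pair = issue_tokens(53, 1000)
    print("claims visible without the secret:", peek_claims(pair["access_token"]))
    print("valid at t=1500:", verify_jwt(pair["access_token"], SECRET, 1500)["exp"])
    renewed = refresh_access_token(pair["refresh_token"], 1600)
    print("new access token expires at:", peek_claims(renewed["access_token"])["exp"])
```

The design choice worth noting for the questions in the thread: the refresh call is authenticated by the refresh token alone, so the client does not send the (expired) bearer token with it, and a successful refresh hands back a new access token rather than extending the old one. Storing the refresh token's id server-side is what makes revocation and single-use rotation possible, which a bare expiry claim cannot provide.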
sun commented 1 year ago

Thanks! 👌 I added that to the Wiki: https://github.com/usefulteam/jwt-auth/wiki#how-does-the-jwt-flow-with-refresh-tokens-work-overall

s72817 commented 1 year ago

When I install the latest version of this repo, I receive an error message: the plugin cannot be activated because of a critical error. I use the newest version of WordPress.

Warning: require(/home/.../mywebsite.de/wp-content/plugins/jwt-auth-master/vendor/autoload.php): failed to open stream: No such file or directory in /home/.../mywebsite.de/wp-content/plugins/jwt-auth-master/jwt-auth.php on line 25

Tragio commented 1 year ago

@sun @s72817 @dominic-ks I'm having the same problem. The WordPress.org plugin version is 2.1.3 and installing the last from the repo (3.0.1) gives the same critical error on activation. With the WordPress.org plugin version, I can't seem to have the refresh token working. 😞

Fatal error: Uncaught Error: Failed opening required '/home/xxx/webapps/yyy-API/wp-content/plugins/jwt-auth-master/vendor/autoload.php' (include_path='.:') in /home/xxx/webapps/yyy-API/wp-content/plugins/jwt-auth-master/jwt-auth.php:25 Stack trace: #0 /home/xxx/webapps/yyy-API/wp-admin/includes/plugin.php(2314): include_once() #1 /home/xxx/webapps/yyy-API/wp-admin/plugins.php(192): plugin_sandbox_scrape() #2 {main} thrown in /home/xxx/webapps/yyy-API/wp-content/plugins/jwt-auth-master/jwt-auth.php on line 25

sun commented 1 year ago

@Tragio When installing from source, you need to install dependencies using Composer. I just documented installation instructions here: https://github.com/usefulteam/jwt-auth/wiki#how-to-install-the-jwt-auth-plugin-development-version-from-github