usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

Updated firebase/jwt to 6.3. #76

Closed dominic-ks closed 2 years ago

dominic-ks commented 2 years ago

Updating firebase/php-jwt to 6.3 to address security issues in versions < 6.X. Small adjustment required to use the Firebase\JWT\Key class when decoding tokens.
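The decoding change this PR describes, shown as an added example (not the plugin's own code and not part of this PR): php-jwt 5.x accepted a bare secret plus a list of allowed algorithms, while 6.x requires a `Firebase\JWT\Key` that binds the key material to the one algorithm it may be verified with. The autoload path, the issuer URL and the secret are assumptions or constructed sample values.

```php
<?php
// Added example, not the jwt-auth plugin's code. Assumes firebase/php-jwt ^6.3
// installed via composer; the secret is a constructed sample value.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Firebase\JWT\ExpiredException;
use Firebase\JWT\SignatureInvalidException;

$secret = 'constructed-sample-secret-do-not-use'; // constructed; a real deployment uses a long random value

// Issue a short-lived HS256 token, the kind the plugin hands out on /token.
$now = time();
$payload = [
    'iss'  => 'http://jwt.local', // sample issuer (assumption)
    'iat'  => $now,
    'nbf'  => $now,
    'exp'  => $now + 600,
    'data' => ['user' => ['id' => 1]],
];
$jwt = JWT::encode($payload, $secret, 'HS256');

// php-jwt < 6.x:  JWT::decode($jwt, $secret, ['HS256']);
// php-jwt 6.x:    the Key object carries both the secret and the only algorithm
//                 it may be used with, so the token's "alg" header cannot pick
//                 an algorithm the key was never meant for.
try {
    $decoded = JWT::decode($jwt, new Key($secret, 'HS256'));
    printf("user id %d, expires %s\n", $decoded->data->user->id, date('c', $decoded->exp));
} catch (ExpiredException $e) {
    echo "token expired\n";
} catch (SignatureInvalidException $e) {
    echo "signature invalid\n";
} catch (\UnexpectedValueException $e) {
    // malformed token, unsupported or mismatched algorithm, bad claims
    echo "invalid token: " . $e->getMessage() . "\n";
}
```

Each exception type maps naturally onto a distinct error code such as the plugin's `jwt_auth_invalid_token`, which is why the decode call is the only place that needs touching when moving to 6.x.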

dominic-ks commented 2 years ago

Hey @sun, had meant to say I'd had issues with the tests, because I'm using Docker and my container running tests can't access WP using localhost, anyway.

There is one test failing I think - RefreshTokenTest\testTokenRefreshWithInvalidRefreshToken - because sending a request to /token/refresh with the refresh token as a bearer in the auth header is expecting jwt_auth_no_auth_cookie but instead it gets jwt_auth_invalid_token.

I've just run this on the current master branch and get the same error. This is presumably because the plugin uses token/validate any time there is a token in the auth header?

I'd just propose that here we change the test to exclude the auth header if we want to test that the jwt_auth_no_auth_cookie is returned otherwise. If you agree I'll update that.

sun commented 2 years ago

I forgot to run composer update to get the new version of the library. Why is composer.lock not under version control?

With the updated library, all tests pass for me:

$ URL=http://jwt.local USERNAME=test PASSWORD=test composer run test
> ./vendor/bin/phpunit
PHPUnit 9.5.25

.............                                                     13 / 13 (100%)

Time: 00:33.838, Memory: 6.00 MB

OK (13 tests, 110 assertions)

FYI: You can see additional debugging output for all requests by passing the --debug flag to phpunit; though you need to separate it from the arguments for composer with --:

$ URL=http://jwt.local USERNAME=test PASSWORD=test composer run test -- --debug

sun commented 2 years ago

@pesseba Can you review and approve this update? Two approvals are required 🙂

dominic-ks commented 2 years ago

@sun are you on Discord? We've got a devs channel set up and would be good to chat about a couple of things if you are able to?

sun commented 2 years ago

Thanks, that's a very good suggestion :) Unfortunately I'm very short on time currently as I'm about to be on parental leave starting from next week. Therefore I can't promise something right now, but I'll try to connect and find you as soon as time permits!