wp-graphql / wp-graphql-jwt-authentication

Authentication for WPGraphQL using JWT (JSON Web Tokens)
GNU General Public License v3.0

403 Not Returned #124

Open miguelocarvajal opened 3 years ago

miguelocarvajal commented 3 years ago

Hello!

When running a query with an expired/invalid JWT token, I get the "Internal Server Error" which is fine, but do not get the 403 HTTP code.

This is problematic because determining the cause of the error on the client side now turns into parsing strings (and even that is vague because the error is generic with debugging turned off).

I looked through the code and found the problem to be validate_token:

https://github.com/wp-graphql/wp-graphql-jwt-authentication/blob/6f4c18ada3382f51c8aa690aaec3bad994af13f3/src/Auth.php#L589

https://github.com/wp-graphql/wp-graphql-jwt-authentication/blob/6f4c18ada3382f51c8aa690aaec3bad994af13f3/src/Auth.php#L596

https://github.com/wp-graphql/wp-graphql-jwt-authentication/blob/6f4c18ada3382f51c8aa690aaec3bad994af13f3/src/Auth.php#L605

These lines are returning a WP_Error and not setting the status code on line 610.

Was this done for a specific reason I am missing?

toriphes commented 3 years ago

Hello! Not receiving the correct message and http status code makes it difficult for the frontend to interpret the error.

For now on the frontend I check if the token has expired and refresh it if necessary. This approach becomes difficult when dealing with users from different time zones.

I believe that each graphql request with a JWT that for some reason is not valid must always respond with the 401 status code, giving the frontend the possibility to request a new authToken.

I don't know if there is a specific reason for this behavior. Maybe @jasonbahl, who did an amazing job with this plugin, can clarify the doubt.
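Both comments above describe the same client-side gap: without a 401/403 from the server, the frontend has to guess why a request failed, and the workaround of checking expiry locally raises time-zone worries. The block below is an added example written for this thread, not code from the plugin or from either commenter. It decodes the JWT payload without verifying it (verification stays on the server), compares the `exp` claim as the UTC epoch value it is (RFC 7519 NumericDate), which makes the check independent of the user's time zone and leaves only clock skew to handle, and classifies a response by HTTP status first, falling back to the GraphQL `errors` array only when no status is available. The token is constructed inline with a dummy signature; `makeUnsignedToken`, `isTokenExpired`, and `classifyResponse` are names chosen here, not plugin APIs.

```javascript
// Added example for this issue thread (not plugin code): client-side JWT expiry check
// and response classification for a GraphQL client talking to a WPGraphQL endpoint.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding (RFC 7515); convert to standard base64.
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8')
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Decode only; this does NOT verify the signature. The server's signature check
// still decides whether the token is accepted.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT: expected 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// exp is a NumericDate: seconds since the UNIX epoch, in UTC (RFC 7519 section 4.1.4).
// Comparing it to Date.now()/1000 is therefore time-zone independent; only clock skew
// between client and server matters, which skewSeconds absorbs.
function isTokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // a token without exp is treated as unusable
  return nowSeconds >= exp - skewSeconds; // refresh slightly before the real expiry
}

// Decide what the client should do. A 401 or 403 is the reliable signal the issue asks for;
// without it the client can only see that the errors array is non-empty, and with debugging
// off the message is generic, so the fallback cannot distinguish "expired token" from other failures.
function classifyResponse(status, body) {
  if (status === 401 || status === 403) return 'refresh';
  const errors = (body && Array.isArray(body.errors)) ? body.errors : [];
  if (errors.length > 0) return 'error';
  return 'ok';
}

// Constructed sample token (hypothetical values, dummy signature segment) for demonstration.
function makeUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = base64UrlEncode(JSON.stringify(payload));
  return `${header}.${body}.dummysignature`;
}

const SAMPLE_TOKEN = makeUnsignedToken({
  iss: 'https://example.test', // constructed issuer
  iat: 1600000000,
  exp: 1600000300, // five minutes after iat
});

// Stand-alone demonstration.
console.log('expired at 1600000400:', isTokenExpired(SAMPLE_TOKEN, 1600000400));
console.log('expired at 1600000000:', isTokenExpired(SAMPLE_TOKEN, 1600000000));
console.log('401 ->', classifyResponse(401, null));
console.log('200 with errors ->', classifyResponse(200, { errors: [{ message: 'Internal server error' }] }));
```

In practice the client calls `isTokenExpired` before sending a request to refresh proactively, and `classifyResponse` on the reply to handle a token the server rejected for reasons the client cannot see locally (revocation, a changed secret); the second path only works well once the endpoint returns the 401/403 discussed in this issue.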