wp-net / WordPressPCL

This is a portable library for consuming the WordPress REST-API in (almost) any C# application
MIT License

wpc.IsValidJWToken() is always false .htaccess is thought to be correct #159

Closed pilotkid closed 3 years ago

pilotkid commented 5 years ago

Hello all, I am trying to authenticate using JWT; however, is valid is always returning false.

 WordPressClient wpc = new WordPressClient("http://shootingsportssoftware.com/wp-json");
 wpc.AuthMethod = AuthMethod.JWT; //NOT SIMPLIFIED FOLLOWING DEMO
 await wpc.RequestJWToken("arealusername", "supersecurepassword");
 var isValidToken = await wpc.IsValidJWToken();

When I use Postman or CURL to make the request it returns a valid token.

polushinmk commented 5 years ago

@pilotkid the library sends request params in the body, not in the URL, with the x-www-form-urlencoded header. Could you test your site with this?

pilotkid commented 5 years ago

Sadly I am getting the same response.

polushinmk commented 5 years ago

OK. Also, you could check the response with the GetToken() method. Or you could check the token/validate endpoint with Postman, like the IsValidJWToken method.

pilotkid commented 5 years ago

Interesting, when I try to validate the token it says that the authorization header was not found. Is that caused by htaccess or something else?

Also, a quick side note: the only reason why I am posting the tokens is because I am planning on changing the secret key after this is resolved.

polushinmk commented 5 years ago

Seems that the server doesn't accept the Authorization header. Maybe the problem is in htaccess, maybe in your hosting provider.

pilotkid commented 5 years ago

While I wait to hear back from my hosting provider here is my htaccess file

WPENGINE

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

<ifModule mod_headers.c>
    Header always add Access-Control-Allow-Origin: "*"
    Header always add Access-Control-Allow-Methods "POST, GET, PUT, DELETE, OPTIONS"
    Header always add Access-Control-Allow-Headers "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With"
</ifModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
</IfModule>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# END WordPress

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>

# END Wordfence WAF

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteRule ^(.*)$ https://www.shootingsportssoftware.com/$1 [R=301,L]

DSMTurboAWD commented 5 years ago

Has there been any fix or update on this? I am also experiencing this issue, using the same mechanism above. I have also tested with Postman, and am using an Angular request to the server which sends a valid token.

pilotkid commented 5 years ago

Not that I know of. I ended up giving up. But thinking about it again I wonder if wordfence is interfering. Are you also running wordfence?

DSMTurboAWD commented 5 years ago

If this was my production server, then I certainly would be, but this is done on an AMPPS install of WordPress that I use for testing. I do have the htaccess, CORS and all those configurations set correctly, as confirmed by Postman, and my calls using Angular. I was hoping it was a simple easy fix, as I like the idea of this package, as it would make an easy access controlled content viewer, if I could get it to work.

michaellleslie commented 5 years ago

I wish I could remember the URL for the original documentation, but I found a reference to this issue, claiming, I think, that the required lines in the .htaccess needed to be near or at the top. Prior to this adjustment, I was getting the same result you are; afterwards it works. The start of my .htaccess file looks like this:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

RewriteCond %{HTTP_HOST} ^xxx-a-domain.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.xxx-a-domain.com/$1 [R,L]
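
Added example, not part of the thread or of WordPressPCL: a small Python check for the ordering described in the comment above. It reports whether the rule that sets HTTP_AUTHORIZATION sits after an earlier RewriteRule carrying the [L] flag, which ends rule processing whenever that earlier rule matches, so the header is never copied for those requests. The function name and the two sample files (constructed from the orderings quoted in this thread) are assumptions.

```python
import re

# A RewriteRule line: pattern, substitution, optional [flags] block (captured).
RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?', re.I)

def check_auth_passthrough(htaccess_text):
    """Return (status, auth_rule_line, earlier_L_rule_line).

    status is 'ok', 'shadowed' or 'missing'. Heuristic: any earlier rule with
    an L/END flag is treated as able to stop processing before the auth rule.
    Rules inside separate <IfModule> blocks still share one ordered ruleset.
    """
    first_last = None
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        flags = [f.strip().upper() for f in (m.group(1) or "").split(",")]
        if any(f.startswith(("E=HTTP_AUTHORIZATION", "ENV=HTTP_AUTHORIZATION"))
               for f in flags):
            if first_last is not None:
                return ("shadowed", no, first_last)
            return ("ok", no, None)
        if first_last is None and any(f in ("L", "LAST", "END") for f in flags):
            first_last = no
    return ("missing", None, first_last)

# Constructed sample: auth rule placed after the WordPress catch-all rules.
BEFORE = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
</IfModule>
"""

# Constructed sample: auth rule moved to the top of the file.
AFTER = r"""RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_auth_passthrough(text))
```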

BehinaGroup commented 5 years ago

RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

Your comment helped me to solve the issue. Thanks a lot.

ThomasPe commented 3 years ago

I’m closing this issue because it has been inactive for a while. Please feel free to reopen if you still encounter this issue. Thanks!