JWT Authentication for WP REST API - Version 1.2.5

Version Description


Release Info

Developer Tmeister
Version 1.2.5

Code changes from version 1.2.4 to 1.2.5

README.md CHANGED
@@ -16,11 +16,11 @@ So, to use the **wp-api-jwt-auth** you need to install and activate [WP REST API
16
 
17
  **Minimum PHP version: 5.3.0**
18
 
19
- ### Eable PHP HTTP Authorization Header
20
 
21
  #### Shared Hosts
22
 
23
- Most of the shared hosts have disabled the **HTTP Authorization Header** by default.
24
 
25
  To enable this option you'll need to edit your **.htaccess** file by adding the following:
26
 
@@ -52,7 +52,7 @@ To add the **secret key**, edit your wp-config.php file and add a new constant c
52
 
53
 
54
  ```php
55
- define('JWT_AUTH_SECRET_KEY', 'your-top-secrect-key');
56
  ```
57
 
58
  You can use a string from here https://api.wordpress.org/secret-key/1.1/salt/
@@ -84,19 +84,19 @@ When the plugin is activated, a new namespace is added.
84
  Also, two new endpoints are added to this namespace.
85
 
86
 
87
- Endpoint | HTTP Verb
88
- --- | ---
89
- */wp-json/jwt-auth/v1/token* | POST
90
- */wp-json/jwt-auth/v1/token/validate* | POST
91
 
92
- ##Usage
93
  ### /wp-json/jwt-auth/v1/token
94
 
95
  This is the entry point for the JWT Authentication.
96
 
97
  Validates the user credentials, *username* and *password*, and returns a token to use in a future request to the API if the authentication is correct or error if the authentication fails.
98
 
99
- ####Sample request using AngularJS
100
 
101
  ```javascript
102
 
@@ -188,7 +188,7 @@ Host: server.example.com
188
  Authorization: Bearer mF_s9.B5f-4.1JqM
189
  ```
190
 
191
- ###Errors
192
 
193
  If the token is invalid an error will be returned. Here are some samples of errors:
194
 
@@ -249,11 +249,11 @@ Valid Token Response:
249
  }
250
  ```
251
 
252
- ##Available Hooks
253
 
254
  The **wp-api-jwt-auth** is dev friendly and has five filters available to override the default settings.
255
 
256
- ####jwt_auth_cors_allow_headers
257
 
258
  The **jwt_auth_cors_allow_headers** allows you to modify the available headers when the CORs support is enabled.
259
 
@@ -263,7 +263,7 @@ Default Value:
263
  'Access-Control-Allow-Headers, Content-Type, Authorization'
264
  ```
265
 
266
- ###jwt_auth_not_before
267
 
268
  The **jwt_auth_not_before** allows you to change the [**nbf**](https://tools.ietf.org/html/rfc7519#section-4.1.5) value before the token is created.
269
 
@@ -273,7 +273,7 @@ Default Value:
273
  Creation time - time()
274
  ```
275
 
276
- ###jwt_auth_expire
277
 
278
  The **jwt_auth_expire** allows you to change the value [**exp**](https://tools.ietf.org/html/rfc7519#section-4.1.4) before the token is created.
279
 
@@ -283,7 +283,7 @@ Default Value:
283
  time() + (DAY_IN_SECONDS * 7)
284
  ```
285
 
286
- ###jwt_auth_token_before_sign
287
 
288
  The **jwt_auth_token_before_sign** allows you to modify all the token data before to be encoded and signed.
289
 
@@ -304,7 +304,7 @@ $token = array(
304
  );
305
  ```
306
 
307
- ###jwt_auth_token_before_dispatch
308
  The **jwt_auth_token_before_dispatch** allows you to modify all the response array before to dispatch it to the client.
309
 
310
  Default value:
16
 
17
  **Minimum PHP version: 5.3.0**
18
 
19
+ ### Enable PHP HTTP Authorization Header
20
 
21
  #### Shared Hosts
22
 
23
+ Most shared hosts have disabled the **HTTP Authorization Header** by default.
24
 
25
  To enable this option you'll need to edit your **.htaccess** file by adding the following:
26
 
52
 
53
 
54
  ```php
55
+ define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');
56
  ```
57
 
58
  You can use a string from here https://api.wordpress.org/secret-key/1.1/salt/
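Review bot: documentation gap in this hunk: line 58 points at the WordPress salt generator, but the README never says why the value matters. `JWT_AUTH_SECRET_KEY` is the key that signs every token the site issues, so anyone who obtains it can mint a token for any user. While the placeholder is being corrected, add a sentence stating that `your-top-secret-key` must be replaced with a long random string, that the value must not be committed to version control, and that rotating it invalidates all outstanding tokens.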
84
  Also, two new endpoints are added to this namespace.
85
 
86
 
87
+ | Endpoint | HTTP Verb |
88
+ | ------------------------------------- | --------- |
89
+ | */wp-json/jwt-auth/v1/token* | POST |
90
+ | */wp-json/jwt-auth/v1/token/validate* | POST |
91
 
92
+ ## Usage
93
  ### /wp-json/jwt-auth/v1/token
94
 
95
  This is the entry point for the JWT Authentication.
96
 
97
  Validates the user credentials, *username* and *password*, and returns a token to use in a future request to the API if the authentication is correct or error if the authentication fails.
98
 
99
+ #### Sample request using AngularJS
100
 
101
  ```javascript
102
 
188
  Authorization: Bearer mF_s9.B5f-4.1JqM
189
  ```
190
 
191
+ ### Errors
192
 
193
  If the token is invalid an error will be returned. Here are some samples of errors:
194
 
249
  }
250
  ```
251
 
252
+ ## Available Hooks
253
 
254
  The **wp-api-jwt-auth** is dev friendly and has five filters available to override the default settings.
255
 
256
+ #### jwt_auth_cors_allow_headers
257
 
258
  The **jwt_auth_cors_allow_headers** allows you to modify the available headers when the CORs support is enabled.
259
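Review bot: heading level is inconsistent in this hunk: `#### jwt_auth_cors_allow_headers` is an h4, while the sibling filters that follow (`### jwt_auth_not_before`, `### jwt_auth_expire`, `### jwt_auth_token_before_sign`, `### jwt_auth_token_before_dispatch`) are h3 under `## Available Hooks`. Since this commit already normalizes the space after the hashes, change it to `### jwt_auth_cors_allow_headers` so the five filters render at the same level.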
 
263
  'Access-Control-Allow-Headers, Content-Type, Authorization'
264
  ```
265
 
266
+ ### jwt_auth_not_before
267
 
268
  The **jwt_auth_not_before** allows you to change the [**nbf**](https://tools.ietf.org/html/rfc7519#section-4.1.5) value before the token is created.
269
 
273
  Creation time - time()
274
  ```
275
 
276
+ ### jwt_auth_expire
277
 
278
  The **jwt_auth_expire** allows you to change the value [**exp**](https://tools.ietf.org/html/rfc7519#section-4.1.4) before the token is created.
279
 
283
  time() + (DAY_IN_SECONDS * 7)
284
  ```
285
 
286
+ ### jwt_auth_token_before_sign
287
 
288
  The **jwt_auth_token_before_sign** allows you to modify all the token data before to be encoded and signed.
289
 
304
  );
305
  ```
306
 
307
+ ### jwt_auth_token_before_dispatch
308
  The **jwt_auth_token_before_dispatch** allows you to modify all the response array before to dispatch it to the client.
309
 
310
  Default value:
includes/class-jwt-auth.php CHANGED
@@ -93,25 +93,25 @@ class Jwt_Auth
93
  /**
94
  * Load dependecies managed by composer.
95
  */
96
- require_once plugin_dir_path(dirname(__FILE__)).'includes/vendor/autoload.php';
97
 
98
  /**
99
  * The class responsible for orchestrating the actions and filters of the
100
  * core plugin.
101
  */
102
- require_once plugin_dir_path(dirname(__FILE__)).'includes/class-jwt-auth-loader.php';
103
 
104
  /**
105
  * The class responsible for defining internationalization functionality
106
  * of the plugin.
107
  */
108
- require_once plugin_dir_path(dirname(__FILE__)).'includes/class-jwt-auth-i18n.php';
109
 
110
  /**
111
  * The class responsible for defining all actions that occur in the public-facing
112
  * side of the site.
113
  */
114
- require_once plugin_dir_path(dirname(__FILE__)).'public/class-jwt-auth-public.php';
115
 
116
  $this->loader = new Jwt_Auth_Loader();
117
  }
@@ -141,8 +141,27 @@ class Jwt_Auth
141
  $plugin_public = new Jwt_Auth_Public($this->get_plugin_name(), $this->get_version());
142
  $this->loader->add_action('rest_api_init', $plugin_public, 'add_api_routes');
143
  $this->loader->add_filter('rest_api_init', $plugin_public, 'add_cors_support');
144
- $this->loader->add_filter('determine_current_user', $plugin_public, 'determine_current_user', 10);
145
- $this->loader->add_filter( 'rest_pre_dispatch', $plugin_public, 'rest_pre_dispatch', 10, 2 );
146
  }
147
 
148
  /**
93
  /**
94
  * Load dependecies managed by composer.
95
  */
96
+ require_once plugin_dir_path(dirname(__FILE__)) . 'includes/vendor/autoload.php';
97
 
98
  /**
99
  * The class responsible for orchestrating the actions and filters of the
100
  * core plugin.
101
  */
102
+ require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-jwt-auth-loader.php';
103
 
104
  /**
105
  * The class responsible for defining internationalization functionality
106
  * of the plugin.
107
  */
108
+ require_once plugin_dir_path(dirname(__FILE__)) . 'includes/class-jwt-auth-i18n.php';
109
 
110
  /**
111
  * The class responsible for defining all actions that occur in the public-facing
112
  * side of the site.
113
  */
114
+ require_once plugin_dir_path(dirname(__FILE__)) . 'public/class-jwt-auth-public.php';
115
 
116
  $this->loader = new Jwt_Auth_Loader();
117
  }
141
  $plugin_public = new Jwt_Auth_Public($this->get_plugin_name(), $this->get_version());
142
  $this->loader->add_action('rest_api_init', $plugin_public, 'add_api_routes');
143
  $this->loader->add_filter('rest_api_init', $plugin_public, 'add_cors_support');
144
+ $this->loader->add_filter('rest_pre_dispatch', $plugin_public, 'rest_pre_dispatch', 10, 2);
145
+ /**
146
+ * Gutenberg fix
147
+ * Now with Gutenberg the WP API usage is masive and most of the call are in the admin.
148
+ * The JWT token should be used only when the user is not logged in, aka remote calls.
149
+ * This validation search for the WordPress logged in cookie if exists the filter on
150
+ * the determine_current_user hook is not applied.
151
+ *
152
+ * @since 1.2.5
153
+ */
154
+ $is_user_logged_in = false;
155
+ foreach ($_COOKIE as $name => $value) {
156
+ if (strpos($name, 'wordpress_logged_in_') === 0) {
157
+ $is_user_logged_in = true;
158
+ break;
159
+ }
160
+ }
161
+ if (!$is_user_logged_in) {
162
+ $this->loader->add_filter('determine_current_user', $plugin_public, 'determine_current_user', 10);
163
+
164
+ }
165
  }
166
 
167
  /**
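Review bot: the cookie scan at lines 154-160 tests only for the presence of a cookie whose name starts with `wordpress_logged_in_`, not for its validity, and `$_COOKIE` is client-controlled. Any request that carries, say, `wordpress_logged_in_x=1` next to a valid `Authorization: Bearer` header now never registers the `determine_current_user` filter and is handled as anonymous, and a browser holding a stale or expired WordPress cookie gets the same silent fallback instead of the JWT error responses the README documents. At minimum compare against the exact cookie name WordPress exposes as the `LOGGED_IN_COOKIE` constant rather than a prefix scan. The more robust fix is to keep the filter registered unconditionally and decide per request inside `Jwt_Auth_Public::determine_current_user()`, which already returns `$user` untouched for non-REST requests and for requests without a header: core validates the logged-in cookie on this same hook via `wp_validate_logged_in_cookie` at priority 20, so registering the plugin's callback at a later priority (for example 30) and adding an early `if (!empty($user)) { return $user; }` defers to a cookie core has actually validated, which is the Gutenberg case the comment describes, without trusting a cookie name from the client. The comment block also has typos (`masive`, `most of the call are`), and the empty line 163 inside the `if` can go.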
jwt-auth.php CHANGED
@@ -15,7 +15,7 @@
15
  * Plugin Name: JWT Authentication for WP-API
16
  * Plugin URI: https://enriquechavez.co
17
  * Description: Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.
18
- * Version: 1.2.4
19
  * Author: Enrique Chavez
20
  * Author URI: https://enriquechavez.co
21
  * License: GPL-2.0+
15
  * Plugin Name: JWT Authentication for WP-API
16
  * Plugin URI: https://enriquechavez.co
17
  * Description: Extends the WP REST API using JSON Web Tokens Authentication as an authentication method.
18
+ * Version: 1.2.5
19
  * Author: Enrique Chavez
20
  * Author URI: https://enriquechavez.co
21
  * License: GPL-2.0+
public/class-jwt-auth-public.php CHANGED
@@ -64,7 +64,7 @@ class Jwt_Auth_Public
64
  {
65
  $this->plugin_name = $plugin_name;
66
  $this->version = $version;
67
- $this->namespace = $this->plugin_name.'/v'.intval($this->version);
68
  }
69
 
70
  /**
@@ -72,10 +72,10 @@ class Jwt_Auth_Public
72
  */
73
  public function add_api_routes()
74
  {
75
- register_rest_route($this->namespace, 'token', [
76
  'methods' => 'POST',
77
  'callback' => array($this, 'generate_token'),
78
- ]);
79
 
80
  register_rest_route($this->namespace, 'token/validate', array(
81
  'methods' => 'POST',
@@ -125,7 +125,7 @@ class Jwt_Auth_Public
125
  if (is_wp_error($user)) {
126
  $error_code = $user->get_error_code();
127
  return new WP_Error(
128
- '[jwt_auth] '.$error_code,
129
  $user->get_error_message($error_code),
130
  array(
131
  'status' => 403,
@@ -184,7 +184,7 @@ class Jwt_Auth_Public
184
  **/
185
  $rest_api_slug = rest_get_url_prefix();
186
  $valid_api_uri = strpos($_SERVER['REQUEST_URI'], $rest_api_slug);
187
- if(!$valid_api_uri){
188
  return $user;
189
  }
190
 
@@ -226,12 +226,11 @@ class Jwt_Auth_Public
226
  * Looking for the HTTP_AUTHORIZATION header, if not present just
227
  * return the user.
228
  */
229
- $auth = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : false;
230
-
231
 
232
  /* Double check for different auth header string (server dependent) */
233
  if (!$auth) {
234
- $auth = isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : false;
235
  }
236
 
237
  if (!$auth) {
@@ -301,22 +300,22 @@ class Jwt_Auth_Public
301
  return $token;
302
  }
303
  /** If the output is true return an answer to the request to show it */
304
- return array(
305
- 'code' => 'jwt_auth_valid_token',
306
- 'data' => array(
307
- 'status' => 200,
308
- ),
309
- );
310
- } catch (Exception $e) {
311
  /** Something is wrong trying to decode the token, send back the error */
312
- return new WP_Error(
313
- 'jwt_auth_invalid_token',
314
- $e->getMessage(),
315
- array(
316
- 'status' => 403,
317
- )
318
- );
319
- }
320
  }
321
 
322
  /**
64
  {
65
  $this->plugin_name = $plugin_name;
66
  $this->version = $version;
67
+ $this->namespace = $this->plugin_name . '/v' . intval($this->version);
68
  }
69
 
70
  /**
72
  */
73
  public function add_api_routes()
74
  {
75
+ register_rest_route($this->namespace, 'token', array(
76
  'methods' => 'POST',
77
  'callback' => array($this, 'generate_token'),
78
+ ));
79
 
80
  register_rest_route($this->namespace, 'token/validate', array(
81
  'methods' => 'POST',
125
  if (is_wp_error($user)) {
126
  $error_code = $user->get_error_code();
127
  return new WP_Error(
128
+ '[jwt_auth] ' . $error_code,
129
  $user->get_error_message($error_code),
130
  array(
131
  'status' => 403,
184
  **/
185
  $rest_api_slug = rest_get_url_prefix();
186
  $valid_api_uri = strpos($_SERVER['REQUEST_URI'], $rest_api_slug);
187
+ if (!$valid_api_uri) {
188
  return $user;
189
  }
190
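Review bot: the REST-path guard at lines 185-189 is wrong in both directions, and this whitespace-only touch is a good moment to fix it. `strpos()` returns an offset and `if (!$valid_api_uri)` treats offset 0 as "not found"; more importantly it matches `wp-json` anywhere in `$_SERVER['REQUEST_URI']`, so a front-end URL such as `/blog/?s=wp-json` enters the JWT path, while a REST request routed as `/?rest_route=/jwt-auth/v1/token` (the form WordPress uses when pretty permalinks are off) contains no prefix at all and is skipped, leaving a valid bearer token ignored. Test the parsed path with a strict comparison, e.g. `strpos(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/' . $rest_api_slug . '/') === false`, and also treat `isset($_GET['rest_route'])` as a REST request.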
 
226
  * Looking for the HTTP_AUTHORIZATION header, if not present just
227
  * return the user.
228
  */
229
+ $auth = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : false;
 
230
 
231
  /* Double check for different auth header string (server dependent) */
232
  if (!$auth) {
233
+ $auth = isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : false;
234
  }
235
 
236
  if (!$auth) {
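Review bot: the `REDIRECT_HTTP_AUTHORIZATION` fallback at lines 232-234 only works when the `.htaccess` rewrite from the README's Shared Hosts section is in place, which is the most common support question this plugin will get. A third fallback that reads the `Authorization` header through `getallheaders()` when that function exists would cover FastCGI setups where neither server variable is populated, and the README should say that a missing header results in the request being treated as anonymous rather than as an error, since that is what `if (!$auth) { return $user; }` does.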
300
  return $token;
301
  }
302
  /** If the output is true return an answer to the request to show it */
303
+ return array(
304
+ 'code' => 'jwt_auth_valid_token',
305
+ 'data' => array(
306
+ 'status' => 200,
307
+ ),
308
+ );
309
+ } catch (Exception $e) {
310
  /** Something is wrong trying to decode the token, send back the error */
311
+ return new WP_Error(
312
+ 'jwt_auth_invalid_token',
313
+ $e->getMessage(),
314
+ array(
315
+ 'status' => 403,
316
+ )
317
+ );
318
+ }
319
  }
320
 
321
  /**
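Review bot: the error branch at lines 310-318 answers an invalid or expired bearer token with status 403; RFC 6750 section 3.1 specifies 401 (`invalid_token`) with a `WWW-Authenticate: Bearer` header for that case and reserves 403 for a valid token with insufficient scope, so clients cannot tell "obtain a new token" from "not permitted". The same 403 is returned for rejected credentials at line 131 in the earlier hunk of this file, where 401 also fits better. Separately, `$e->getMessage()` is passed straight from the JWT library to the client; the usual "Expired token" and "Signature verification failed" strings are harmless, but mapping exceptions to fixed messages keeps any other internal detail out of the response. The `jwt_auth_valid_token` success path is fine.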
readme.txt CHANGED
@@ -4,9 +4,9 @@ Contributors: tmeister
4
  Donate link: https://enriquechavez.co
5
  Tags: wp-json, jwt, json web authentication, wp-api
6
  Requires at least: 4.2
7
- Tested up to: 4.8.1
8
  Requires PHP: 5.3.0
9
- Stable tag: 1.2.4
10
  License: GPLv2 or later
11
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
12
 
@@ -62,7 +62,7 @@ The JWT needs a **secret key** to sign the token this **secret key** must be uni
62
  To add the **secret key** edit your wp-config.php file and add a new constant called **JWT_AUTH_SECRET_KEY**
63
 
64
  `
65
- define('JWT_AUTH_SECRET_KEY', 'your-top-secrect-key');
66
  `
67
 
68
  You can use a string from here https://api.wordpress.org/secret-key/1.1/salt/
4
  Donate link: https://enriquechavez.co
5
  Tags: wp-json, jwt, json web authentication, wp-api
6
  Requires at least: 4.2
7
+ Tested up to: 5.0
8
  Requires PHP: 5.3.0
9
+ Stable tag: 1.2.5
10
  License: GPLv2 or later
11
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
12
 
62
  To add the **secret key** edit your wp-config.php file and add a new constant called **JWT_AUTH_SECRET_KEY**
63
 
64
  `
65
+ define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');
66
  `
67
 
68
  You can use a string from here https://api.wordpress.org/secret-key/1.1/salt/