Securing Custom Routes #63

Open
megphillips91 opened this issue May 4, 2020 · 4 comments

Comments

@megphillips91

megphillips91 commented May 4, 2020

I have a new custom route which I created via register custom route and which I need to secure. If I provide a validate callback which always returns true, the call succeeds without any header being sent. If I send an Authorization header with a valid token, it always fails:

```json
{
  "code": "jwt_auth_invalid_token",
  "message": "Signature verification failed",
  "data": {
    "status": 403
  }
}
```

====> here is the register rest route

```php
register_rest_route( 'parent-checklist-rest/v2', '/registration', array(
	'methods'           => 'GET, POST',
	'callback'          => __NAMESPACE__ . '\\register_user',
	'validate_callback' => __NAMESPACE__ . '\\check_JWT',
) );
```

====> validation callback

```php
function check_JWT( \WP_REST_Request $request ) {
	// $header = $request->get_header( 'Authorization' );
	return TRUE;
	// $response = wp_remote_post( $header )
}
```

Expected Behavior ==>

  • send valid token in Authorization Header
  • retrieve token in my validation callback
  • post token to /wp-json/simple-jwt-authentication/v1/token/validate
  • allow the call if token is valid
  • call fails if no auth header is sent
  • call fails if token is invalid

Actual Behavior ==>

  • the call fails even with valid token
  • the call succeeds as long as no Authorization Header is provided
  • seems my validate callback is not in play

@megphillips91
Author

megphillips91 commented May 4, 2020

Workaround ==>
If you register your route with no validate_callback specified, then you can add a validation hook which produces the expected behavior before you "do business" on the call. I see this more as a hack than a proper way to solve the problem. It may be a hack that works, but it is still hacky. So if someone has managed to produce the expected behavior, please post here. I can add to the documentation and submit a pull request for others using the plugin.

```php
function register_user( \WP_REST_Request $request ) {
	// check_JWT() is declared to take the WP_REST_Request itself, so pass the
	// request through rather than a non-existent $request->bearer property.
	if ( ! check_JWT( $request ) ) {
		$response = array( 'response' => 'bad token' );
		return $response;
	} else {
		// do business here
	}
}
```

@jonathan-dejong
Owner

Hmmm, does it work with WP's other default endpoints?
Just to rule out an issue with the key you've set.

This error is thrown by the firebase jwt-php library the plugin uses, and I think it could generally backfire due to certificate changes.

@pentatonicfunk

As far as I understand, validate_callback is for REST arguments/params. For the endpoint itself, I think permission_callback is the one that is supposed to do that.
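To give the route-level gate described in the comment above a concrete shape, here is an added example (not code from the issue, its author or the plugin) that registers the issue's route with a permission_callback and checks the bearer token in-process against the plugin's validate endpoint via rest_do_request(). It assumes WordPress with the Simple JWT Authentication plugin active, that the plugin's validate endpoint reads the Authorization header from the WP_REST_Request it is handed, and that register_user is the reporter's existing callback; the namespace Parent_Checklist and the function names are made up.

```php
<?php
// Added example, not from the issue or the plugin. Assumes WordPress with the
// Simple JWT Authentication plugin active and that its validate endpoint reads
// the Authorization header from the WP_REST_Request it is handed (assumption).
// register_user() is the reporter's existing callback; the namespace is made up.
namespace Parent_Checklist;

// Pull the bearer token out of the Authorization header; null when absent/malformed.
function get_bearer_token( \WP_REST_Request $request ) {
	$header = $request->get_header( 'authorization' );
	if ( ! $header || ! preg_match( '/^Bearer\s+(\S+)$/i', $header, $m ) ) {
		return null;
	}
	return $m[1];
}

// permission_callback runs before the route callback. Returning a WP_Error
// makes WordPress answer with that status, and register_user() is never called.
function check_jwt_permission( \WP_REST_Request $request ) {
	$token = get_bearer_token( $request );
	if ( null === $token ) {
		return new \WP_Error( 'rest_unauthorized', 'Missing bearer token.', array( 'status' => 401 ) );
	}

	// Ask the plugin's own validate endpoint, in-process, whether the token is good.
	$validate = new \WP_REST_Request( 'POST', '/simple-jwt-authentication/v1/token/validate' );
	$validate->set_header( 'Authorization', 'Bearer ' . $token );
	$result = rest_do_request( $validate );

	if ( $result->is_error() || 200 !== $result->get_status() ) {
		return new \WP_Error( 'rest_forbidden', 'Invalid or expired token.', array( 'status' => 403 ) );
	}
	return true;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'parent-checklist-rest/v2', '/registration', array(
		'methods'             => array( 'GET', 'POST' ),
		'callback'            => __NAMESPACE__ . '\\register_user',
		// Route-level gate: validate_callback only applies to individual args.
		'permission_callback' => __NAMESPACE__ . '\\check_jwt_permission',
	) );
} );
```

With this wiring a request without an Authorization header gets 401 and one with a bad token gets 403 before the route callback runs, which is the expected behavior listed in the opening post.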

@megphillips91
Author

Honestly, I never got back around to this the proper way and wrote a "workaround" custom authentication method which essentially just ensures the calls are coming from my app to the WP installation. I need a better solution and will get back around to it when reasonable for business.

thanks,
