It would be nice if we could get the user photo or avatar url when we use the auth endpoint

Bug Description

Hello!
Trying the new feature Protect Endpoints in the 3.4.0 version I've found a bug with whitelisted or protected endpoints.

I'm working in a subfolder WP install like www.mysite/subfolder
I'm looking in function isEndpointProtected($endpoint) in file ProtectEndpointService.php

The removeWpJsonFromEndpoint function called in lines 82 and 102 strips /wp-json from the strings:
if my string is www.mysite/**subfolder**/wp-json/endpoint the comparison is always wrong

The function removeWpJsonFromEndpoint changes the string in: www.mysite/subfolder/endpoint and on line 91 or 106 this string is compared with strpos() to www.mysite/subfolder/wp-json/endpoint and retrieves a wrong result

Environment

Bug Report

Missing simple_jwt_login_before_endpoint

Plugin Version

3.4.8

PHP Version

8.1

WordPress Version

6.1.1

Bug description

I noticed that hooks are missing before authentication. The documentation (Hooks/Code examples) mentions the ability to use simple_jwt_login_before_endpoint but this doesn't work.
Using the code:

add_action('simple_jwt_login_before_endpoint', function($method, $endpoint, $request){
       if ($method !== 'POST' && $endpoint !== 'auth') {
          return;
       }
       
       if( isset($request['email']) && $request['email'] === '[email protected]') {
           throw new Exception('Wrong email.');
       }
}, 10, 4);

Nothing appens.
How can i solve?
Thanks

Bug Description

I am using axios to first get the token from the back end. Then I want to send the token back so I can log in and get the user that is logged in. I get a 400 error every time I send the token back. Someone on stackoverflow told me to check the token and i did and it says the signature is invalid. It maybe be a setting but the docs do not explain in detail what the settings must be so I don't know. I need to make this work but the docs does not explain in enough detail especially if you are not a seasoned developer like me.

What did you expect to happen? What actually happened?
Well I would like to be able to log in using Vue

Environment

Other installed plugins (optional)

None no other plugins installed

Additional Context (optional)

I want assistance to edit the force login Link wordings

Eg. https://google.com/?**rest_route**=/maker/nice07544253652/**autologin**

how do I edit the words in asteriks in the link...
rest_route into something else
autologin into something else

Any assistance please?

I am attempting to do a PUT updating the password. What i've found is that if you put a & in the password it breaks. I have been unable to find anyway to encode it so that if you do so, it doesn't break. Looks to be a bug?

Bug Description

When accessing WooCommerce on our site we are getting the following error above the products:

`Warning: Cannot modify header information - headers already sent by (output started at /homepages/36/d333902371/htdocs/newsite/wp-content/themes/covernews-pro/header.php:13) in /homepages/36/d333902371/htdocs/newsite/wp-content/plugins/simple-jwt-login/src/Helpers/CorsHelper.php on line 13

Warning: Cannot modify header information - headers already sent by (output started at /homepages/36/d333902371/htdocs/newsite/wp-content/themes/covernews-pro/header.php:13) in /homepages/36/d333902371/htdocs/newsite/wp-content/plugins/simple-jwt-login/src/Helpers/CorsHelper.php on line 13

Warning: Cannot modify header information - headers already sent by (output started at /homepages/36/d333902371/htdocs/newsite/wp-content/themes/covernews-pro/header.php:13) in /homepages/36/d333902371/htdocs/newsite/wp-content/plugins/simple-jwt-login/src/Helpers/CorsHelper.php on line 13`

These seem to correlate to the three options on the CORS page of the plugin, when removing one or more of the options the number of errors is reduced but still remains. The error looks to be due to conflicting code in covernews-pro theme.

Environment

Is your feature request related to a problem?

Ability to get user data in protected endpoints.
In function hasAccess() the user is computed
$userID = $this->routeService->getUserIdFromJWT($jwt);
but not exposed.

Describe the solution you'd like

Ability to get the user id or the "session" in custom endpoints.
Like, in custom endpoints:
is_user_logged_in() -> true!
or
get_current_user_id() -> Id!

I saw a "Beta: All WordPress endpoints checks for JWT authentication" button in the General tab.
Is it an implementation of this feature? If yes, how to use it?

Thank you!
Riccardo

Is your feature request related to a problem?

Send the token in the URL as params is not a good practice. I suggest the token to validate should go in the body or in the header but not in the URL, this is for security reasons : https://gaurav5430.medium.com/web-security-access-token-in-url-79366a2bcb49

Additional, when one use AXIOS (for example in a React application) to login using JWT, by default the GET action does not allow to send JWT as JSON body, so it is hard to hide the token.

Describe the solution you'd like

Would be nice if instead of using the GET action, we can validate the Token using POST and put the Token either in the body or the header. For now, I saw the code and this is accomplished by changing:
File: /simple-jwt-login/src/Services/RouteService.php line: 60, for this:

        [
            'name' => self::AUTHENTICATION_VALIDATE_ROUTE,
            'method' => self::METHOD_POST,
            'service' => ValidateTokenService::class,
        ],

Additional context (optional)

I'm not PHP developer, maybe it is needed another validation for not allowing to send the token by URL. But this could be a good start.

Is your feature request related to a problem?

Yes : I get "User already exists." errors. The only way to correct this for me is to make manual changes in the base.

Describe the solution you'd like

Create endpoint that can get the UserID by email or vice versa.

Additional context (optional)

After that it can also help for updates of name, surname, mail, .....

Is your feature request related to a problem?

Settings import/export tool

Describe the solution you'd like

To quickly set up the plugin, I would like to be able to export and import settings to the new site.
If you also add the option to generate a strong jwt key on import (optional), it will be just a holiday.
Thank you for amazing work!

Additional context (optional)

Is your feature request related to a problem?

My problem was I needed to add additional fields (in my case, it was an ACF image field for an avatar) to the payload.

Describe the solution you'd like

A simple apply_filters call inside the authentication service allows us to modify it before it is returned.

A pull request for this change has already been submitted here: #48

Bug Description

Not able to authenticate protected apis with jwt token. Receiving invald_username error. Using postman to create and test the workflow.

Configuration:
General:

Login:

Authentication:

Steps to reproduce:

1. Hit the Authentication api with paramters:

{
    "email": "[email protected]",
    "password": "password",
    "AUTH_KEY": "{{PASSPORT_API_KEY}}"
}

2. Hit the posts api /wp-json/wp/v2/posts with Authorization Header and JWT token received from step 1

Authorization: "Bearer <JWT TOKEN>"

Received the error:

{
    "code": "invalid_username",
    "message": "<strong>Error</strong>: Unknown username. Check again or try your email address.",
    "data": null
}

Environment

Bug Description

We recently set up the plugin to authenticate our users to a WordPress site via another app, based on php/Symfony. It worked just fine at that time. We were able to retrieve JWTs and auto-login to the wp site using the plugin. Recently, there were some changes made to the wp site which I believe have somehow affected the auto-login functionality. Though it does respond correctly if we try to request access tokens but if we use the same tokens to auto-login to the site, it doesn't work as expected. The request does seem to succeed but the user is clearly not logged in. I am not sure what could be the possible reason for it as there is visually no error/exception. If I, however, try to make the request to the auto-login endpoint using the browser, ie., I put the whole URL with the required query parameters in the URL bar, I am indeed logged in but it doesn't work via the app.

Environment

Other installed plugins (optional)

Additional Context (optional)

This could be related.

Remove the "Beta" tag from "General" -> "All WordPress endpoints checks for JWT authentication"

It is added in views/general-view.php

We need to remove the <span class="beta">beta</span> and leave the option.

Also, clean up the CSS for beta (#simple-jwt-login span.beta).

Currently, it looks like this:

Desired Result:

Bug Report

WordPress uses the Rest API to perform certain actions. For example, updating posts. When protection for all endpoints is enabled it stops WordPress from accessing the Rest API.

Plugin Version

3.4.8

PHP Version

8.1

WordPress Version

6.1.1

Bug description

WordPress post update failed on updating posts. This happens on any post update. The problem being is that the plugin is preventing WordPress from accessing the Rest API. If you turn protection for all endpoints off WordPress can access.

Having to turn protection off defeats the purpose of the plugin. Whitelisting the /wp/v2/posts endpoint solves the problem for WordPress. It however, also opens it wide open to others. I'm wondering if there is a way to tell whether WordPress is the one accessing the Rest Api or if it's from an outside source. One possibility that comes to mind is to whitelist the ip address of WordPress - allowing it full access.

Bug Description

Is there a way to validate a user’s password encoded on the JWT for validate and autologin routes?

When it creates a new JWT token using the auth route with email and password, it validates the credentials by checking that the provided password is the same as the one on the WP database.

But, for validate and autologin routes, it does not check the user's password encoded on the token. So, we can create a JWT token with an online tool providing only the email and a wrong/empty password and use that token to login.

Is there any setting to always check the user's password encoded on the JWT?

Environment

Bug Description

When using register user api, the default role is ignored and they are assigned 'None' role.

Environment

To reproduce, just try to create a new user then check the role. I had to edit the code manually in SimpleJWTLoginService.php on line 469:

		$user = $this->wordPressData->createUser(
			$username,
			$email,
			$password,
            'subscriber',
			$extraParameters
		);

Hey there, thanks for a great plugin!
I’ve searched the docs and support, and it looks like the only way to get a JWT via the rest api is by supplying a username and password. I’m trying to build a custom password reset flow, and I’m wondering if there’s any way to provide the username and password reset code, and get a JWT in response.

Thanks kindly for your time.

Can't not pass The JWT token in the header

 const options = {
      method: "get",
      url: `${url}/wp-json/wp/v2/media`,
        headers: {
          Authorization: `Bearer ${token}`,
        },
      cancelToken: source.token,
    };

    axios(options)

The plugin does not see The JWT in the header. In the general tab I have header turn on with Authorization

This use to work on the prevous version

Bug Report

Plugin Version

Version 3.5.0

PHP Version

PHP 8.0.27

WordPress Version

Version 6.1.1

Bug description

I am able to read protected endpoints using a revoked key by changed the header name. Steps to reproduce:

1. Protect and endpoint. (I used /wp/v2/users)
2. Make a GET request to verify it's protected
3. Login through the /simple-jwt-login/v1/auth/login endpoint to retrieve a token.
4. Revoke the token in /simple-jwt-login/v1/auth/revoke endpoint
5. Make sure that the token is invalid through the /simple-jwt-login/v1/auth/validate endpoint
6. Make a GET request to the protected endpoint using as a header: "JWT: [revoked token]" and verify it's still protected.
7. Change the Header KEY from JWT to Authorization but still send the revoked token
8. Endpoint is now able to be read with an invalid/revoked token.

The Invalid token should be disregarded completely and the endpoint should still be protected if the key is invalid.

Other installed plugins (optional)

• Advanced Custom Fields PRO - Version 6.0.7
• WooCommerce - Version 7.3.0
• WP GraphQL - Version 1.13.7
• WP Mail SMTP - Version 3.7.0
• WP GraphQL CORS - Version 2.1
• WP GraphQL for ACF - 0.6.1

Additional Context (optional)

JWT is invalid

JWT as a Header

Authorization as a Header

I am trying to reset users password but I always get errorCode : 62 "Invalid code provided", also I noticed the suggested route (in the wp admin plugin page) is using "user" instead of "users" like mentionned in the docs, but "users" leads to a 404 error, could it be related ?

my project is using vuejs/nuxt

      axios.put('https://top-drive21.catapulpe.fr/wp-json/simple-jwt-login/v1/user/reset_password', {
        "email": this.email,
        "code": this.code,
        "new_password": this.password,
      })
        .then( (response) => {
          console.log( response )
        })
        .catch((error) => {
          console.log(this.email)
          console.log(this.code)
          console.log(this.password)
          console.error( 'Error', error.response );
        });

First of all, thanks for a great plugin!

Bug Description

Passing "user_meta" in POST body as JSON doesn't work, for example:

"user_meta": {
"billing_first_name": "Billy-Bob",
"billing_last_name": "Thornton"
}

However it works if passing it as a string via URL parameter, which can get quite messy if dealing with more meta.

I've managed to fix it by directly editing RegisterUserService.php (around line 77) and checking if
$this->request['user_meta'] is an array before running json_decode.

Environment

Additional Context (optional)

Bug Description

Hello, I am using metabox plugin, on admin plugin can't call API because no JWT =.=
I know problem because I turn on this option

But if I don't turn it on, I can't call API /users/me (I tried to pass JWT but not worked)
My solution is should add jwt when user login to admin. :) Or please tell me better way for this

Environment

Other installed plugins (optional)

• Plugin METABOX: 1.2.3
• Another Plugin : newest

There is currently a message on the official WordPress page stating that this plugin is no longer available. How come?

Ability to authenticate with an application name/key pair instead of user credentials. This would enable all routes to still be protected while giving the ability for an application to have access as at a given role level. This would allow an app to get posts without having to have a user login with their credentials. This would enable the administrator to give access to the site's api without having to have each individual user go through the WordPress application password setup. Ideally, this would give 'guest' privileges to the app until a user signed in through the app. It would require the admin to set up a 'guest' role or set the role to one already available.

Also, an expiry date would auto expire an applications name/key pair. For instance, allow a third party app 30 day access to develop a new front end application for your site. Using the current Simple JWT Login admin page, a separate section for application access could be added where the site administrator could set up the applications name, key and expiry date along with the ability to enable/disable the application's access.

I am getting error:
Sorry, you are not allowed to create posts as this user

curl -X POST "https://cloud.elmc.app/wp-json/wp/v2/posts" -H "Authorization: Bearer I_Put_Real_JWT_Token_Here" --form title="Test Title" --form content="My test content" --form type="page"

Hello,

Plugin Version

Version: 3.5.0

PHP Version

Using Laragon
PHP : 7.4

WordPress Version

6.1.1

Bug description

I got his error for auth : openssl_sign(): supplied key param cannot be coerced into a private key in : simple-jwt-login\src\Libraries\JWT\JWT.php on line 227

May be the problem that I use the auth method on a local site that uses https?

Other installed plugins (optional)

None

Currently, we do not display on the plugin dashboard the status for "Protect endpoints".

A new box should be added on the dashboard, with the title "Protect endpoints".

This box will have 2 statuses:

• On: When "Protect endpoints enabled" is "Yes"
• Off: When "Protect endpoints enabled" is "No"

Current:

Desired Result:

Is your feature request related to a problem?

WordPress login forms allow users to enter either a username or email address in the same field for logging in, but this plugin makes you have to determine whether a field is a username or email address before it's sent to the auth endpoint. The only effective way to tell this is in the WP admin by seeing if a user exists, as usernames allow @ and . even in strict mode.

Describe the solution you'd like

An optional field added to the auth endpoint called username_or_email. If the auth endpoint is called with this parameter, it should try to find a user by username and if it doesn't exist, try to find the user by email address instead, and if fails both, then throw an error.
You can use the get_user_by function to achieve this.

I don't have time to work on this myself at the moment, but I can probably submit a pull request for this in a couple of months if you don't have time to work on this yourself.

Howdy! I'm using this plugin for WP Rest API Authentication & SSO Login Implementation.

It works wonderfully, but I want to add some protection to the /auth endpoint for bruteforce attacks.

On my login form, I send a POST request to the /auth endpoint to get a valid JWT. This works, but I currently don't have measures to prevent Brute Force Attacks. My login form is on the client side (in a react app) so I need something on the API side to trigger.

I've already put together the code to get this working. I really just want a hook I can use to check the login attempts for a given user, before I continue with trying to authenticate the user.

"simple_jwt_login_response_auth_user"

This is the hook I tried, but it runs only when authentication is successful, not on every response, so is not functional for me.

TLDR: Need a hook that fires on the /auth endpoint BEFORE authentication commences to track login attempts and prevent Brute Force Attacks.

Is your feature request related to a problem?

i need to be able to change the user password but without providing a code
i dont need the user to go to its email

Describe the solution you'd like

a posible solution instead of passing the code we can pass the jwt

Additional context (optional)

Is your feature request related to a problem?

I need to be able to pass an objects properties like the billing and shipping that comes with woocommerce customers when using the register api

Describe the solution you'd like

in other words after register an user using the email
i look up by its id in the customers api of woocommerce but its billing and shipping properties are not setted with the right address they are blank by default

Additional context (optional)

Thanks for this great plugin!

As described in the documentation, Wp_User $user should be returned. But only the $userId is returned.

It seem as this plugin is causing issue with site not aways updating. It seem as I have to keep clear the cache. Is there a way to fix this or a way to make your plugin clear cache

Is your feature request related to a problem?

Kind of, yes, although it's a Me problem, not a You problem. :)

The current authentication mechanism simply checks that an account exists. I need finer grain control. For example, we use a custom role to temporarily disable accounts (or set "No Role For This Site") rather than deleting them. We need for those accounts not to be able to authenticate through JWT from our mobile app(s).

Describe the solution you'd like

I'd like to be able to have control over which roles can authenticate through JWT, preferably:

Whitelist: roles which can (empty means all can)
Blacklist: roles which cannot
Checkbox for "No Role cannot authenticate"

Alternatively, perhaps another hook for auth, which passes the user_id, and the hook can return true or false for whether it should be authenticated or not. Then we can handle all this ourselves.

Thanks for a great plugin, btw.

Firstly congrats for the plugin, it's been very useful so far and very nicely written.

I have recently started testing "wp-graphql" and I'm looking into ways of using it together with "simple-jwt-login" (and not using their version of JWT implementation)

So what would be the options if there are any to authenticate using JWT tokens on non REST endpoints, so that get_current_user_id() return the correct data.

Thanks for making a great plugin!

I used {{EMAIL}} for a custom password reset email, but it outputs user_login and I don't get the expected result.

Is there a reason why {{EMAIL}} outputs user_login when this plugin uses user_email for $sendTo?

If you don't mind, it would be nice if {{EMAIL}} outputs user_email.

I am sorry. I do not speak English. Please allow me to translate this issue with the Deeple translation tool.

Bug Description

1. Use register endpoint to create a new user with email [email protected]
2. Authenticate using auth endpoint
3. Store returned JWT as jwt1
4. Delete user using default WordPress functionality (Users -> [email protected] -> Delete)
5. Repeat steps 1, 2
6. Store returned JWT as jwt2

Since user IDs have changed, I expect the jwt1 to be marked as invalid. In fact, both tokens can be used to access protected endpoints.

Environment

Other installed plugins (optional)

Additional Context (optional)

This will allow us to select/deselect an option when the label is clicked.
Also and will improve the user experience.

In most of the plugin code, there are labels already added, but there are some missing places.

Here is where we need to add new labels:

• General:

  • All WordPress endpoints checks for JWT authentication

• Reset password:

  • Allow Reset password
  • Reset password requires Auth code

• Authentication:

  • Authentication requires auth code

• CORS
  - Access-Control-Allow-Origin
  - Access-Control-Allow-Methods
  - Access-Controle-Allow-Headers

Example:

This is how it is now:

  <input type="checkbox" name="cors[allow_origin_enabled]" value="1" checked="">
        <b>Access-Control-Allow-Origin</b>

This is how it should be:

  <input type="checkbox" name="cors[allow_origin_enabled]" value="1" checked="" id="cors_allow_origin_enabled">
  <label for="cors_allow_origin_enabled">
              <b>Access-Control-Allow-Origin</b>
  </label>

Is your feature request related to a problem?

No it is a question

Describe the solution you'd like

I was expecting that the user would receive his password by email.

Hi, I have been able to register a user without sending a password, and I was expecting to get the generated password in some way but I couldn't find how, can you help me ?
Thank you very much

1.) Is there any way to allow users to make post?
2.) Is this plugin mainly a user utility just to create, delete, change password, etc. I see that there is a login and auto login feature it would be great to be able to create post using the rest api with your plugin

Is there a way to secure all public rest api endpoints?

I'd like to secure the pages endpoint (and any other page) so it's only accessible with an api key. But if I make a request without JWT it just goes through.

I couldn't find a way to change this in the settings

Is your feature request related to a problem?

i have my custom login endpoint which logs in users using mobile number and otp (rest_route=/rad/v1/otp-login).

i want simple-jwt-login plugin a function to generate jwt.
then i control user login in my custom endpoint and return this jwt if user logged in with mobile and otp successfully.

(mobile number is stored in usermeta. like digits plugin. i mean that no email or password is required to login.)

i also provide bellow ways to login:

– login with mobile number and otp.
– login with username and password.
– login with email and password.

Describe the solution you'd like

Additional context (optional)

Is your feature request related to a problem?

Yes, I am trying use api /v1/auth to authenticate but my password has special character.

Describe the solution you'd like

Allow to send email/password in body

Thank you for made this pack :) best out there for now

Hi nice plugin.
I was wondering if there is a way to get the jwt in the response of the registration endpoint, thanks a lot.
I am registering just with the email and checked the generation of a random password but i need to get the jwt for a mobile application, i am also checked the auto-login feature

Bug Description

Here is what user_meta I try to send and below is how the plugin sees it:

The problem is backslashes which make json_decode return null.
The image below is a part of the code (/wp-content/plugins/simple-jwt-login/src/modules/SimpleJWTLoginService.php) where I tried to debug the issue:

Wrapping $_REQUEST['user_meta'] in stripslashes() fixes the issue.

Environment

| PHP version | 7.4.18
| WordPress version | 5.7.2
| Simple-JWT-Login plugin version | 2.6.2

I am trying to delete a user. I am not able to pass JWT in header. When doing so I get unauthorized error. However I can pass the JWT in the params.

I am using this in a React project

let jwt = 'tokenStringHere'

let source = axios.CancelToken.source();

const options = {
  method: 'delete',
  url: 'https://example_site.com/?rest_route=/simple-jwt-login/v1/users',
  headers: {Authorization: `Bearer ${jwt}`},
  params: {
    AUTH_KEY:'rnInTheYear198',
  },
  cancelToken: source.token,
};

axios(options)
  .then(response => {
    console.log(response.data);
  })

return function () {
  source.cancel('Cancelling in cleanup');
};

Bug Description

When I use the code to Validate token I get error that say:
POST https://cloud.elmc.app/?rest_route=/simple-jwt-login/v1/auth/validate&JWT=eyJ0e_The_rest_of_my_jwt. 404

I run the following in postman:
https://cloud.elmc.app/?rest_route=/simple-jwt-login/v1/auth/validate&JWT=My_Real_Jwt_Replaces_This_String

Postman out:

{
    "code": "rest_no_route",
    "message": "No route was found matching the URL and request method.",
    "data": {
        "status": 404
    }
}

Environment

Other installed plugins (optional)

No there plugins are installed

Bug Report

Plugin Version

3.4.8

PHP Version

8.1

WordPress Version

6.1.1

Bug description

If JWT parameter key is not set, validate, refresh token, etc. do not work.
Passes empty parameter to getUserParameterValueFromPayload. In the settings page for login adding a check to ensure that it is set would solve this problem. Possibly change error message in validate and refresh from
'Unable to find user %s property in JWT' to 'Ensure JWT parameter key is set in Login settings.'.

Once JWT parameter key is set, everything seems to work fine. I have not extensively tested all endpoints as that would be very time consuming. It does fix the problem with validate and refresh token.