wp-graphql-jwt-authentication

v0.4.1 doesn't find the GRAPHQL_JWT_AUTH_SECRET

Open mhinton opened this issue 5 years ago • 5 comments

With debugging on I get the following error from v0.4.1 using wp-graphql v0.10.3.

{"errors":[{"debugMessage":"You must define the GraphQL JWT Auth secret to use the WPGraphQL JWT Authentication plugin.","message":"Internal server error","extensions":{"category":"internal"}}]}

I have set the GRAPHQL_JWT_AUTH_SECRET and v0.4.0 works.

mhinton, Jul 28 '20 13:07

I suspect the issue is caused by this conditional. Isn't it supposed to be `'graphql-jwt-auth' !== $jwt_secret` instead of `'graphql-jwt-auth' === $jwt_secret`?

Screenshot 2020-07-28 at 16 39 15

szvest, Jul 28 '20 15:07

@jasonbahl, I believe this is related to issue #95.

szvest, Jul 28 '20 16:07

@mhinton can you share information on how you defined the secret?

That exception being thrown is saying that a secret needs to be defined as described here: https://github.com/wp-graphql/wp-graphql-jwt-authentication#install-activate--setup

In your wp-config.php you need to place this line of code:

```php
define( 'GRAPHQL_JWT_AUTH_SECRET_KEY', 'your-secret-token' );
```

Make sure to make the value unique and make sure it's placed above the line that reads `/* That's all, stop editing! Happy blogging. */`. If it's placed below, it won't actually be defined.

This secret is used to encode the tokens. If the secret is easily known, it opens up your site to vulnerabilities. The secret should be, well, secret. I'd recommend using a string generated from something like the WordPress salt generator: https://api.wordpress.org/secret-key/1.1/salt/

If the secret is not set, or the value is `graphql-jwt-auth`, then the exception is thrown. This is to protect you and your site and ensure you set the secret to something unique.

jasonbahl avatar Aug 07 '20 13:08 jasonbahl

Thanks, @jasonbahl. I suspect there is some sort of bug in the latest version. I have had the secret since version 0.3.5. I tested several times, sometimes defining it in the wp-config file and sometimes using the following hook. I also always make sure to set the expiration as well.

Screenshot 2020-08-07 at 18 16 00

With the latest version 0.4.1, no matter how you set and define the secret or set the expiration (I tried 300 as well as 60), it won't work after a couple of hard refreshes or if you keep your browser idle for 1 or two minutes.

szvest, Aug 07 '20 17:08

Ok. Thanks for the added info. I'll see if I can replicate and figure out what's going on.

jasonbahl, Aug 07 '20 17:08