wp-api-jwt-auth icon indicating copy to clipboard operation
wp-api-jwt-auth copied to clipboard

Published 20 hours ago verified publisher icon Tmeister

Incompatible with HTTP basic authentication on Nginx

Open ZaneCEO opened this issue 1 year ago • 0 comments

Prerequisites

  • [X] I am running the latest plugin version
  • [X] I am running the latest WordPress version
  • [X] I know what PHP version I'm using
  • [X] I checked the documentation and found no answer
  • [X] I checked to make sure that this issue has not already been filed

Issue

  • WordPress version: 6.3.2
  • PHP Version: 8.2

Due to stringent business requirements, the whole WordPress instance is protected by HTTP basic authentication on Nginx:

auth_basic "Restricted access | VHOST HTTP AUTH";
auth_basic_user_file /var/.../httpauth;

This conflicts with the module, since both Nginx and JWT expect an Authorization header:

  • nginx expects: authorization: Basic xxxx
  • JWT expects: authorization: Bearer yyy

I tried to use both the HTTP basic credentials AND the Bearer:

curl -I -v --USER "<nginx-name>:<nginx-pass>" 'https://<domain>/wp-json/wp/v2/posts' -H 'Authorization: Bearer <jwt-token>'

or

curl -I -v 'https://<nginx-name>:<nginx-pass>@<domain>/wp-json/wp/v2/posts' -H 'Authorization: Bearer <jwt-token>'

Both hit a 403 because the Bearer gets priority over HTTP basic credentials, so the request cannot authenticate and Nginx stop it immediately.

Workaround

As a workaround, I disabled the HTTP basic auth when the request originates from a know origin:

satisfy any;

## skip auth from loopback
allow 127.0.0.1;

## skip auth from LAN
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;

....

## Auth
auth_basic "Restricted access | VHOST HTTP AUTH";
auth_basic_user_file /var/.../httpauth;

Another idea ( https://stackoverflow.com/a/50971162/1204976 ) would be to pass the token with a different parameter and re-map it via php-fpm:

proxy_set_header Authorization $http_x_api_token;

But, again, I would really like to skip any of this.

Suggested action

Have a look at how WooCommerce uses specialized header: https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication. The module could read the token from a different header first (x-api-jwt-token: xxxx, for example) , then switch to the current behavior if it's not set.

ZaneCEO avatar Oct 23 '23 10:10 ZaneCEO