simple-jwt-login

Q: How to authenticate non-REST endpoints (wp-graphql)

Open Lupul opened this issue 4 years ago • 3 comments

Firstly congrats for the plugin, it's been very useful so far and very nicely written.

I have recently started testing "wp-graphql" and I'm looking into ways of using it together with "simple-jwt-login" (and not using their version of the JWT implementation).

So what would be the options, if there are any, to authenticate using JWT tokens on non-REST endpoints, so that get_current_user_id() returns the correct data?

Lupul avatar Apr 15 '22 13:04 Lupul

Hello @Lupul,

You can use the "Allow JWT usage on all endpoints" feature. Go to the plugin page and, in the general section, check the checkbox.

If a JWT is present in the request, the plugin will authenticate and then it will call the actual endpoint.

You can read more here: https://simplejwtlogin.com/docs/#allow-jwt-usage-on-all-endpoints

Please let me know if this works for you.

nicumicle avatar Apr 25 '22 18:04 nicumicle

Sorry, I should have mentioned in the initial post: I have that feature enabled and it is working properly on all REST endpoints that require auth, like /wp-json/wp/v3/products, and also on my custom REST namespaces, so no problem there.

My goal was to have JWT auth working on non-REST endpoints, like posts or pages, e.g.:

```php
add_action('wp_footer', function() {
    print_r(wp_get_current_user());
    echo PHP_EOL;

    print_r(get_current_user_id());
    echo PHP_EOL;
});
```

```bash
JWT="XXX"
curl "https://domain.com/random-page/" -H "Authorization: Bearer $JWT"
```

PS: As a temporary solution I have extracted this code from api.php which is working fine, but I'm not confident this is the right way to go.


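```php
// Merge any variables parsed from the request with $_REQUEST.
$parseRequest = ParseRequest::process($_SERVER);
$parsedRequestVariables = [];
if (isset($parseRequest['variables'])) {
    $parsedRequestVariables = (array) $parseRequest['variables'];
}
$request = array_merge($_REQUEST, $parsedRequestVariables);

// Load the plugin settings.
$jwtSettings = new SimpleJWTLoginSettings(new WordPressData());

// Build the plugin's route service with the settings, request and server data.
$routeService = new RouteService();
$routeService->withSettings($jwtSettings);
$routeService->withRequest($request);
$routeService->withServerHelper(new ServerHelper($_SERVER));

// Read the JWT from the request header or cookie.
$jwt = $routeService->getJwtFromRequestHeaderOrCookie();

if (! empty($jwt)) {
    try {
        // Resolve the user ID from the JWT and make that user the current user.
        $userID = $routeService->getUserIdFromJWT($jwt);
        wp_set_current_user($userID);
    } catch (\Exception $e) {
        // Stop the request with HTTP 401 if the JWT cannot be resolved to a user.
        wp_die('Invalid api token', 401);
    }
}
```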

Q: So my question is, what would be the proper way to bootstrap simple-jwt-plugin manually in a theme functions.php for example?

Lupul avatar May 15 '22 14:05 Lupul

Hello @Lupul ,

Sorry for responding so late.

This is an interesting thing that you did.

I am thinking of adding a feature that will allow authentication of users in WordPress if a JWT is present.

Something similar to "allow JWT usage on all endpoints" but for non-REST URLs.

I will add this in the backlog, as a feature.

And to answer your question, in my opinion it is ok.

nicumicle avatar Oct 20 '22 18:10 nicumicle