
Refresh token with valid token returns "rest_no_route."

Open oivinds opened this issue 3 years ago • 4 comments

http://localhost/wp-json/jwt-auth/v1/token with form data

To check that the token is valid I do: GET http://localhost/wp-json/wp/v2/users/me with authorization bearer. I get "status 200 ok"

I'm then storing the token returned in a cookie.

refresh_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE2NTc0NTQyODgsIm5iZiI6MTY1NzQ1NDI4OCwiZXhwIjoxNjU3NDU1NjA4LCJkYXRhIjp7InVzZXIiOnsiaWQiOjUzLCJkZXZpY2UiOiIiLCJwYXNzIjoiMTFmYTM1ZTQyNjdhMzJkOWZhN2M5NWQ0ZTg1MDlkN2QifX19.EZk0uE52K2WDYp5cIVWYk4LUyMQr4MQDvsvkUnUWzrg; Path=/; Expires=Mon, 10 Jul 2023 11:23:24 GMT;


Then I am trying POST http://localhost/wp-json/jwt-auth/v1/token/refresh

{ "code": "rest_no_route", "message": "No route was found matching the URL and request method", "data": { "status": 404 } }

oivinds, Jul 10 '22 12:07

I don't think this plugin has refresh tokens implemented

jakub-sekula, Jul 30 '22 22:07

@oivinds @jakub-sekula The refresh route is registered here - https://github.com/usefulteam/jwt-auth/blob/master/class-auth.php#L87 - along with the others

Are you sure you have the latest version?

dominic-ks, Jul 31 '22 11:07

@oivinds Do you maybe have caching plugins or caching backends enabled that need flushing? Or maybe your PHP opcache does not invalidate files and needs a restart?

sun, Oct 05 '22 23:10

@sun @oivinds The other thing that has become apparent is that the version on wp.org (2.1.0) is behind the latest master on GitHub (3.0.1) and refresh tokens were implemented in 3.0.0.

In order to get the plugin live again on wp.org I've prepared a version 2.1.1 with the firebase update. I'm going to submit this to wp.org today and then I'll look into adding some notices to warn people of the upcoming update to V3+ which will include the refresh tokens.

Main thought here being that people using the version from wp.org will currently have JWTs with a life of 15 days and the refresh token update will knock that down to 10mins unless they take action or update to use refresh tokens.

dominic-ks, Oct 06 '22 08:10

Good Morning,

I just installed the latest version from wp.org (2.1.3) and the refresh endpoint seems to be still missing (also the documentation is an old version). Do you know how I can use the latest version?

LorenzoInvernizzi, Apr 14 '23 08:04

Hello @LorenzoInvernizzi,

Yes, the wp.org version is still behind the latest master on GH. You can clone the latest with the refresh functionality from here.

dominic-ks, Apr 14 '23 08:04

Perfect, thanks. Now it works but I don't understand the usage. I read the documentation but my doubts are:

  1. Once I hit the token/refresh endpoint with the refresh_token in the request cookies, I don't get any new bearer token in the response, but only:

    { "success": true, "statusCode": 200, "code": "jwt_auth_valid_token", "message": "Token is valid" }

    Does it mean I can continue to use the bearer token I already have and replace the old refresh_token with the new one I got in the response, or am I missing something? 10 minutes have passed since I logged in and generated the bearer token.

  2. When calling the token/refresh API, should I pass the bearer token or not? I.e. should I whitelist the endpoint or not?

Thanks

LorenzoInvernizzi, Apr 14 '23 14:04

There is no whitelisting in the latest version of the plugin, it allows permissions for requests to fall back to the callback where the request is registered.

The flow for the refresh tokens is:

  • Send a request to /token with username and password to get a JWT access token and refresh cookie
  • Send requests to any endpoints including /validate with JWT as bearer token
  • If JWT is expired, send a request to /token with refresh cookie (no username & password required) to get a new JWT
  • If refresh token is expired, send refresh cookie to /refresh to get a new refresh cookie

dominic-ks, Apr 14 '23 14:04
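The flow listed in the comment above, seen from the client side, as an added example that is not part of the thread or the plugin's code. It assumes a `requests.Session`-style object, that a rejected JWT shows up as HTTP 401/403 and that `/token` returns the JWT at `data.token`; `JwtClient`, `FakeSite` and the credentials are constructed for the example, and the `/token/refresh` route is the one from the first post.

```python
# Added example. FakeSite is a constructed stand-in for requests.Session plus the site.
# Assumptions: 401/403 means the JWT was rejected; /token returns it at data.token.
from itertools import count
from types import SimpleNamespace

API = "http://localhost/wp-json/jwt-auth/v1"

class JwtClient:
    def __init__(self, session):
        self.s, self.jwt = session, None  # the session's cookie jar holds refresh_token

    def login(self, username=None, password=None):  # no args: refresh cookie authenticates
        form = {"username": username, "password": password} if username else {}
        r = self.s.post(API + "/token", data=form)
        self.jwt = r.json()["data"]["token"] if r.status_code == 200 else None
        return self.jwt is not None

    def rotate_refresh_cookie(self):
        r = self.s.post(API + "/token/refresh")  # sets a new cookie; the body has no JWT
        return r.status_code == 200 and r.json().get("code") == "jwt_auth_valid_token"

    def get(self, url):
        r = self.s.get(url, headers={"Authorization": f"Bearer {self.jwt}"})
        if r.status_code in (401, 403) and self.login():  # trade the cookie for a new JWT
            r = self.s.get(url, headers={"Authorization": f"Bearer {self.jwt}"})
        return r  # still 401/403: the cookie was rejected too, ask for the password again

def _resp(status, body):
    return SimpleNamespace(status_code=status, json=lambda: body)

class FakeSite:
    def __init__(self):
        self.cookies, self.jwt, self.rt, self.ids = {}, None, None, count(1)

    def post(self, url, data=None):
        refresh = url.endswith("/token/refresh")
        has_rt = self.rt is not None and self.cookies.get("refresh_token") == self.rt
        if data == {"username": "alice", "password": "constructed-pw"} or (has_rt and refresh):
            self.rt = self.cookies["refresh_token"] = f"rt-{next(self.ids)}"
        elif data or not has_rt:
            return _resp(401, {"code": "constructed_error"})
        if refresh:
            return _resp(200, {"code": "jwt_auth_valid_token"})
        self.jwt = f"jwt-{next(self.ids)}"
        return _resp(200, {"data": {"token": self.jwt}})

    def get(self, url, headers):
        ok = self.jwt is not None and headers["Authorization"] == f"Bearer {self.jwt}"
        return _resp(200 if ok else 403, {})
```

Against a real site, pass a `requests.Session()` as `session`; its cookie jar stores the refresh cookie, so the client code never reads or writes it.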

Thanks! 👌 I added that to the Wiki: https://github.com/usefulteam/jwt-auth/wiki#how-does-the-jwt-flow-with-refresh-tokens-work-overall

sun, Apr 18 '23 09:04

When I install the latest version of this repo, I receive an error message: the plugin cannot be activated because of a critical error. I use the newest version of WordPress.

Warning: require(/home/.../mywebsite.de/wp-content/plugins/jwt-auth-master/vendor/autoload.php): failed to open stream: No such file or directory in /home/.../mywebsite.de/wp-content/plugins/jwt-auth-master/jwt-auth.php on line 25

richard-313, Apr 20 '23 18:04

@sun @s72817 @dominic-ks I'm having the same problem. The WordPress.org plugin version is 2.1.3 and installing the last from the repo (3.0.1) gives the same critical error on activation. With the WordPress.org plugin version, I can't seem to have the refresh token working. 😞

Fatal error: Uncaught Error: Failed opening required '/home/xxx/webapps/yyy-API/wp-content/plugins/jwt-auth-master/vendor/autoload.php' (include_path='.:') in /home/xxx/webapps/yyy-API/wp-content/plugins/jwt-auth-master/jwt-auth.php:25 Stack trace: #0 /home/xxx/webapps/yyy-API/wp-admin/includes/plugin.php(2314): include_once() #1 /home/xxx/webapps/yyy-API/wp-admin/plugins.php(192): plugin_sandbox_scrape() #2 {main} thrown in /home/xxx/webapps/yyy-API/wp-content/plugins/jwt-auth-master/jwt-auth.php on line 25

Tragio, May 24 '23 09:05

@Tragio When installing from source, you need to install dependencies using Composer. I just documented installation instructions here: https://github.com/usefulteam/jwt-auth/wiki#how-to-install-the-jwt-auth-plugin-development-version-from-github

sun, May 24 '23 10:05