Custom endpoint is unprotected
I installed the Plugin and it basically works: I make a POST request to [mypage]/wp-json/jwt-auth/v1/token and I get back the correct JSON containing the token. So the plugin seems to be installed correctly.
Then I tried another endpoint: [mypage]/?rest_route=/wp/v2/users/register and expected the request (without authorization header) to be rejected by the JWT Plugin since the documentation mentions:
“The wp-api-jwt-auth will intercept every call to the server and will look for the authorization header, if the authorization header is present, it will try to decode the token and will set the user according with the data stored in it.”
But to my surprise, the request worked. This is how the endpoint is set up on the server:
    register_rest_route('wp/v2', 'users/register', array(
        'methods' => 'POST',
        'callback' => 'wc_rest_user_reg_ep_handler',
    ));
I thought all endpoints are protected by the JWT Plugin?
I read about the permission_callback but I think this is just a method to check user permissions. Which I thought I do not need, because my understanding is that the plugin rejects all invalid requests without token anyway. So in my endpoint I should be sure that the user has a valid token, that's enough for me.
Where am I wrong?
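
Added example, not part of the original post or of the plugin's code: the quoted documentation only says the plugin sets the user when an Authorization header is present, so a route that must reject anonymous requests has to say so itself through permission_callback. The route and handler names are the ones from the post (the handler is assumed to be defined elsewhere); wc_rest_require_authenticated_user and the error code rest_token_required are hypothetical names chosen for this sketch.

```php
<?php
/**
 * Permission check for the custom route (hypothetical helper name).
 *
 * Assumption, taken from the documentation quoted in the post: when a valid
 * token is sent, the JWT plugin sets the current user from it. A request
 * with no Authorization header stays anonymous, so the current user ID is 0
 * and is_user_logged_in() returns false.
 */
function wc_rest_require_authenticated_user( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        // Returning a WP_Error stops the request before the route callback
        // runs; the 'status' entry becomes the HTTP response code.
        return new WP_Error(
            'rest_token_required', // hypothetical error code
            'A valid token is required for this endpoint.',
            array( 'status' => 401 )
        );
    }

    // A user was resolved from the token. Add a capability check here
    // (current_user_can()) if only some users may call the route.
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wp/v2', 'users/register', array(
        'methods'             => 'POST',
        'callback'            => 'wc_rest_user_reg_ep_handler', // handler from the post
        // Without this key the route is callable by anyone, which is the
        // behaviour described in the post.
        'permission_callback' => 'wc_rest_require_authenticated_user',
    ) );
} );
```

With this in place, a POST to the route without an Authorization header should receive a 401 response carrying the rest_token_required code instead of reaching the handler.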