Allowing access to APIs when authenticated only

Hello @niftythree,

I will investigate this and I will come back with updates.

Best regards,
Nicu.

Hi Nicu,

Thank you. Will be keen to hear back from you.

Hi @nicu_m

Did you ever find anything on the question from @niftythree ?

I’m running into the same issue but would love to use your plugin.

Cheers!

Hello @niftythree, @2f4u

I’ve just prepared a new plugin version that allows accessing endpoints only with a JWT. The feature is called “Protect endpoints”, and you can choose either “Protect all endpoints”, or “Protect specific endpoints”.

You can download the beta version from Github: https://github.com/nicumicle/simple-jwt-login/tree/master/download

Please let me know what do you think, and if you have any suggestions.

Best regards,
Nicu.

Thanks for working on this subject!
I’ve installed the plugin v3.4 and the ‘Protect endpoints’ tab looks great!

The issue that I’m facing now is that 403 errors are returned whenever an endpoint is called using the JWT token. I can’t seem to figure out what settings I need to use. I’m using WordPress 5.8.1 and a VueJS front-end to make requests to the WordPress REST API.

Here’s my JS code

var url = 'https://app.sandbox.wp/?rest_route=/simple-jwt-login/v1/auth;
var payload = this.user;

const request = new Request(
    url, {
    method: "POST",
    headers: {
        "Content-type": "application/json",
    },
    body: JSON.stringify(payload)
});
                
var response = await fetch(request);
response = await response.json();

This returns a JWT token which is then stored in localstorage.

With this JWT token, subsequent requests are done to get posts. Using the Authorization header
Authorization: Bearer + JWT token

And with JS code like:

let url = this.getApiUrl() + '/wp/v2/posts';

const request = new Request(
    url, {
    method: "GET",
    headers: {
        "Content-type":"application/json",
        "Authorization": "Bearer " + token,
    }
    });

let response = await fetch(request);
response = await response.json();

All endpoints respond with the 403 (forbidden) status code.

Am I missing something here? Is this not the correct workflow?

Hello @2f4u,

What type of “Action” do you use for the protect endpoints? All endpoints or only specific endpoints?

Have you enabled the “Get JWT token from ” -> Header -> On from the Simple-JWt-login general settings tab?

Also, just to make sure, can you please make a request, and send the JWT in the query params?
https://sandbox.wp/?rest_route=/wp/v2/posts&JWT=your_jwt_here

Got it working!

In the protect endpoints tab, I tested both options. Both are working. Thanks for that, because that’s what I was actually looking for!

To make it work I had to do the following. In the general settings tab both REQUEST and Header are set on, the other two are set off. And because the REQUEST option is set on, I also send the JWT token as a parameter with every request.

Without these settings, all requests fail to authenticate. I’m not sure if this is a bug really, or if you want the REQUEST to be set on when any of the other options are set on.

One of the things that I was worried about, is that the JWT was not set correctly. I checked that using the following endpoint

?rest_route=/simple-jwt-login/v1/auth/validate&JWT=YOUR JWT HERE