Disable it on api
-
Hi there and thanks again for your work!
I’m using this plugin and it works great, but now I’m working on some API for my website and I’ve noticed that for every API call all I get is the 2-factor notice. For the API I’m using JWT, so I don’t need the 2FA to be enabled. Is there a hook to disable it for API calls?
Thanks!
-
Hey @pixael,
At this time there is no solution; however, I can integrate something. I’ll first need to look into it further to find out what the best solution is. Disabling 2FA for the API via code hurts those accounts who have 2FA enabled, so it might be best to do this on a per-user basis. I have not tested this part of the plugin via the REST API.
I was not aware of JWT integrated into WordPress by default; do you have a third party plugin to achieve this?
Thanks,
Sully
-
Hi Sully, I’m using Simple-JWT-Login.
I wonder if it makes sense to enable 2FA on /wp-json at all… I don’t think APIs will ever need 2FA? You generally use a JWT token to authenticate API calls.
@pixael That’s what I was thinking too; however, more research is needed. I’ll have to download this plugin and see what it’s doing in order to make a decision.
The API endpoint is allowed to work via old-fashioned username/password, and since 5.6 that includes dedicated application passwords. Disabling 2FA for application passwords is OK (and JWT alike), because it’s just like an API key/token; however, WordPress still allows old-fashioned username/passwords to be used and that’s where the problem lies.
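As an added example (not the 2FA plugin’s or Simple-JWT-Login’s code) of the per-credential approach described above: 2FA is skipped only when the request is a REST call and the credential was a token (here an application password, detected through WordPress core’s own application_password_did_authenticate action), so a plain username/password login over /wp-json still gets the 2FA prompt. The function names, the global flag and the filter name are assumptions; it would live in an mu-plugin.

```php
<?php
// Added example, not code from the 2FA plugin or Simple-JWT-Login.
// Rule from the thread: only token-style credentials (application
// passwords, JWT) on REST requests bypass 2FA; username/password never does.

// Core (WordPress 5.6+) fires this action only after an application
// password was validated. Remember that for the rest of the request.
add_action( 'application_password_did_authenticate', function () {
    $GLOBALS['ex_token_auth'] = true;
} );
// Assumption: a JWT plugin that exposes a "token accepted" hook would set the
// same flag there. Simple-JWT-Login's hook names are not assumed here.

// Is this a REST API request? Covers both URL styles seen in the thread:
// /wp-json/... and /?rest_route=/...
function ex_is_rest_request( string $path, string $query ): bool {
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return true;
    }
    $prefix = '/' . ( function_exists( 'rest_get_url_prefix' ) ? rest_get_url_prefix() : 'wp-json' );
    if ( $path === $prefix || strpos( $path, $prefix . '/' ) === 0 ) {
        return true;
    }
    parse_str( $query, $args );
    return ! empty( $args['rest_route'] );
}

// 2FA is skipped only when BOTH hold: REST request AND token-based auth.
// A Basic-auth username/password on /wp-json yields false here.
function ex_should_skip_2fa( bool $is_rest, bool $token_auth ): bool {
    return $is_rest && $token_auth;
}

// Wiring (hypothetical): run at priority 1 so the decision exists before the
// 2FA plugin's own wp_login callback, which is assumed to honour the
// 'ex_2fa_skip' filter. Adapt to whatever hook the plugin really provides.
add_action( 'wp_login', function ( $user_login, $user ) {
    $path  = parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH ) ?: '/';
    $query = $_SERVER['QUERY_STRING'] ?? '';
    $skip  = ex_should_skip_2fa(
        ex_is_rest_request( $path, $query ),
        ! empty( $GLOBALS['ex_token_auth'] )
    );
    add_filter( 'ex_2fa_skip', fn() => $skip );
}, 1, 2 );
```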
Hi Sully
At the moment I’ve solved my issue by amending the wp_login function in your plugin; I’ve added this line at the beginning so it won’t fire on /wp-json:
if (strpos(parse_url(esc_url_raw(add_query_arg(array())), PHP_URL_PATH), '/wp-json') === 0) return false;
I know changing the plugin’s source code is not a correct solution, but in the meantime I can keep the plugin active and work on my APIs.
-
@pixael Glad it’s working for you!
Once I release a new version with this new feature I’ll update this post and let you know the outcome.
Thanks,
Sully
-
Hi @pixael,
I hope you are well! I have just been checking into this today and I’m unable to replicate your issue.
When I login with the WordPress API, my plugin does not “kick in” and block the request. Similarly, I downloaded the JWT plugin and enabled Authentication in the plugin and again, it does not block the request.
Could you share with me your end-points you are using (removing your domain and protected information)?
Thanks,
Sully
-
Hi @ss88_uk, I’ve enabled the 2-factor authentication for all users with:
define('SS88_2FAVE_ENABLE_ALL', true);
did you try that?
Morning @pixael,
I just tried using the code you added and I’m still unable to replicate. I’m using two ways to log in (I’m not that familiar with the JWT plugin):
/?rest_route=/simple-jwt-login/v1/auth&email=XX&password=XX
/wp-json/wp/v2/users
For /wp-json/ I am using Basic Authentication with an Application Password from WordPress’s Edit User screen. Both ways authenticate me successfully. JWT returns a token and /wp-json/ shows me all the users on the system.
I’ve searched online and it seems the hook wp_login is not fired for native REST API calls; however, the JWT plugin has a reference to the hook in their code. I think I may be using the wrong JWT login URL/method to log in. Could you share with me your login flow (minus any sensitive data)?
Any help is appreciated,
Sully
-
Sorry @ss88_uk, authentication works fine. When you get the token, then call any API endpoint and you will get your HTML page:
…
<p><strong>Account Protected</strong><p>
<p>This account has Two Factor Authentication (2FA) enabled.<br />Please check your email inbox (including Spam/Junk) for your unique login link.</p>
<p><small id="timertext">The unique link will expire in <span id="timer" data-minutes="15">15 minutes</span>.</small></p>
…
Just call /wp-json/wp/v2/posts with the bearer token and you will see it.
Hi @pixael,
Can you share your full settings for this third-party plugin? I cannot get it to log in with a JWT at all. I perform an /auth request which provides me a JWT, and from there the REST does not let me in (Only authenticated users can access the REST API.). When I attempt to validate the token to check its validity with /auth/validate, the error I receive is Unable to find user property in JWT. I can obviously implement the code, but without testing it, it could be a wasted push.
Just log in by sending a POST request to:
https://website.com/?rest_route=/simple-jwt-login/v1/auth
passing this in the body:
{
"username": "XXX",
"password": "XXX"
}
You will get the JWT back. Then send a GET request to:
https://website.com/wp-json/wp/v2/posts
using the JWT token in the Bearer Token authorization header. Instead of the post list, you should get your plugin HTML page.
Hi @pixael,
Thanks for responding. That’s exactly what I am doing. My error is:
Only authenticated users can access the REST API.
That’s why I was asking for your plugin settings, as I must have something incorrect within its settings pages.
Oh yeah, sorry.
Please check out these 2 screenshots, I only have authentication enabled:
https://postimg.cc/gallery/c0hcDtv
-
Hi @pixael,
Thanks for sending those over. I have the same settings and I still can’t get it to work. It never authenticates against /wp-json/.
I did find this bug and this bug, which has not been fixed, which could be the reason.
I’m going to have to shelve it for now until I can test someone else’s plugin. As WordPress does not block REST calls by default, this plugin will work; it’s just not compatible with your choice of third-party plugin.
I’ll update you once I have tested another plugin against my code to bypass/allow REST calls, but it will be in about 3-4 weeks time.
Thanks,
Sully
-
Ok, no worries, thanks for your time.