    Hello,

    Thanks for the plugin, I am using it on a couple of new projects and it seems to be working well for me.

    One issue I have encountered though is that the /token/validate/ route seems to return a successful response even if the user that generated it no longer exists.

    I had a quick look and it does seem that there is no check for this.

    I have patched my copy of the plugin with this check and thought I’d drop it here in case you wanted to include it in a future version:

    Update in: /public/class-jwt-auth-public.php after line 298 I added:

    // Check that the user ID carried in the token still belongs to an existing user.
    if ( ! get_user_by( 'ID', $token->data->user->id ) ) {
        return new WP_Error(
            'jwt_auth_invalid_user',
            __( 'User ID does not belong to an active user', 'wp-api-jwt-auth' ),
            array(
                'status' => 403,
            )
        );
    }

    Cheers!
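As an added illustration that is not the plugin's code, the same validate-then-check-user logic written as stand-alone Python: the signing key and user table are constructed stand-ins, and `check_user=False` reproduces the gap described in the post (a correctly signed, unexpired token still passes after the account is deleted).

```python
# Added example (not the plugin's code): HS256 token validation that also
# checks the token's subject still exists. SECRET and USERS are constructed
# stand-ins for the plugin's signing key and the WordPress user table.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"
USERS = {7: "alice", 9: "bob"}  # delete an entry to simulate a removed account

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user_id: int, ttl: int = 3600) -> str:
    """Mint a token whose payload mirrors the plugin's data.user.id claim."""
    now = int(time.time())
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    claims = {"iat": now, "exp": now + ttl, "data": {"user": {"id": user_id}}}
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_sign(f'{header}.{payload}'))}"

def validate_token(token: str, check_user: bool = True) -> dict:
    """check_user=False reproduces the reported behaviour: signature and
    expiry alone are trusted, so a token for a deleted user still passes."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "code": "jwt_auth_bad_format"}
    header, payload, sig = parts
    if not hmac.compare_digest(_sign(f"{header}.{payload}"), _b64url_decode(sig)):
        return {"ok": False, "code": "jwt_auth_bad_signature"}
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return {"ok": False, "code": "jwt_auth_bad_alg"}
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return {"ok": False, "code": "jwt_auth_expired"}
    user_id = claims["data"]["user"]["id"]
    # The added check: a signed, unexpired token is still rejected once the
    # account is gone (the PHP patch does this with get_user_by('ID', ...)).
    if check_user and user_id not in USERS:
        return {"ok": False, "code": "jwt_auth_invalid_user", "status": 403}
    return {"ok": True, "user_id": user_id}
```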

The topic ‘Plugin Validates Tokens for Deleted Users’ is closed to new replies.