• Hello, I really hope you can help me with this please.

    We have your plugin working for all cases, however we like to harden our production site’s wp-admin login form to protect against hacking, by having a first layer of .htaccess basic auth installed. We have it set so that the login form is protected by a .htpasswd credential, different from the ones in WordPress

    However…

    When enabling this, as soon as someone is logged in, then all wp-json rest api endpoints become disabled, making all endpoints show the error “Username ‘(BasicAuthUsername)’ does not exist!”, even for endpoints that normally are open to the public!

    Even if we add the user to the WP admin, then we get “Wrong number of segments” error, still on endpoints that are normally not protected, even core WordPress ones!

    This seems to be a bug, or at least an oversight, but I am not sure…I welcome your feedback – Is there a way around this please?

    Here is the example of the .htaccess entry that hardens our login form, only:

    
    SetEnvIf Request_URI !"^/wp-login.*" noauth
    SetEnvIf Request_URI "^/wp-login.*$" private
    AuthName "Password Needed"
    AuthType Basic
    AuthUserFile "/opt/bitnami/.htpasswd"
    Require valid-user
    Order Deny,Allow
    Deny from env=private
    Allow from env=noauth
    Satisfy any
    

    If we can’t work around this, we will probably choose to use another plugin, which we don’t want to do, because yours works well for everything, except this.

    Do you have any suggestions, please, to help?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nicu_m

    (@nicu_m)

    Hello @earthman100,

    I’ve added the .htaccess code into my testing environment and all seems to work OK for me.

    For example, I was able to call and get a 200 status code

    
    curl -s -X POST "$HOST/?rest_route=/simple-jwt-login/v1/auth&username=$USERNAME&password=$PASSWORD"
    

    Also, I’ve tested with the wp-json and all was ok.

    
    curl -s -X POST "$HOST/wp-json/simple-jwt-login/v1/auth/refresh" -H "Authorization: Bearer $JWT"
    

    My .htaccess looks like this:

    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    SetEnvIf Request_URI !"^/wp-login.*" noauth
    SetEnvIf Request_URI "^/wp-login.*$" private
    AuthName "Password Needed"
    AuthType Basic
    AuthUserFile "/var/www/html/.htpasswd"
    Require valid-user
    Order Deny,Allow
    Deny from env=private
    Allow from env=noauth
    Satisfy any
    

    I’m using the latest plugin version 3.4.7. What plugin version are you using?

    Can you please give me an example on how you do the request and how do you send the JWT?

    Best regards,
    Nicu.

    Thread Starter Earthman Media

    (@earthman100)

    Hi Nicu,

    Thanks for your reply, and for taking the time to test – sorry for the delay with my reply.

    I have confirmed that this occurs when the following conditions are met:

    – Fresh Installation of WordPress, using LocalWP
    – Using theme: Twenty Twenty-Three
    – Attempting ngrok tunnel access, using a LocalWP “Live Link” (which requires Basic Auth)

    Installed Plugins:
    – Simple-JWT-Login (ver 3.4.8)
    – Woocommerce (7.1.0)

    Here is a video repro of the steps I took, detailed below…
    https://drive.google.com/file/d/1mGUqFulbJUTOuFcxcUzEXAWYCh5NXgAT/view?usp=sharing

    After I installed the settings, shown in the video, into the JWT plugin, the wp-admin became unresponsive, with the following error shown at the end of the output:

    
    {"success":false,"data":{"message":"Wrong number of segments","errorCode":2,"type":"simple-jwt-login-middleware"}}
    

    This is the problem we have been having on our live site, as well, whenever I try to access any query like get_posts, etc, in the front or backend.

    Here are the settings I used in JWT (as exported by the WP-CFM plugin):

    {
        "simple_jwt_login_settings": "{\"allow_authentication\":\"1\",\"jwt_payload\":[\"exp\",\"email\",\"id\",\"site\",\"username\"],\"jwt_auth_ttl\":\"60\",\"jwt_auth_refresh_ttl\":\"20160\",\"auth_ip\":\"\",\"auth_requires_auth_code\":false,\"cors\":{\"enabled\":0,\"allow_origin_enabled\":false,\"allow_origin\":\"*\",\"allow_methods_enabled\":false,\"allow_methods\":\"GET, POST, PUT, DELETE, OPTIONS, HEAD\",\"allow_headers_enabled\":false,\"allow_headers\":\"*\"},\"allow_delete\":false,\"require_delete_auth\":true,\"delete_ip\":\"\",\"delete_user_by\":0,\"jwt_delete_by_parameter\":\"\",\"route_namespace\":\"simple-jwt-login\\\/v1\\\/\",\"jwt_algorithm\":\"HS256\",\"decryption_source\":\"0\",\"decryption_key\":\"oipwejflsdj;flhso8fou-240ifru9yw0epirhos;ea[ofi;jewlf\",\"decryption_key_base64\":false,\"decryption_key_public\":\"\",\"decryption_key_private\":\"\",\"request_jwt_url\":1,\"request_jwt_cookie\":0,\"request_jwt_header\":1,\"request_jwt_session\":0,\"api_middleware\":{\"enabled\":true},\"request_keys\":{\"url\":\"JWT\",\"session\":\"simple-jwt-login-token\",\"cookie\":\"simple-jwt-login-token\",\"header\":\"Authorization\"},\"enabled_hooks\":[],\"jwt_login_by\":0,\"jwt_login_by_parameter\":\"email\",\"allow_autologin\":true,\"redirect\":10,\"redirect_url\":\"\",\"login_fail_redirect\":\"\",\"require_login_auth\":false,\"include_login_request_parameters\":true,\"allow_usage_redirect_parameter\":true,\"login_ip\":\"\",\"allow_register\":true,\"new_user_profile\":\"customer\",\"register_ip\":\"\",\"register_domain\":\"\",\"require_register_auth\":false,\"random_password\":false,\"register_force_login\":true,\"register_jwt\":true,\"allowed_user_meta\":\"\",\"allow_reset_password\":true,\"reset_password_requires_auth_code\":false,\"jwt_reset_password_flow\":2,\"jwt_email_subject\":\"test\",\"jwt_reset_password_email_body\":\"SGVyZSBpdCBpcyB7e0NPREV9fQ==\",\"jwt_email_type\":0,\"reset_password_jwt\":true,\"protect_endpoints\":{\"enabled\":0,\"action\":2,\"protect\":[\"\\\/wp\\\/v2\\\/users\",\"\"],\"whitelist\":[\"\",\"\"]},\"auth_codes\":[{\"code\":\"12345678910\",\"role\":\"customer\",\"expiration_date\":\"2030-12-23 23:34:59\"}],\"auth_code_key\":\"AUTH_KEY\"}",
        ".label": "JWT"
    }

    I had not set any settings for Woocommerce. After setting those settings in JWT, when I tried to access /wp-admin – I get the error noted

    Can you please review and let me know if you can reproduce? This is a bit of a thorn in my side right now, and I would like to work with you to fix it, if possible.

    Thanks!
    Terrance
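Why the htpasswd credentials from the login form reach the JWT code at all, and what a scheme-aware check looks like, as an added example that is not code from Simple JWT Login or from anyone in this thread. It covers both the original report (every wp-json endpoint failing as soon as someone has passed the Basic Auth prompt) and the middleware error shown above. Once a browser has authenticated at /wp-login.php it keeps sending the same `Authorization: Basic ...` header to every URL in that directory and below, which on a standard install is the whole site including /wp-json/; Apache no longer requires it there, but the header is still present, and the `RewriteRule ... [E=HTTP_AUTHORIZATION:...]` line in the second .htaccess passes it through to PHP. With `request_jwt_header` enabled and the header key set to `Authorization`, a middleware that hands the raw header value to a JWT decoder receives one base64 blob instead of three dot-separated segments, which matches the "Wrong number of segments" response. The function names below (`extract_bearer_token`, `jwt_segments`, `classify_authorization`) are hypothetical, and the sample headers are constructed; no real credentials or signed tokens are used.

```php
<?php
// Added example (not Simple JWT Login code): read the Authorization header
// by scheme, so that "Basic" credentials left over from an .htaccess prompt are
// never mistaken for a bearer JWT. Function names are hypothetical.

declare(strict_types=1);

/**
 * Return the bearer token from an Authorization header, or null when the
 * header is absent or carries another scheme (Basic, Digest, ...).
 * Scheme names are case-insensitive (RFC 7235).
 */
function extract_bearer_token(?string $authorization): ?string
{
    if ($authorization === null) {
        return null;
    }
    if (preg_match('/^\s*Bearer\s+(\S+)\s*$/i', $authorization, $m) !== 1) {
        return null;
    }
    return $m[1];
}

/**
 * Split a compact JWS into its three base64url segments before decoding.
 * Returns the segments, or null when the token is malformed; a Basic
 * credential blob has no dots and fails here with one segment.
 */
function jwt_segments(string $token): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null; // the "Wrong number of segments" case
    }
    foreach ($parts as $part) {
        if ($part === '' || preg_match('/^[A-Za-z0-9_-]+$/', $part) !== 1) {
            return null;
        }
    }
    return $parts;
}

/**
 * What a request-time middleware should do with the header:
 *   'jwt'    -> a well-formed bearer token was found; verify its signature next
 *   'skip'   -> no bearer token (header absent or another scheme); leave the
 *               request to WordPress' normal cookie/anonymous handling
 *   'reject' -> a Bearer token was presented but is not a valid compact JWS
 */
function classify_authorization(?string $authorization): string
{
    $token = extract_bearer_token($authorization);
    if ($token === null) {
        return 'skip';
    }
    return jwt_segments($token) === null ? 'reject' : 'jwt';
}

/** base64url without padding, as used for JWT segments. */
function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Constructed sample headers: what the browser sends after the .htaccess
// prompt, and what an API client sends with a (placeholder-signed) JWT.
$basic  = 'Basic ' . base64_encode('htpasswd-user:htpasswd-secret');
$bearer = 'Bearer ' . implode('.', [
    b64url('{"alg":"HS256","typ":"JWT"}'),
    b64url('{"sub":"1","exp":4102444800}'),
    b64url('signature-placeholder'),
]);

foreach ([null, $basic, $bearer, 'Bearer not.a.valid.jwt'] as $header) {
    printf("%-70s => %s\n", var_export($header, true), classify_authorization($header));
}
// The Basic header classifies as 'skip': the request falls through to
// WordPress instead of producing a JWT error on a public endpoint.
```

To reproduce the browser's behaviour from the command line, send the htpasswd credentials with `curl -u user:pass` to a public wp-json endpoint such as /wp-json/wp/v2/posts; the curl tests in the reply above send only a Bearer header, so they never exercise the case where a Basic credential is present on a REST request. On the configuration side, the exported settings show the trigger combination: `request_jwt_header` enabled with the header key `Authorization` and `api_middleware` enabled, so moving the JWT to a different header key, or disabling header-based retrieval in favour of the URL or cookie source, keeps the Basic credentials out of the JWT path while the plugin is unchanged.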

    Thread Starter Earthman Media

    (@earthman100)

    Hi @nicu_m

    This just stopped me in my tracks when wanting to do some testing today

    Any ideas yet on how to get around this conflict with your plugin and Woocommerce?

    T

    Thread Starter Earthman Media

    (@earthman100)

    Hi @nicu_m – Have you been able to reproduce this as in the video I provided?

    Looking forward to hearing your thoughts on this conflict with woocommerce, thanks!

  • The topic ‘Basic Auth on login form breaks API when Simple JWT installed’ is closed to new replies.