Fix: Basic Authentication -> jwt_auth_bad_auth_header error

ouija
(@ouija)

4 years, 5 months ago
Hey,

Just wanted to share my experience with using this plugin recently, and some challenges that arose in doing so.

First off, I discovered that I was having issues prior to using this plugin with Basic Authentication failing due to using PHP-FPM / FastCGI(with PHP 7.2) (using https), and that I had to add the following to my Apache config (or .htaccess file):

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

Without this, the Authorization headers weren’t being passed to the php pages because having PHP-FPM enabled prevents this.

Secondly, I discovered that when I had the JWT Authentication for WP REST API plugin enabled (along with PHP-FPM), I was getting this jwt_auth_bad_auth_header (Authorization header malformed.) error when simply using Basic Authentication.

If I disabled PHP-FPM, this error was gone, but I would rather have this enabled, so I did a little debugging… I found that if I also passed the Bearer token with the Basic Authentication, then this error was gone.

So, I opted to edit the /jwt-authentication-for-wp-rest-api/public/class-jwt-auth-public.php file to automatically set the Bearer token if Basic Authentication was being performed and the token was missing, simply by adding the following if statement after the list($token) = sscanf($auth, 'Bearer %s'); at line 250:
```
if (!$token) {
            // Get token using basic auth
            list($username, $password) = explode( ':', base64_decode( substr( $auth, 6 ) ) );
            $request = new WP_REST_Request( 'POST', '/wp-json/jwt-auth/v1/token' );
            $request->set_param( 'username', $username );
            $request->set_param( 'password', $password );
            $JWT = new Jwt_Auth_Public('jwt-auth', '1.1.0');
            $token = $JWT->generate_token( $request );
            if (is_array($token) && isset($token['token'])) $token = $token['token'];
            return;
        }
```
Note that I did NOT replace the original if (!$token) statement at this line, but added this additional statement before it, which will set the token for you IF/WHEN Basic Authentication is being performed, so that you don’t have to pass a token as well when doing so.

This fixed the jwt_auth_bad_auth_header error that I was getting when using Basic Auth without passing a token, which again does work when I have FastCGI / PHP-FPM (libapache2-mod-fcgid) disabled, so I don’t think this is a security risk, but let me know your thoughts if you feel otherwise? 🙂

I’m just happy to have found a solution to re-enable Basic Authentication while also supporting JWT / Bearer Tokens as well.

Hope this helps anyone else looking to achieve the same thing!

Which may be a solution to: https://wordpress.org/support/topic/error-with-authorization-header-malformed/ and https://wordpress.org/support/topic/error-authorization-header-malformed-jwt_auth_bad_auth_header/
- This topic was modified 4 years, 5 months ago by ouija.

Viewing 1 replies (of 1 total)

colind
(@colind)

4 years, 4 months ago

Thanks Ouija! That solved the same issue for me. I would love the opinion of the plugin author or others with better security chops than I to chime in on this.

Viewing 1 replies (of 1 total)

The topic ‘Fix: Basic Authentication -> jwt_auth_bad_auth_header error’ is closed to new replies.

Tags