JWT Authentication for WP REST API By Enrique Chavez, Not work #9

Closed
3 of 4 tasks
hadi-aj opened this issue Jun 19, 2023 · 6 comments
Labels
good first issue Good for newcomers

Comments

hadi-aj commented Jun 19, 2023

Prerequisites

  • I have carried out troubleshooting steps and I believe I have found a bug.
  • I have searched for similar bugs in both open and closed issues and cannot find a duplicate.

Describe the bug

Hi
I use the JWT Authentication for WP REST API plugin to authenticate users. This plugin first checks that REST_REQUEST is defined; otherwise it will not perform validation. The REST_REQUEST constant is defined in WordPress and WooCommerce, but not in CoCart.

Expected behavior

Authenticate users!

Actual behavior

Does not authenticate users!

Steps to reproduce

  1. Install JWT Authentication for WP REST API.
  2. Log in user by /wp-json/jwt-auth/v1/token.
  3. Call /wp-json/cocart/v2/cart/add-item with token to add an item to cart.
  4. Call /wp-json/cocart/v2/cart to get cart items.

Items are empty.

WordPress Environment

`

WordPress Environment

WordPress address (URL):
Site address (URL):
WC Version:
REST API Version: ✔ 7.7.1
WC Blocks Version: ✔ 10.0.5
Action Scheduler Version: ✔ 3.5.4
Log Directory Writable: ❌ To allow logging, make writable or define a custom WC_LOG_DIR.

WP Version:
WP Multisite: –
WP Memory Limit: ❌ - We recommend setting memory to at least 64MB. See: Increasing memory allocated to PHP
WP Debug Mode: –
WP Cron: –
Language:
External object cache: –

Server Environment

Server Info:
PHP Version: - ❌ WooCommerce will run under this version of PHP, however, some features such as geolocation are not compatible. Support for this version will be dropped in the next major release. We recommend using PHP version 7.2 or above for greater performance and security. How to update your PHP version

PHP Post Max Size:
PHP Time Limit:
PHP Max Input Vars:
cURL Version:
SUHOSIN Installed: –
Max Upload Size:
Default Timezone is UTC: ❌ Default timezone is - it should be UTC
fsockopen/cURL: ❌ Your server does not have fsockopen or cURL enabled - PayPal IPN and other scripts which communicate with other servers will not work. Contact your hosting provider.
SoapClient: ❌ Your server does not have the SoapClient class enabled - some gateway plugins which use SOAP may not work as expected.
DOMDocument: ❌ Your server does not have the DOMDocument class enabled - HTML/Multipart emails, and also some extensions, will not work without DOMDocument.

GZip: ❌ Your server does not support the gzopen function - this is required to use the GeoIP database from MaxMind.
Multibyte String: ❌ Your server does not support the mbstring functions - this is required for better character encoding. Some fallbacks will be used instead for it.
Remote Post: ❌ wp_remote_post() failed. Contact your hosting provider.
Remote Get: ❌ wp_remote_get() failed. Contact your hosting provider.

Database

WC Database Version:
WC Database Prefix:
Database information: Unable to retrieve database information. Usually, this is not a problem, and it only means that your install is using a class that replaces the WordPress database class (e.g., HyperDB) and WooCommerce is unable to get database information.

Security

Secure connection (HTTPS): ❌
Your store is not using HTTPS. Learn more about HTTPS and SSL Certificates.
Hide errors from visitors: ❌Error messages should not be shown to visitors.

Active Plugins (0)

Inactive Plugins (0)

Settings

API Enabled: –
Force SSL: –
Currency: ()
Currency Position:
Thousand Separator:
Decimal Separator:
Number of Decimals:
Taxonomies: Product Types:
Taxonomies: Product Visibility:
Connected to WooCommerce.com: –
Enforce Approved Product Download Directories: –
HPOS feature screen enabled: –
HPOS feature enabled: –
Order datastore:
HPOS data sync enabled: –

WC Pages

Theme

Name:
Version:
Author URL:
Child Theme: ❌ – If you are modifying WooCommerce on a parent theme that you did not build personally we recommend using a child theme. See: How to create a child theme
WooCommerce Support: ❌ Not declared

Templates

Overrides: –

Admin

Enabled Features: activity-panels, analytics, coupons, customer-effort-score-tracks, import-products-task, experimental-fashion-sample-products, shipping-smart-defaults, shipping-setting-tour, homescreen, marketing, mobile-app-banner, navigation, onboarding, onboarding-tasks, remote-inbox-notifications, remote-free-extensions, payment-gateway-suggestions, shipping-label-banner, subscriptions, store-alerts, transient-notices, woo-mobile-welcome, wc-pay-promotion, wc-pay-welcome-page

Disabled Features: product-block-editor, minified-js, new-product-management-experience, product-variation-management, settings

Daily Cron: ✔ Next scheduled: 2023-06-20 05:18:10 +00:00
Options: ✔
Notes: 83
Onboarding: completed

Action Scheduler

Complete: 113
Oldest: 2023-05-22 10:15:30 +0000
Newest: 2023-06-19 15:32:13 +0000

Failed: 10
Oldest: 2023-04-03 05:25:10 +0000
Newest: 2023-06-06 20:01:55 +0000

Pending: 3
Oldest: 2023-06-20 13:31:02 +0000
Newest: 2023-06-20 13:31:02 +0000

CoCart

Version: 3.8.1
Database Version: 3.8.1
Install Date: May 28, 2023

Carts in Session: 40
Carts Active: 40 out of 40 in session.
Carts Expiring Soon: 0 out of 40 in session.
Carts Expired: 0 out of 40 in session.
Carts Source (by CoCart): 38
Carts Source (by Web): 2
Carts Source (by Other): 0

Status report information

Generated at: 2023-06-19 17:15:24 +00:00
`

Isolating the problem

  • I have deactivated other plugins (excluding any related to the issue) and confirmed this bug occurs when only CoCart plugin is active.
  • I can reproduce this bug consistently using the steps above.
Member

seb86 commented Jun 19, 2023

Hey @hadi-aj

I don't fully understand what you mean that CoCart does not define REST_REQUEST. Are you saying that simply registering the API controllers for CoCart is not enough? Please explain if you can.

I've had a mix of feedback with this plugin where it works and does not. Mostly due to not setting up authentication headers to be approved.

I think I might be dropping support for this plugin as I have my own JWT plugin specifically for CoCart. Last CoCart update v3.8.1 was to support it.

But if you can find where REST_REQUEST is needed to make this JWT plugin work, please push a fix.

Thank you for reporting the issue.

seb86 added the good first issue label Jun 19, 2023
Author

hadi-aj commented Jun 24, 2023

Hi
WordPress defines this constant in the rest_api_loaded function in the wp-includes/rest-api.php file, which is implemented when calling parse_request, and it is also defined in WooCommerce on a REST request. In this JWT plugin, in the determine_current_user function, the existence of this constant is checked to identify a REST request, and this plugin does not work because it is not defined in CoCart.

I defined this constant in the setup_constants method in the CoCart class and the problem was solved, and it also worked for the exam at the .../jwt-auth-by-useful-team/class-cocart-plugin-jwt-auth.php.

Thank you for your awesome plugin.

Member

seb86 commented Jun 24, 2023

@hadi-aj Yes, WordPress defines REST_REQUEST as true when rest_api_loaded is called, which is why any REST API including custom controllers registered like WooCommerce and CoCart work.

If you define REST_REQUEST when CoCart is setting up constants then WordPress is going to assume you're doing a REST API request all the time, which will not help you.

I think the issue is not defining again REST_REQUEST but the priority order JWT needs to change when it is checking the current user via determine_current_user which is at the default 10.

WooCommerce hooks at priority 15 and CoCart hooks at priority 16.

Author

hadi-aj commented Jun 25, 2023

Yes, you are right. We should not define REST_REQUEST manually.

After about 10 hours of debugging, I think I found the problem: in the CoCart_REST_API class, wc_load_cart() is called in the maybe_load_cart method, but the user is not identified due to the lack of REST_REQUEST (which is checked in the JWT plugin).

I moved this method to the parse_request hook and the problem was resolved.

add_action( 'parse_request', array( $this, 'maybe_load_cart' ), 0 );

Member

seb86 commented Jun 25, 2023

I already said it's a load order of determine_current_user. So really it needs unhooking and rehooking later.

Member

seb86 commented Jun 14, 2024

Completely forgot this issue was still open. Just tested the JWT plugin and it works with no changes made where you suggested. Closing for now.

seb86 closed this as completed Jun 14, 2024
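
The timing problem hadi-aj describes in this thread, as an added plain-PHP model (not CoCart's or the JWT plugin's code, and it does not load WordPress): a `determine_current_user` callback that returns early until the request is flagged as REST, with the cart resolved before and after that flag is set. `$state['rest_request']` stands in for the `REST_REQUEST` constant, and every `model_*` name and the user ID are assumptions made for the illustration.

```php
<?php
// Added illustration: a plain-PHP model of the hook timing discussed in this
// thread. $state['rest_request'] stands in for the REST_REQUEST constant and
// all model_* function names are hypothetical.

$state = ['rest_request' => false, 'filters' => []];

// Minimal stand-in for add_filter(): callbacks grouped by priority.
function model_add_filter(array &$state, string $hook, callable $cb, int $priority = 10): void {
    $state['filters'][$hook][$priority][] = $cb;
}

// Minimal stand-in for apply_filters(): lower priority numbers run first.
function model_apply_filters(array $state, string $hook, $value) {
    $by_priority = $state['filters'][$hook] ?? [];
    ksort($by_priority);
    foreach ($by_priority as $callbacks) {
        foreach ($callbacks as $cb) {
            $value = $cb($value, $state);
        }
    }
    return $value;
}

// JWT-style callback at the default priority 10: it only looks at the token
// once the request has been flagged as a REST request.
model_add_filter($state, 'determine_current_user', function ($user_id, array $s) {
    if (!$s['rest_request']) {
        return $user_id;                 // early return: token never inspected
    }
    return $s['token_user'] ?? $user_id;
}, 10);

// Resolve the current user the way a cart loader would at the moment it runs.
function model_load_cart(array $state): string {
    $user_id = model_apply_filters($state, 'determine_current_user', 0);
    return $user_id ? "cart for user $user_id" : 'guest cart';
}

$state['token_user'] = 42;               // constructed: user carried by the JWT

// Case 1: cart loaded before the rest_api_loaded step has set the flag.
echo model_load_cart($state), PHP_EOL;

// Case 2: cart loaded on parse_request, after the flag has been set.
$state['rest_request'] = true;
echo model_load_cart($state), PHP_EOL;
```

In the first case the request carries a valid token yet is silently handled as a guest, which is the empty-cart symptom reported above; nothing fails loudly, so this kind of ordering bug is worth covering with an authenticated-request test.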