Deleted user can still authenticate #24
Comments
Well, I guess the token contains the email, and that is used as the security principal.... if the email is the same, the token still validates and has no awareness (nor it needs to have) of the user ID. I don't see this as a security concern, to be honest... let's see what the author thinks.
In my case, both Probably there is no comparison between token fields and fields returned from the WordPress function that searches for a user by email.
I agree with @dani3l3. This is how this plugin works (search a user by the payload). I believe that, if you invalidate the JWT after you delete the user, it will solve your issue. This way, you can make sure that the JWT generated by this user will not be valid to access the newly created user. Also, you can set an expiration time for the JWTs. But I would suggest you use the ID instead of the email.
Bug Description
test@example.com
jwt1
jwt2
Since user IDs have changed, I expect the jwt1 to be marked as invalid. In fact, both tokens can be used to access protected endpoints.
Environment
Other installed plugins (optional)
Additional Context (optional)
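The scenario in the report (delete a user, recreate one with the same email, both tokens still work) beside the fix the comments suggest (bind the token to the user ID, give it an expiry, and refuse tokens minted before the current record existed), as an added Python example that is not the plugin's own code. The HS256 mint/verify helpers, the in-memory user table, the `registered`/`iat` comparison and the secret are all constructed here for the demo; how the real plugin stores users and signs tokens is assumed, not taken from the page.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Minimal HS256 JWT (header.payload.signature), enough for the demo."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_signature(token: str) -> Optional[dict]:
    """Return the claims if the HMAC checks out, else None."""
    head, body, sig = token.split(".")
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(_unb64(body)) if hmac.compare_digest(want, _unb64(sig)) else None

# Constructed stand-in for the WordPress users table: id -> record.
USERS: dict = {}
NEXT_ID = [1]

def create_user(email: str, registered: int) -> int:
    uid, NEXT_ID[0] = NEXT_ID[0], NEXT_ID[0] + 1
    USERS[uid] = {"email": email, "registered": registered}
    return uid

def delete_user(uid: int) -> None:
    USERS.pop(uid)

def auth_by_email(token: str) -> Optional[int]:
    """Lookup as the issue describes it: the email claim is the principal."""
    claims = verify_signature(token)
    if claims is None:
        return None
    return next((u for u, r in USERS.items() if r["email"] == claims["email"]), None)

def auth_by_id(token: str, now: int) -> Optional[int]:
    """Hardened: bind to the user ID, honour exp, reject tokens older than the record."""
    claims = verify_signature(token)
    if claims is None or claims.get("exp", 0) <= now:
        return None
    rec = USERS.get(claims["sub"])
    return claims["sub"] if rec and claims["iat"] >= rec["registered"] else None
```

With the email lookup, jwt1 resolves to the recreated account; with the ID lookup plus the registered-time check it is rejected even if the database ever reused the numeric ID.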