Authorization Header conflicts with protected sites #7
Comments
|
I created a fork whith this implementation and a pull request: |
|
Hi @pesseba , that PR was already merged few months ago. |
|
Looks like it all works fine when it comes to changing the auth header variable name - I've just used this in a project on Kinsta with a staging website (example below) But I'm running into a problem now with actually getting an auth token in the first place... If I send through the following curl request (yes, the username + password in the form data are valid...) I end up with an invalid username error. Presumably it's trying to use the username/password from the basic auth instead of the form data - as when I create a wordpress user with the username+password the same as the HTTP auth, the request starts to work... |
|
If I understood well, you are trying to get a token with username and password, but you are sending the Authorization header too. Try to remove Authorization header in this call. The jwt-auth/v1/token call requires only two body parameters (username and password). |
|
Ah but if I do this then the staging site nginx auth takes over and gives me a |
|
I understood now. I work in this same way in staging environment and this problem not happen with me. |
|
Are you using |
Hi, the HTTP_AUTHORIZATION header can conflict with page protection header parameter, like in WPEngine hosting, per example. This kind of page protection is usefull for sites under construction, staging and development environments with no external access.
Please, could you create a filter to change the header key used. Something like this:
$headerkey = apply_filters('jwt_auth_authorization_header', 'HTTP_AUTHORIZATION'); $auth = isset( $_SERVER[$headerkey] ) ? $_SERVER[$headerkey] : false;The text was updated successfully, but these errors were encountered: