diff --git a/README.md b/README.md
index 54a622d..c79cd24 100644
--- a/README.md
+++ b/README.md
@@ -159,15 +159,40 @@ The **jwt-auth** will intercept every call to the server and will look for the a If the token is valid, the API call flow will continue as always. -## Whitelisting Endpoints +## Whitelisting/Blacklisting Endpoints -Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work. +Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work. + +You can authorize all request API by returning -1 on `jwt_auth_whitelist` hook. If you're adding the filter inside theme and the whitelisting doesn't work, please create a small 1 file plugin and add your filter there. +You can allow all requests with the `jwt_auth_whitelist` hook and you can block specific requests with the hook `jwt_auth_blacklist` + ```php add_filter( 'jwt_auth_whitelist', function ( $endpoints ) { $your_endpoints = array( + [ + "method" => WP_REST_Server::READABLE, + "path" => '/wp-json/custom/v1/webhook2/*', + ], + '/wp-json/custom/v1/webhook/*', + '/wp-json/custom/v1/otp/*', + '/wp-json/custom/v1/account/check', + '/wp-json/custom/v1/register', + ); + + return array_unique( array_merge( $endpoints, $your_endpoints ) ); +} ); +``` + +```php +add_filter( 'jwt_auth_blacklist', function ( $endpoints ) { + $your_endpoints = array( + [ + "method" => WP_REST_Server::READABLE, + "path" => '/wp-json/custom/v1/webhook2/*', + ], '/wp-json/custom/v1/webhook/*', '/wp-json/custom/v1/otp/*', '/wp-json/custom/v1/account/check', 
diff --git a/class-auth.php b/class-auth.php
index 420e09d..765eebb 100644
--- a/class-auth.php
+++ b/class-auth.php
@@ -658,8 +658,10 @@ public function determine_current_user( $user_id ) {
 			}
 
 			if ( ! $is_ignored ) {
-				if ( ! $this->is_whitelisted() ) {
+				if ( ! $this->is_listed( "whitelist" ) || $this->is_listed( "blacklist" ) ) {
 					$this->jwt_error = $payload;
+				}else{
+					$this->jwt_error = null;
 				}
 			}
 		}
@@ -675,15 +677,19 @@ public function determine_current_user( $user_id ) {
 	}
 
 	/**
-	 * Check whether or not current endpoint is whitelisted.
-	 *
+	 * Check whether or not current endpoint is whitelisted or blacklisted.
+	 * @param string $listType whitelist|blacklist
 	 * @return bool
 	 */
-	public function is_whitelisted() {
-		$whitelist = apply_filters( 'jwt_auth_whitelist', array() );
+	public function is_listed( $listType = "whitelist" ) {
+		$is_whitelist = $listType == "whitelist";
+		$default_value = $is_whitelist ? array() : -1;
+		$list = apply_filters( 'jwt_auth_' . $listType, $default_value );
 
-		if ( empty( $whitelist ) || ! is_array( $whitelist ) ) {
+		if ( empty( $list ) ) {
 			return false;
+		}else if( $list === -1 ){
+			return $is_whitelist ? true : false;
 		}
 
 		$request_uri = $_SERVER['REQUEST_URI'];
@@ -702,7 +708,7 @@ public function is_whitelisted() {
 		// Let's remove trailingslash for easier checking.
 		$request_uri = untrailingslashit( $request_uri );
 
-		foreach ( $whitelist as $endpoint ) {
+		foreach ( $list as $endpoint ) {
 			if ( is_array( $endpoint ) ) {
 				$method = $endpoint['method'];
 				$path   = $endpoint['path'];
diff --git a/readme.txt b/readme.txt
index 56225e2..d7ba7ff 100644
--- a/readme.txt
+++ b/readme.txt
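Review bot: The new `else` branch inside `if ( ! $is_ignored )` assigns `$this->jwt_error = null`, which discards any error the method may have recorded before this point; the hunk does not show whether such an earlier assignment exists, so either confirm it is intended to be cleared here or drop the branch if nothing precedes it. Because `is_listed( "blacklist" )` is only consulted on the path where `$payload` is being stored as an error, a blacklist entry appears to mean "still require a valid token even when the whitelist allows everything" rather than "reject the request", and a comment above the condition saying so, e.g. `// Blacklisted endpoints still need a valid token even if the whitelist allows all.`, would stop readers expecting the blacklist to block authenticated callers. The braces should follow the file's existing `} else {` spacing. determine_current_user starts and ends outside the hunk.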
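Review bot: Using `-1` as the default for the blacklist filter, `$default_value = $is_whitelist ? array() : -1;`, hands an int to every `jwt_auth_blacklist` callback, so a callback written in the `array_merge( $endpoints, $your_endpoints )` form the README shows for the whitelist raises a TypeError on PHP 8; since an empty array already yields `return false`, pass `array()` for both lists: `$list = apply_filters( 'jwt_auth_' . $listType, array() );`. Dropping the `! is_array( $list )` guard also lets a non-array value other than `-1` (for example `true`, a plausible "allow all" mistake) reach the `foreach` in the following hunk, which warns and falls through to `return false`, so a misconfigured whitelist silently denies and a misconfigured blacklist silently permits; reinstate `if ( ! is_array( $list ) ) { return false; }` after the `-1` branch. Removing the public `is_whitelisted()` breaks third-party callers, so keep a one-line `@deprecated` wrapper `public function is_whitelisted() { return $this->is_listed( 'whitelist' ); }`, and prefer `'whitelist' === $listType` with `return $is_whitelist;` over the loose `==` and the `? true : false` ternary. is_listed continues past the end of the hunk.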
@@ -146,15 +146,39 @@ The **jwt-auth** will intercept every call to the server and will look for the a If the token is valid, the API call flow will continue as always. -## Whitelisting Endpoints +## Whitelisting/Blacklisting Endpoints -Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work. +Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work. +You can authorize all request API by returning -1 on 'jwt_auth_whitelist' hook. If you're adding the filter inside theme and the whitelisting doesn't work, please create a small 1 file plugin and add your filter there. +You can allow all requests with the 'jwt_auth_whitelist' hook and you can block specific requests with the hook 'jwt_auth_blacklist' + ` add_filter( 'jwt_auth_whitelist', function ( $endpoints ) { $your_endpoints = array( + [ + "method" => WP_REST_Server::READABLE, + "path" => '/wp-json/custom/v1/webhook2/*', + ], + '/wp-json/custom/v1/webhook/*', + '/wp-json/custom/v1/otp/*', + '/wp-json/custom/v1/account/check', + '/wp-json/custom/v1/register', + ); + + return array_unique( array_merge( $endpoints, $your_endpoints ) ); +} ); +` + +` +add_filter( 'jwt_auth_blacklist', function ( $endpoints ) { + $your_endpoints = array( + [ + "method" => WP_REST_Server::READABLE, + "path" => '/wp-json/custom/v1/webhook2/*', + ], '/wp-json/custom/v1/webhook/*', '/wp-json/custom/v1/otp/*', '/wp-json/custom/v1/account/check',