Spent some time reviewing and testing this and it works well. Didn’t run into any issues getting it to work. Awesome work!
From a security standpoint, I don’t see any obvious issues but I see some potential for improvements.
Restrict capabilities that can be performed through the jwt token
I see that the approach taken here is very flexible and basically allows the creation of a JWT token with any WP capabilities. However, I wonder if that’s really necessary. If FRONTITY_JWT_AUTH_KEY is leaked, it means that an attacker will be able to craft an arbitrary JWT token with any capability he wants, essentially gaining full control of the WP website through a feature that was built to add preview support. Unless we are trying to build an alternative authentication mechanism to the REST API, I’d suggest we change the approach a bit.
My suggestion here is to take capabilities and allowed_methods out of the JWT payload and replace them with a type=preview. Then when reading the token we validate the token and, by checking the type, we perform the necessary checks for allowed_methods and which capabilities we need to change in order to make that request successful. So even if the auth key is leaked, it would only expose the preview feature.
We should also check if this token was generated by Frontity, either by checking the supported types or adding a “frontity signature” to it. Just to make sure we don’t try to read a token generated with SECURE_AUTH_KEY for other purposes.
Minor: Avoid using glob to load files
In frontity-embedded.php the PoC is using glob to include the files in php-jwt; it’s preferable to just hardcode the files (or use an autoloader).
// Explicit list of php-jwt classes to load, instead of glob() over the folder.
$jwt_files = array(
	'BeforeValidException.php',
	'ExpiredException.php',
	'JWK.php',
	'JWT.php',
	'SignatureInvalidException.php',
);
// Load php-jwt classes.
foreach ( $jwt_files as $filename ) {
	// plugin_dir_path() already returns a trailing slash, so no leading slash is needed here.
	require_once plugin_dir_path( __FILE__ ) . 'includes/php-jwt/' . $filename;
}
Another potential but minor issue is that it is just going to include any files in that folder, which would give attackers a new way of running malicious code if they manage to upload a file to that folder.
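The type=preview design described above, as an added illustration that is not code from the PR or from the Frontity project: a Python sketch (the plugin itself is PHP) with a constructed key, assumed capability names, and a minimal HS256 JWT implementation standing in for php-jwt. The token carries only an issuer marker, a type and an expiry; allowed methods and capabilities live in a server-side policy, so any such fields an attacker puts in the payload are ignored.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder; in WordPress the real FRONTITY_JWT_AUTH_KEY lives in wp-config.php.
FRONTITY_JWT_AUTH_KEY = b"example-key-replace-me"

# Server-side policy keyed by token type. What a token may do is decided here, never by
# fields inside the token. The capability names are assumptions chosen for illustration.
TOKEN_POLICIES = {
    "preview": {"allowed_methods": {"GET"}, "capabilities": {"read_private_posts", "edit_posts"}},
}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, key):
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())

def issue_token(token_type, ttl_seconds, key=FRONTITY_JWT_AUTH_KEY, now=None, extra_claims=None):
    """Mint an HS256 JWT whose payload carries only an issuer marker, a type and an expiry."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "frontity", "type": token_type, "exp": now + ttl_seconds, **(extra_claims or {})}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}." + _sign(f"{header}.{payload}".encode(), key)

def authorize(token, method, key=FRONTITY_JWT_AUTH_KEY, now=None):
    """Validate the token and return the capabilities the server grants for this request.
    Raises PermissionError on failure; capabilities/allowed_methods in the payload are ignored."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, payload, sig = parts
    # Pin the algorithm so the token cannot choose how it is verified.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{header}.{payload}".encode(), key), sig):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != "frontity" or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("not a live Frontity token")
    policy = TOKEN_POLICIES.get(claims.get("type"))
    if policy is None:
        raise PermissionError("unsupported token type")
    if method.upper() not in policy["allowed_methods"]:
        raise PermissionError("%s not allowed for %s tokens" % (method, claims["type"]))
    return set(policy["capabilities"])
```

A leaked key then lets someone mint a preview token, but not one that unlocks methods or capabilities beyond what the preview policy grants.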