wp-graphql/wp-graphql-jwt-authentication

403 Not Returned

miguelocarvajal opened this issue · 1 comments

Hello!

When running a query with an expired/invalid JWT token, I get the "Internal Server Error" which is fine, but do not get the 403 HTTP code.

This is problematic because determining the cause of the error on the client side now turns into parsing strings (and even that is vague because the error is generic with debugging turned off).

I looked through the code and found the problem to be validate_token:

return new \WP_Error( 'invalid-jwt', __( 'The iss do not match with this server', 'wp-graphql-jwt-authentication' ) );

return new \WP_Error( 'invalid-jwt', __( 'User ID not found in the token', 'wp-graphql-jwt-authentication' ) );

return new \WP_Error( 'invalid-jwt', __( 'The User Secret does not match or has been revoked for this user', 'wp-graphql-jwt-authentication' ) );

These lines are returning a WP_Error and not setting the status code on line 610.

Was this done for a specific reason I am missing?
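As an added illustration (not the plugin's own code, and not part of the original report), the snippet below shows the WordPress convention the three quoted lines are missing: attaching `array( 'status' => 401 )` as the third argument of `WP_Error`, so the layer that writes the HTTP response can read the status back out of `get_error_data()` instead of falling through to a generic 500. `example_validate_token()` and `example_status_for()` are hypothetical names, the claim layout and sample tokens are constructed for the example, and a minimal `WP_Error` stand-in is declared only when WordPress is not loaded so the file runs with plain `php`.

```php
<?php
// Added example, not the wp-graphql-jwt-authentication plugin's code.
// Demonstrates carrying an HTTP status inside WP_Error so a rejected JWT
// can surface as 401 rather than a generic 500.

// Minimal stand-in for WordPress's WP_Error, declared only outside WordPress
// so this file is self-contained. Inside WordPress the real class is used.
if ( ! class_exists( 'WP_Error' ) ) {
    class WP_Error {
        private $code;
        private $message;
        private $data;
        public function __construct( $code = '', $message = '', $data = '' ) {
            $this->code    = $code;
            $this->message = $message;
            $this->data    = $data;
        }
        public function get_error_code()    { return $this->code; }
        public function get_error_message() { return $this->message; }
        public function get_error_data()    { return $this->data; }
    }
    function is_wp_error( $thing ) { return $thing instanceof WP_Error; }
}

/**
 * Hypothetical replacement for the plugin's validate_token() checks.
 * Every rejection carries array( 'status' => 401 ), the same convention the
 * WordPress REST API uses, so callers no longer have to parse the message.
 * The claim layout ($claims['data']['user'][...]) is assumed for the example.
 */
function example_validate_token( array $claims, $expected_iss, $expected_secret ) {
    $unauthorized = array( 'status' => 401 );

    if ( empty( $claims['iss'] ) || $claims['iss'] !== $expected_iss ) {
        return new WP_Error( 'invalid-jwt', 'The iss do not match with this server', $unauthorized );
    }
    if ( empty( $claims['data']['user']['id'] ) ) {
        return new WP_Error( 'invalid-jwt', 'User ID not found in the token', $unauthorized );
    }
    $presented = isset( $claims['data']['user']['secret'] ) ? (string) $claims['data']['user']['secret'] : '';
    // hash_equals() gives a constant-time comparison of the per-user secret.
    if ( '' === $presented || ! hash_equals( (string) $expected_secret, $presented ) ) {
        return new WP_Error( 'invalid-jwt', 'The User Secret does not match or has been revoked for this user', $unauthorized );
    }
    return $claims;
}

/**
 * Map a validation result to the HTTP status the response should carry.
 * A WP_Error without a 'status' entry still falls back to 500, which is the
 * behaviour the issue describes for the plugin's current returns.
 */
function example_status_for( $result ) {
    if ( ! is_wp_error( $result ) ) {
        return 200;
    }
    $data = $result->get_error_data();
    return ( is_array( $data ) && isset( $data['status'] ) ) ? (int) $data['status'] : 500;
}

// Constructed sample claim sets (signature verification is out of scope here).
$good    = array( 'iss' => 'https://example.test', 'data' => array( 'user' => array( 'id' => 7, 'secret' => 's3cr3t' ) ) );
$bad_iss = array( 'iss' => 'https://attacker.test', 'data' => $good['data'] );
$no_user = array( 'iss' => 'https://example.test', 'data' => array() );
$legacy  = new WP_Error( 'invalid-jwt', 'error without status data' ); // what the plugin returns today

foreach ( array( 'good' => $good, 'bad_iss' => $bad_iss, 'no_user' => $no_user ) as $name => $claims ) {
    $result = example_validate_token( $claims, 'https://example.test', 's3cr3t' );
    printf( "%-8s HTTP %d  %s\n", $name, example_status_for( $result ),
        is_wp_error( $result ) ? $result->get_error_message() : 'ok' );
}
printf( "%-8s HTTP %d  %s\n", 'legacy', example_status_for( $legacy ), $legacy->get_error_message() );
```

Whatever component finally writes the response (the plugin's own filter or the WPGraphQL router) only has to call `example_status_for()`-style logic on the `WP_Error` it receives; with the status travelling inside the error object, the client can branch on the HTTP code and refresh the token without inspecting message strings.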

Hello!
Not receiving the correct message and http status code makes it difficult for the frontend to interpret the error.

For now on the frontend I check if the token has expired and refresh it if necessary. This approach becomes difficult when dealing with users from different time zones.

I believe that each graphql request with a JWT that for some reason is not valid must always respond with the 401 status code, giving the frontend the possibility to request a new authToken.

I don't know if there is a specific reason for this behavior. Maybe @jasonbahl, who did an amazing job with this plugin, can clarify the doubt.