In order to get a token I post the following request:
http://example.com/wordpress/wp-json/jwt-auth/v1/token?username=MYLOGIN&password=MYPASSWORD
and in response I get a token. That’s nice, but… what if I don’t want to show the username and login in the requested URL, even a single time?
Everyone who can see my computer’s requests can catch my login and password easily. Can I somehow hide this sensitive data in request headers instead of URL parameters? I’m using the “Chrome Insomnia” app to test the REST API, and next to PARAMS and HEADERS there is an AUTH tab where I can type a username and password. Maybe that is the place I could use to send user data to get an access token without it being seen easily?
I tried to log in using the AUTH tab, but in response I get:
{
    "code": "jwt_auth_bad_auth_header",
    "message": "Authorization header malformed.",
    "data": {
        "status": 403
    }
}
Please don’t send me back to the wp-api documentation, because I couldn’t find a clear answer by reading the docs there.
Use OAuth.
It is a secure way to authorize yourself on a REST API without having to send your username and password as plain text.
The WP-API documentation has a section called OAuth Authentication. The API uses OAuth 1.0. Basically you have to install the OAuth plugin, then generate a Client which automatically gets a Key and a Secret assigned. You can use this pair for secure authentication.
You can find more detailed information in the link I gave above, it is fairly simple to implement.
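To make concrete what "a Key and a Secret" buy you, here is an added example (not code from the thread or from the WordPress OAuth plugin) of the client-side signing and server-side verification step of OAuth 1.0 with the HMAC-SHA1 method from RFC 5849. The point is that the secret never leaves the client: only a signature computed over the request travels in the Authorization header, and the server recomputes it from its own copy of the secret. The key, secrets, URL and nonce values are constructed placeholders, and the use of HMAC-SHA1 is an assumption about the plugin.

```python
"""Added example: OAuth 1.0 request signing (RFC 5849, HMAC-SHA1).
Not the WordPress OAuth plugin's code; keys and URLs are placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def _pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")


def _base_string_uri(url):
    # Scheme and host lower-cased, default ports dropped, query removed.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded URI & encoded sorted params.
    `params` holds body and oauth_* parameters; query parameters come from the URL.
    Duplicate parameter names are not modelled (a dict is used for simplicity)."""
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    all_params = list(query_params) + [
        (k, v) for k, v in params.items() if k != "oauth_signature"
    ]
    encoded = sorted((_pct(k), _pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(_base_string_uri(url)), _pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # The signing key is both secrets, percent-encoded and joined by '&'.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Client side: produce the oauth_* parameters, including the signature."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth_params["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


def verify_signature(method, url, params, oauth_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature from the stored secrets and
    compare in constant time. A replay check on nonce/timestamp is still
    needed in a real server and is not shown here."""
    presented = oauth_params.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def authorization_header(oauth_params, realm=None):
    """Render the oauth_* parameters as an 'Authorization: OAuth ...' header value."""
    items = [f'realm="{realm}"'] if realm else []
    items += [f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(oauth_params.items())]
    return "OAuth " + ", ".join(items)


if __name__ == "__main__":
    # Constructed demo values; the secrets are never placed in the header.
    url = "https://example.com/wp-json/wp/v2/posts?page=2"
    signed = sign_request("GET", url, {}, "client-key", "client-secret",
                          "access-token", "token-secret")
    print(authorization_header(signed, realm="wp"))
    print("verified:", verify_signature("GET", url, {}, signed, "client-secret", "token-secret"))
```

Note that a signature covers the method, the URL (including query parameters) and the body parameters, so a proxy that sees the request can neither learn the secret nor alter the request without invalidating it; it can still replay it, which is why the server must also reject reused nonce/timestamp pairs.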
To answer your original question on how you can keep people from seeing your passwords in Insomnia, it is recommended that you put sensitive data in an environment variable and reference it in your request.
You can define your environment JSON like this…
And reference them in the params tab (or anywhere else) using Nunjucks template syntax like {{ username }} and {{ password }}. Here’s a link to the docs on Environment Variables inside Insomnia.
~ Gregory
Although I agree OAuth (Really OpenID Connect) is a better solution,
USE HTTPS.
Since SSL/TLS is performed before you make the request, it will be encrypted over the network.
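Putting the two answers above together with the original question, here is an added example (not code from the thread or from the JWT plugin) that keeps the login and password out of the URL: it flags credential-looking query parameters before a request is sent, builds the token request as a POST whose body carries the credentials, refuses anything that is not HTTPS, and then uses the returned token only in an Authorization header. The endpoint path is the one from the question; that the plugin accepts the credentials in a JSON body and answers with a field named `token` is an assumption, and the host, login and token values are placeholders.

```python
"""Added example: requesting and using a JWT without exposing credentials in
the URL. Not the plugin's own code; the request format is an assumption."""
import json
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never appear in a query string: URLs are
# written to server access logs, proxy logs, browser history and Referer headers.
SENSITIVE_KEYS = {"username", "password", "token", "secret", "key"}

TOKEN_PATH = "/wp-json/jwt-auth/v1/token"  # path from the question


def credential_in_url(url):
    """Return the sorted names of query parameters that look like credentials."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SENSITIVE_KEYS)


def build_token_request(base_url, username, password):
    """Describe a POST that carries the credentials in the body over TLS.
    Refuses plain HTTP, since only TLS keeps the body from passive observers."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send credentials over plain HTTP")
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + TOKEN_PATH,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"username": username, "password": password}),
    }


def extract_token(response_body):
    """Pull the token out of the plugin's JSON reply (field name assumed)."""
    data = json.loads(response_body)
    if "token" not in data:
        raise ValueError(f"no token in response: {data.get('code', 'unknown error')}")
    return data["token"]


def bearer_request(base_url, token, path):
    """Describe an authenticated GET: the token travels in a header, not the URL."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send a bearer token over plain HTTP")
    return {
        "method": "GET",
        "url": base_url.rstrip("/") + path,
        "headers": {"Authorization": f"Bearer {token}"},
        "body": None,
    }


def send(request):
    """Send one of the request descriptions above with urllib and return the body."""
    if credential_in_url(request["url"]):
        raise ValueError("credentials would leak through the query string")
    body = request["body"].encode() if request["body"] else None
    req = urllib.request.Request(request["url"], data=body,
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # The URL from the question: both credentials are visible in the query string.
    leaky = "http://example.com/wordpress/wp-json/jwt-auth/v1/token?username=MYLOGIN&password=MYPASSWORD"
    print("exposed in URL:", credential_in_url(leaky))
    # Placeholder site and credentials; nothing is sent unless you call send().
    login = build_token_request("https://example.com/wordpress", "MYLOGIN", "MYPASSWORD")
    print(login["method"], login["url"], "body:", login["body"])
    authed = bearer_request("https://example.com/wordpress", "<token from response>",
                            "/wp-json/wp/v2/users/me")
    print(authed["headers"])
```

Insomnia's environment variables (as in the answer above) stop the secrets from being visible in the saved request, but they do not change where the secrets go on the wire; the body-plus-TLS shape here is what keeps them out of logs and out of reach of anyone watching the traffic.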