wp-graphql · jasonbahl · Jul 19, 2019
diff --git a/src/Auth.php b/src/Auth.php
@@ -527,7 +527,7 @@ public static function validate_token( $token = null, $refresh = false ) {
 			 * @since 0.0.1
 			 */
 			if ( empty( $auth_header ) ) {
-				return false;
+				return $token;
 			} else {
 				/**
 				 * The HTTP_AUTHORIZATION is present verify the format
@@ -542,52 +542,60 @@ public static function validate_token( $token = null, $refresh = false ) {
 		 * If there's no secret key, throw an error as there needs to be a secret key for Auth to work properly
 		 */
 		if ( ! self::get_secret_key() ) {
-			throw new \Exception( __( 'JWT is not configured properly', 'wp-graphql-jwt-authentication' ) );
+			self::set_status( 403 );
+			return new \WP_Error( 'invalid-secret-key', __( 'JWT is not configured properly', 'wp-graphql-jwt-authentication' ) );
 		}
 
+
+
 		/**
-		 * Try to decode the token
+		 * Decode the Token
 		 */
-		try {
+		JWT::$leeway = 60;
 
-			/**
-			 * Decode the Token
-			 */
-			JWT::$leeway = 60;
+		$secret = self::get_secret_key();
 
-			$secret = self::get_secret_key();
+		try {
 			$token = ! empty( $token ) ? JWT::decode( $token, $secret, [ 'HS256' ] ) : null;
+		} catch ( \Exception $exception ) {
+			$token =  new \WP_Error( 'invalid-secret-key', $exception->getMessage() );
+		}
 
-			/**
-			 * The Token is decoded now validate the iss
-			 */
-			if ( ! isset( $token->iss ) || get_bloginfo( 'url' ) !== $token->iss ) {
-				throw new \Exception( __( 'The iss do not match with this server', 'wp-graphql-jwt-authentication' ) );
-			}
+		/**
+		 * If there's no token listed, just bail now before validating an empty token.
+		 * This will treat the request as a public request
+		 */
+		if ( empty( $token )  ) {
+			return $token;
+		}
 
-			/**
-			 * So far so good, validate the user id in the token
-			 */
-			if ( ! isset( $token->data->user->id ) ) {
-				throw new \Exception( __( 'User ID not found in the token', 'wp-graphql-jwt-authentication' ) );
-			}
+		/**
+		 * The Token is decoded now validate the iss
+		 */
+		if ( ! isset( $token->iss ) || get_bloginfo( 'url' ) !== $token->iss ) {
+			$token = new \WP_Error( 'invalid-jwt', __( 'The iss do not match with this server', 'wp-graphql-jwt-authentication' ) );
+		}
 
-			/**
-			 * If there is a user_secret in the token (refresh tokens) make sure it matches what
-			 */
-			if ( isset( $token->data->user->user_secret ) ) {
 
-				if ( Auth::is_jwt_secret_revoked( $token->data->user->id ) ) {
-					throw new \Exception( __( 'The User Secret does not match or has been revoked for this user', 'wp-graphql-jwt-authentication' ) );
-				}
+		/**
+		 * So far so good, validate the user id in the token
+		 */
+		if ( ! isset( $token->data->user->id ) ) {
+			$token = new \WP_Error( 'invalid-jwt', __( 'User ID not found in the token', 'wp-graphql-jwt-authentication' ) );
+		}
+
+		/**
+		 * If there is a user_secret in the token (refresh tokens) make sure it matches what
+		 */
+		if ( isset( $token->data->user->user_secret ) ) {
+
+			if ( Auth::is_jwt_secret_revoked( $token->data->user->id ) ) {
+				$token = new \WP_Error( 'invalid-jwt', __( 'The User Secret does not match or has been revoked for this user', 'wp-graphql-jwt-authentication' ) );
 			}
+		}
 
-			/**
-			 * If any exceptions are caught
-			 */
-		} catch ( \Exception $error ) {
+		if ( is_wp_error( $token ) ) {
 			self::set_status( 403 );
-			return new \WP_Error( 'invalid_token', __( 'The JWT Token is invalid', 'wp-graphql-jwt-authentication' ) );
 		}
 
 		self::$is_refresh_token = false;

diff --git a/wp-graphql-jwt-authentication.php b/wp-graphql-jwt-authentication.php
@@ -176,6 +176,21 @@ private static function init() {
 				'filter_determine_current_user'
 			], 99, 1 );
 
+			/**
+			 * When the GraphQL Request is initiated, validate the token.
+			 *
+			 * If the Auth Token is not valid, prevent execution of resolvers. This will also set the
+			 * response status to 403.
+			 */
+			add_action( 'init_graphql_request', function() {
+				$token = Auth::validate_token();
+				if ( is_wp_error( $token ) ) {
+					add_action( 'graphql_before_resolve_field', function() use ( $token ) {
+						throw new \Exception( $token->get_error_code() . ' | ' . $token->get_error_message() );
+					}, 1 );
+				}
+			} );
+
 			/**
 			 * Filter the rootMutation fields
 			 */