WP License Manager / JWT Authorization - HELP?

CyberGen

Hi,

I'm going down the License Manager Rabt hole. A little help?

I've set up WP License Manager and JWT authorization. I'm trying to write a simple script that would check the user credentials and respond with a token. But all I get from the server is "500" and the authentication fails. It's string, not an object like I expect. I tried a number of things to no avail.

I was hoping someone that has gone down this path can shed some light. It would much appreciate the help. Below is the code I'm using in hise. I included the snippet as well, though to use it you'd have to put in your own server and user info.

Find the corrected code below.

d.healey

@CyberGen Before trying to get it to work in HISE, test with Hoppscotch or RestFox

https://hoppscotch.io/
https://restfox.dev/

CyberGen

@d-healey this was a good suggestion. Hoppscotch revealed some config errors. However, I'm still getting the same response in HISE ("500") and hoppscotch gives me this:

{
  "code": "jwt_auth_invalid_token",
  "message": "Wrong number of segments",
  "data": {
    "status": 403
  }
}

I've followed the installations instructions and done the following:

• WP REST API V2 Plugin: Installed and activated.
• PHP Version: Ensured your server is running PHP 7.4.0 or higher.
• HTTP Authorization Header: Modified the .htaccess file to enable the HTTP Authorization header.
• Secret Key Configuration: Added the JWT_AUTH_SECRET_KEY to your wp-config.php file.
• CORS Support: Enabled CORS by adding the JWT_AUTH_CORS_ENABLE line in wp-config.php.
• Plugin Activation: Ensured the wp-api-jwt-auth plugin is activated.

Still stuck.

Any suggestions?

Dan Korneff

@CyberGen JWT contains 3 parts, separated by dots(Header, Payload, Signature).
My guess is that when you receive the token you're dropping the dots.

orange

@CyberGen

Are you using Wordfence or similar firewall plugin on the Wordpress? If yes, make sure that API calls are allowed.

In the Wordfence, the below setting must be unchecked.

Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps 

CyberGen

@Dan-Korneff Yes, chatGPT had mentioned something similar. How/Where can I find out if I'm "dropping the dots"?

CyberGen

@orange Thanks for this suggestion. I don't have wordfence installed. But I asked their tech support if I had any other plugins installed that could block API calls. They suggested uninstalling W3 Cache. Which I did, but did not solve the problem.

CyberGen

@CyberGen Tech support revealed that log errors showed problems with the guttenberg theme. Which I proceeded to uninstall and replace with their default theme..... Still, the problem was not solved. They opened up a ticket and said they would try to work the problem from their end. I must say Nexcess' tech support is fast and good. Hopefully they find the problem if it is on their end. I wish I knew enough to be sure is not something I'm doing wrong in HISE.

CyberGen

@CyberGen @d-healey @orange @Dan-Korneff

Hi again fellas,

I've got things to work almost all the way. I will share the final code for future reference when the final issue is resolved. So far, the token is downloading properly and validation is working. License activation works but, the signature is still giving me trouble.

If I don't set a private key in the license manager API page, HISE's console gives me: "signature": "private key not set". But if set a key made with HISE's RSA key generator, it gives me: "signature": "error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length"

I tried different private key configs and algo configs, same result. Can someone share the proper settings for the License Manager API private key? Or the right length? or an app the generates the right format of key?

d.healey

@CyberGen I'm not using the REST API so I can't help you here.

CyberGen

@CyberGen

This worked for me.

1. Generate an RSA Key Pair
   Open a terminal or command prompt.

Run the following command to generate a private key:

openssl genrsa -out private.pem 2048

Extract the public key from the private key:

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

2. View the Keys
   If you want to see what your generated keys look like, you can display them using the cat command:

cat private.pem
cat public.pem

3. When setting the private key in WP License Manager API include:
   -----BEGIN RSA PRIVATE KEY-----
   and
   -----END RSA PRIVATE KEY-----

That should take care of it.

CyberGen

@CyberGen

I leave this here cuz, nobody ELSE should spend a week of their lives figuring this out. :anxious_face_with_sweat:

The code below works for me doing the following.

User Authentication:
Set up credentials for JWT token generation and sent a POST request to the /wp-json/jwt-auth/v1/token endpoint to authenticate and receive a JWT.

Token Handling:
The received JWT is used for subsequent requests to ensure each request is authenticated.

Token Validation:
The token is validated by sending it back to the server, ensuring it's valid and active before proceeding with any sensitive operations.

License Activation:
Post-token validation, we proceed to activate the license using the license key and other necessary details, which are then verified by the server.

// Server Address
Server.setBaseURL("https://yourserver.com");

// Credentials for authentication
const var credentials = 
{
  "username": "you@yourserver.com",
  "password": "yourpassword"
}

// Relevant references
const var authUrl = "/wp-json/jwt-auth/v1/token";
const var validateUrl = "/wp-json/jwt-auth/v1/token/validate";
const var activateUrl = "/wp-json/wclm/v3/activate";

reg jwtToken = "";

// Some debug stuff
Console.clear();
if (Server.isOnline()) Console.print("Server is Online!" + "\n");
Console.print("Authorization URL: " + authUrl);
Console.print("Validate URL: " + validateUrl);
Console.print("Activate URL: " + activateUrl + "\n");

// Authenticate and retrieve token
inline function authenticateUser() 
{
    Console.print("Starting authentication process...");
        
    Server.callWithPOST(authUrl, credentials, printResponse);
};

inline function printResponse(status, response) 
{
    Console.print("Received response: " + JSON.stringify(response));
    
    if (response.token != "") 
    {
        jwtToken = response.token;
        
        validateToken();
    } 
    else 
    {
        Console.print("Authentication failed: " + response.message);
    }
};

// Validate the JWT token
inline function validateToken() 
{
	Console.print("atempting to validate");

    if (jwtToken != "") 
    {
        Server.setHttpHeader("Authorization: Bearer " + jwtToken);

        Server.callWithPOST(validateUrl, {}, function(status, response) 
        {
            Console.print("Validation response: " + JSON.stringify(response));

            if (response.code == "jwt_auth_valid_token") 
            {
                Console.print("Token is valid!");
                
                activateLicense();
            } 
            else 
            {
                Console.print("Token validation failed: " + response.message);
            }
        });
    } 
    else 
    {
        Console.print("No JWT token found.");
    }
}

// License activation details
const var licenseData = 
{
    "license_key": "your-prod-key-lic"
};

// Activate the license
inline function activateLicense() 
{
    Console.print("Starting license activation..." + licenseData.license_key);

    // Set the Authorization header with the JWT token
    Server.setHttpHeader("Authorization: Bearer " + jwtToken);

    // Send the POST request to activate the license
    Server.callWithPOST(activateUrl, licenseData, handleActivationResponse);

};

// Function to handle the response from license activation
inline function handleActivationResponse(status, response)
{
	Console.print(response.signature);
	
    if (response["response"]["result"] == "success") 
    {
        Console.print(response["response"]["message"] + "!");
    } 
    else 
    {
        Console.print(response["response"]["message"] + "!");
    }
};

// Example: Trigger authentication when a button is clicked
inline function onButton1Control(component, value) 
{
    if (value) authenticateUser();
}
Content.getComponent("Button1").setControlCallback(onButton1Control);

alhug

@CyberGen nice, thanks. Our shop doesn't use wordpress so I'm building an authentication system using my own bubble app. This helped a lot setting up the plugin side of things.

CyberGen

@CyberGen A list of License Manager API endpoints. Might be useful for those using the License Manager API.

Base Endpoint:
/wclm/v3
Methods: GET
Description: Base route for the wclm/v3 namespace.
Verify License:
/wclm/v3/verify
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for verifying a license.
Activate License:
/wclm/v3/activate
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for activating a license.
Deactivate License:
/wclm/v3/deactivate
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for deactivating a license.
Get License Details:
/wclm/v3/get-license-details
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for retrieving the details of a license.
Get Product API Meta:
/wclm/v3/get-product-api-meta
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for retrieving product API metadata.
Get License Status:
/wclm/v3/get-license-status
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for retrieving the status of a license.
Get Current User Licenses:
/wclm/v3/get-current-user-licenses
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for retrieving licenses associated with the current user.
Register License Key:
/wclm/v3/register-license-key
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for registering a new license key.
Set License Status:
/wclm/v3/set-license-status
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for setting the status of a license.
Create License Key:
/wclm/v3/create-license-key
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for creating a new license key.
Update License Key:
/wclm/v3/update-license-key
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for updating an existing license key.
Delete License Key:
/wclm/v3/delete-license-key
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for deleting a license key.
Add License Key Meta:
/wclm/v3/add-license-key-meta
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for adding metadata to a license key.
Update License Key Meta:
/wclm/v3/update-license-key-meta
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for updating metadata associated with a license key.
Delete License Key Meta:
/wclm/v3/delete-license-key-meta
Methods: GET, POST, PUT, PATCH, DELETE
Description: Endpoint for deleting metadata associated with a license key.