Black list

README.md

@@ -159,15 +159,40 @@ The **jwt-auth** will intercept every call to the server and will look for the a
 
 If the token is valid, the API call flow will continue as always.
 
-## Whitelisting Endpoints
+## Whitelisting/Blacklisting Endpoints
 
-Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work. 
+Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work.
+
+You can authorize all request API by returning -1 on `jwt_auth_whitelist` hook.
 
 If you're adding the filter inside theme and the whitelisting doesn't work, please create a small 1 file plugin and add your filter there.
 
+You can allow all requests with the `jwt_auth_whitelist` hook and you can block specific requests with the hook `jwt_auth_blacklist`
+
 ```php
 add_filter( 'jwt_auth_whitelist', function ( $endpoints ) {
 	$your_endpoints = array(
+		[ 
+			"method" => WP_REST_Server::READABLE,
+			"path" => '/wp-json/custom/v1/webhook2/*',
+		],
+		'/wp-json/custom/v1/webhook/*',
+		'/wp-json/custom/v1/otp/*',
+		'/wp-json/custom/v1/account/check',
+		'/wp-json/custom/v1/register',
+	);
+
+	return array_unique( array_merge( $endpoints, $your_endpoints ) );
+} );
+```
+
+```php
+add_filter( 'jwt_auth_blacklist', function ( $endpoints ) {
+	$your_endpoints = array(
+		[ 
+			"method" => WP_REST_Server::READABLE,
+			"path" => '/wp-json/custom/v1/webhook2/*',
+		],
 		'/wp-json/custom/v1/webhook/*',
 		'/wp-json/custom/v1/otp/*',
 		'/wp-json/custom/v1/account/check',

class-auth.php

@@ -658,8 +658,10 @@ public function determine_current_user( $user_id ) {
 					}
 
 					if ( ! $is_ignored ) {
-						if ( ! $this->is_whitelisted() ) {
+						if ( ! $this->is_listed( "whitelist" ) || $this->is_listed( "blacklist" ) ) {
 							$this->jwt_error = $payload;
+						}else{
+							$this->jwt_error = null;
 						}
 					}
 				}
@@ -675,15 +677,19 @@ public function determine_current_user( $user_id ) {
 	}
 
 	/**
-	 * Check whether or not current endpoint is whitelisted.
-	 *
+	 * Check whether or not current endpoint is whitelisted or blacklisted.
+	 * @param string $listType whitelist|blacklist
 	 * @return bool
 	 */
-	public function is_whitelisted() {
-		$whitelist = apply_filters( 'jwt_auth_whitelist', array() );
+	public function is_listed( $listType = "whitelist" ) {
+		$is_whitelist  = $listType == "whitelist";
+		$default_value = $is_whitelist ? array() : -1;
+		$list = apply_filters( 'jwt_auth_' . $listType, $default_value );
 
-		if ( empty( $whitelist ) || ! is_array( $whitelist ) ) {
+		if ( empty( $list ) ) {
 			return false;
+		}else if( $list === -1 ){
+			return $is_whitelist ? true : false;
 		}
 
 		$request_uri    = $_SERVER['REQUEST_URI'];
@@ -702,7 +708,7 @@ public function is_whitelisted() {
 		// Let's remove trailingslash for easier checking.
 		$request_uri = untrailingslashit( $request_uri );
 
-		foreach ( $whitelist as $endpoint ) {
+		foreach ( $list as $endpoint ) {
 			if ( is_array( $endpoint ) ) {
 				$method = $endpoint['method'];
 				$path   = $endpoint['path'];

readme.txt

@@ -146,15 +146,39 @@ The **jwt-auth** will intercept every call to the server and will look for the a
 
 If the token is valid, the API call flow will continue as always.
 
-## Whitelisting Endpoints
+## Whitelisting/Blacklisting Endpoints
 
-Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work. 
+Every call to the server (except the token creation some default whitelist) will be intercepted. However, you might need to whitelist some endpoints. You can use `jwt_auth_whitelist` filter to do it. Please simply add this filter directly (without hook). Or, you can add it to `plugins_loaded`. Adding this filter inside `init` (or later) will not work.
+You can authorize all request API by returning -1 on 'jwt_auth_whitelist' hook.
 
 If you're adding the filter inside theme and the whitelisting doesn't work, please create a small 1 file plugin and add your filter there.
 
+You can allow all requests with the 'jwt_auth_whitelist' hook and you can block specific requests with the hook 'jwt_auth_blacklist'
+
 `
 add_filter( 'jwt_auth_whitelist', function ( $endpoints ) {
 	$your_endpoints = array(
+		[ 
+			"method" => WP_REST_Server::READABLE,
+			"path" => '/wp-json/custom/v1/webhook2/*',
+		],
+		'/wp-json/custom/v1/webhook/*',
+		'/wp-json/custom/v1/otp/*',
+		'/wp-json/custom/v1/account/check',
+		'/wp-json/custom/v1/register',
+	);
+
+	return array_unique( array_merge( $endpoints, $your_endpoints ) );
+} );
+`
+
+`
+add_filter( 'jwt_auth_blacklist', function ( $endpoints ) {
+	$your_endpoints = array(
+		[ 
+			"method" => WP_REST_Server::READABLE,
+			"path" => '/wp-json/custom/v1/webhook2/*',
+		],
 		'/wp-json/custom/v1/webhook/*',
 		'/wp-json/custom/v1/otp/*',
 		'/wp-json/custom/v1/account/check',