PHP-Open-Source-Saver / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
MIT License

Auth::check() passed with invalidated token. #205

Closed chris-lee-lb closed 1 year ago

chris-lee-lb commented 1 year ago

Subject of the issue


Your environment:

Q A
Bug? yes
New Feature? no
Framework Laravel
Framework version 9.45.1
Package version 2.0.0
PHP version 8.1.13

Steps to reproduce

Just call Auth::setToken($token)->check()

Expected behaviour

An invalidated token should not pass.

Actual behaviour

The invalidated token has passed.

Some Research

Looks like when we call class PHPOpenSourceSaver\JWTAuth's function check(), we actually call trait Illuminate\Auth\GuardHelpers's function check(), which does not include the blacklist checks.

chris-lee-lb commented 1 year ago

Or maybe we should add blacklist checks at class PHPOpenSourceSaver\JWTAuth\Validators\TokenValidator.

Messhias commented 1 year ago

I didn't understand your issue, please edit your post and provide the details in a deep explanation. Thanks.

chris-lee-lb commented 1 year ago

@Messhias Sorry, my fault. Looks like I should use Auth::setToken($token)->logout(); to do a proper logout, not Auth::setToken($token)->invalidate();

Because invalidate() does not clear the user instance inside JWTGuard, the following call Auth::setToken($token)->check() will still return true.

PS: my use case is in a PHPUnit test case.
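The two behaviours described in this thread (invalidate() blacklisting the token but leaving the user cached in the guard, versus logout() doing both) can be pinned down in a Laravel feature test. The test below is an added example and is not code from the issue or from the jwt-auth project. It assumes a guard named `api` that uses the package's `jwt` driver in config/auth.php, a `User` model implementing `JWTSubject` with a factory, the default `jwt.blacklist_enabled = true`, and a cache store that persists for the duration of the test (the `array` driver is enough within one PHPUnit process). `JWTAuth::setToken($token)->check()` decodes the token through the package's manager, which consults the blacklist, so it is used here as the reference for "is this token actually dead" independent of whatever the guard has cached.

```php
<?php

namespace Tests\Feature;

use App\Models\User;                                  // assumed: implements JWTSubject, has a factory
use Illuminate\Foundation\Testing\RefreshDatabase;
use PHPOpenSourceSaver\JWTAuth\Facades\JWTAuth;
use Tests\TestCase;

class InvalidateVersusLogoutTest extends TestCase
{
    use RefreshDatabase;

    /** Assumed guard name; must be configured with 'driver' => 'jwt' in config/auth.php. */
    private const GUARD = 'api';

    public function test_invalidate_alone_leaves_the_cached_user_so_check_still_passes(): void
    {
        $user  = User::factory()->create();
        // login() issues a token and also stores $user inside the JWTGuard instance.
        $token = auth(self::GUARD)->login($user);

        // Blacklists the token (by its jti) but does NOT touch the guard's cached user.
        auth(self::GUARD)->setToken($token)->invalidate();

        // Decoding the token outside the guard now fails: it is blacklisted.
        $this->assertFalse(JWTAuth::setToken($token)->check());

        // auth('api') returns the same resolved guard instance, which still holds $user.
        // GuardHelpers::check() only asks whether user() is non-null, so it passes.
        $this->assertTrue(auth(self::GUARD)->setToken($token)->check());
    }

    public function test_logout_clears_the_cached_user_so_check_fails(): void
    {
        $user  = User::factory()->create();
        $token = auth(self::GUARD)->login($user);

        // logout() blacklists the token, sets the cached user to null and unsets the token.
        auth(self::GUARD)->setToken($token)->logout();

        $this->assertFalse(JWTAuth::setToken($token)->check());

        // With no cached user, check() has to re-resolve the user from the token,
        // which goes through the blacklist and fails.
        $this->assertFalse(auth(self::GUARD)->setToken($token)->check());
    }
}
```

The practical takeaway for a real application is the same as in the thread: a request that arrives with a blacklisted token is rejected, because a fresh guard instance has nothing cached and must decode the token; the stale `true` only shows up when the same guard instance that performed `login()` or `attempt()` is reused after `invalidate()`, which is exactly what happens inside a single test. If `jwt.blacklist_enabled` is false, neither `invalidate()` nor `logout()` can make the token itself unusable, and the first assertion in each test would fail for that reason.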