jorge07 / symfony-6-es-cqrs-boilerplate

Symfony 6 DDD ES CQRS backend boilerplate.
MIT License

JWT token was not found #177

Closed abelardolg closed 4 years ago

abelardolg commented 4 years ago

Hi there,

  1. I created a new user.
  2. I logged in with that newly created user.
  3. I sent several data from a form.
  4. These form data were received by a GET controller. When I checked that this form was valid, then
  5. I redirected from this GET controller to a POST API controller, but
  6. it returned the "JWT token was not found" message.

I think a JWT token was created, since I could log in with my user.

Isn't it enough to log in with my user to get a valid JWT token?

What's wrong?

Best regards.

abelardolg commented 4 years ago

I have deeply navigated through your code and I think the JWT token is generated with the GetTokenHandler (as its proper name indicates).

Could you kindly tell me if I am doing it correctly?

  1. In each UI web controller, I receive form data.
  2. I redirect each request to a specific REST controller.
  3. Inside the REST controller, I create a session object in order to get the user session.
  4. Inside the object returned by the session object, a user and an email are found.
  5. With the user's email, I retrieve the JWT token by creating a "getTokenQuery" query and sending it to the query bus.
  6. I have to add it to the header of the request object to execute the command.

I would like to know if I am wrong with this roadmap, thanks.

Best regards.

jorge07 commented 4 years ago

In theory that was a feature, not a bug. Here is the explanation:

Web and API are different areas for the security component. Even if you can share the user provider between those two, they are still different areas with different auth methods. See here https://github.com/jorge07/symfony-5-es-cqrs-boilerplate/blob/master/config/packages/security.yaml#L35 https://github.com/jorge07/symfony-5-es-cqrs-boilerplate/blob/master/config/packages/security.yaml#L43

It is up to you to change this behavior depending on your use case or the context of your application. For example, if I'm building a site with Symfony and Twig, I'll probably:

1- Not use an /api/ area and just keep things done with the proper verbs, like it's done in SignUpController.
2- If you want to use the API for whatever reason and use the same auth mechanism, simply modify the security config to include api in your secure area and delete the other one.

I hope you find this helpful
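The two layouts the comment above contrasts, sketched as an added illustration (this is not the repository's `security.yaml`, and the provider name, user class and route names are assumptions). The first document shows why a session created by the web login form does not satisfy the `/api` firewall: that firewall is stateless and only accepts a bearer token. The second document is the "include api in your secure area and delete the other one" variant.

```yaml
# Added example, not the project's own config. Assumes LexikJWTAuthenticationBundle
# (which provides the "jwt" authenticator), a provider named app_user_provider
# loading App\Entity\User by email, and routes named "login" / "logout".
security:
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User   # hypothetical user class
                property: email

    # Firewalls are matched top to bottom on the request path: "api" must be
    # declared before the catch-all "main" or it would never be reached.
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Area 1: the JSON API. "stateless: true" means the session cookie set
        # by the web login is never consulted here. Each request has to carry
        # "Authorization: Bearer <token>"; without it the JWT authenticator
        # rejects the request with a 401, which is the error the issue reports
        # when a web controller redirects into /api.
        api:
            pattern: ^/api
            stateless: true
            provider: app_user_provider
            jwt: ~

        # Area 2: the Twig front end. Session-based form login; the shared
        # provider does not make the two areas share an authentication.
        main:
            pattern: ^/
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: login
                check_path: login
            logout:
                path: logout

    access_control:
        - { path: ^/api/auth, roles: PUBLIC_ACCESS }          # token endpoint
        - { path: ^/api,      roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/login,    roles: PUBLIC_ACCESS }
        - { path: ^/,         roles: ROLE_USER }

---
# Variant 2 from the comment: one area, one auth mechanism. The "api" firewall
# is removed, so /api falls under "main" and is protected by the same session
# the form login created; no JWT is involved at all.
security:
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User   # hypothetical user class
                property: email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: login
                check_path: login
                enable_csrf: true        # POSTs are now cookie-authenticated
            logout:
                path: logout

    access_control:
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/api,   roles: ROLE_USER }     # same session as the web UI
        - { path: ^/,      roles: ROLE_USER }
```

With the first layout, a browser redirect from a web controller to a `/api` route can never succeed on its own, because the redirect carries the session cookie but not a bearer header; the API has to be called by a client that obtained a token from the token endpoint and sends it explicitly. With the second layout the API endpoints become cookie-authenticated like any other page, so the CSRF protection that applies to the form login should be applied to every state-changing API route as well.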

jorge07 commented 4 years ago

Closing :)