Closed axlon closed 1 year ago
@axlon I'm curious - how does Passport expect the EncryptCookies middleware to be inactive when reading the JWT cookie? How does it actually enforce that in the code?
@taylorotwell it reads the cookie when trying to authenticate through the token guard; when it does this, it decrypts the cookie similarly to how EncryptCookies does (this implicitly relies on EncryptCookies not being active, because if it was, the cookie would have already been decrypted and trying to decrypt it again would cause an error):
This PR adds a new option to Passport to not decrypt the JWT cookie when authenticating.
Currently, when dealing with the JWT cookie, Passport's behaviour is this:

- when creating the cookie, it expects the EncryptCookies middleware to be active, and relies on it for encryption
- when reading the cookie, it expects the EncryptCookies middleware to be inactive, and decrypts the cookie on its own

Because of this, implementing a middleware similar to Sanctum's EnsureFrontendRequestsAreStateful is currently not possible, as it will cause the JWT token to be decrypted twice.
Note that this PR does not contain any breaking changes, Passport's current behaviour stays the default behaviour. This PR only adds the option to opt-out of this behaviour.
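The following is an added illustration of the double-decryption problem described in this PR; it is not Passport's or Laravel's own code. It uses a small stand-in for Laravel's cookie Encrypter (loosely modelled on its base64 JSON payload of iv, value and mac), a constructed placeholder in place of a real JWT, and a hypothetical `$decryptCookie` flag standing in for whatever name the opt-out option actually gets. It walks through the three situations: EncryptCookies inactive on the request (the current default expectation), EncryptCookies active on the request with the guard still decrypting (the failure case), and EncryptCookies active with the opt-out enabled.

```php
<?php
// Added example, not Passport's code. Minimal stand-in for Laravel's cookie
// encryption layer: AES-256-CBC with an HMAC over the base64 iv and ciphertext.
final class CookieEncrypter
{
    public function __construct(private string $key) {} // 32-byte key for aes-256-cbc

    public function encrypt(string $value): string
    {
        $iv = random_bytes(16);
        $ct = openssl_encrypt($value, 'aes-256-cbc', $this->key, OPENSSL_RAW_DATA, $iv);
        $ivB64 = base64_encode($iv);
        $ctB64 = base64_encode($ct);
        $mac = hash_hmac('sha256', $ivB64 . $ctB64, $this->key);
        return base64_encode(json_encode(['iv' => $ivB64, 'value' => $ctB64, 'mac' => $mac]));
    }

    public function decrypt(string $payload): string
    {
        // A plaintext JWT ("a.b.c") is not valid base64/JSON, so it fails here,
        // which is the "decrypted twice" error the PR describes.
        $json = base64_decode($payload, true);
        $data = $json === false ? null : json_decode($json, true);
        if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
            throw new RuntimeException('The payload is invalid.');
        }
        $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $this->key);
        if (!hash_equals($expected, $data['mac'])) {
            throw new RuntimeException('The MAC is invalid.');
        }
        $plain = openssl_decrypt(
            base64_decode($data['value']), 'aes-256-cbc', $this->key,
            OPENSSL_RAW_DATA, base64_decode($data['iv'])
        );
        if ($plain === false) {
            throw new RuntimeException('Could not decrypt the data.');
        }
        return $plain;
    }
}

// Stand-in for the token guard's cookie read. $decryptCookie is a hypothetical
// name for the opt-out this PR proposes; true mirrors Passport's current behaviour.
function tokenFromCookie(array $cookies, CookieEncrypter $enc, bool $decryptCookie): string
{
    $raw = $cookies['laravel_token'];
    return $decryptCookie ? $enc->decrypt($raw) : $raw;
}

$enc = new CookieEncrypter(random_bytes(32));
$jwt = 'header.payload.signature'; // constructed placeholder, not a real JWT

// Response side: the cookie is written in plaintext and EncryptCookies encrypts it.
$browserCookie = $enc->encrypt($jwt);

// Case 1: EncryptCookies inactive on the request, guard decrypts on its own (works).
$cookies = ['laravel_token' => $browserCookie];
echo tokenFromCookie($cookies, $enc, true) === $jwt ? "case 1 ok\n" : "case 1 failed\n";

// Case 2: EncryptCookies active on the request, so the cookie is already
// decrypted when the guard sees it; decrypting again throws.
$cookies = ['laravel_token' => $enc->decrypt($browserCookie)];
try {
    tokenFromCookie($cookies, $enc, true);
    echo "case 2 unexpectedly succeeded\n";
} catch (RuntimeException $e) {
    echo "case 2 double decrypt fails: {$e->getMessage()}\n";
}

// Case 3: same request, with the opt-out: the guard takes the cookie as-is.
echo tokenFromCookie($cookies, $enc, false) === $jwt ? "case 3 ok\n" : "case 3 failed\n";
```

The point of the example is that the guard's own decryption and the EncryptCookies middleware are mutually exclusive on the inbound path: whichever layer runs second sees plaintext and fails. An opt-out that skips the guard-side decryption is what allows a stateful-frontend middleware in the style of Sanctum's EnsureFrontendRequestsAreStateful to keep EncryptCookies in the request pipeline.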