Closed roman-briazgalov closed 5 years ago
@roman-briazgalov glad to hear you like it! It seems like you submitted the issue without the full description (not a problem) 😁
That's right. I pressed Ctrl+Enter accidentally. I will finish it in 10 minutes.
@lcobucci I have changed the first message. Please check it if you have time.
@roman-briazgalov could you please send us a sample token and the values you're using to validate it? It's also important to mention that you're not verifying the signature of the token, which might allow people to change the token.
@lcobucci Hi! Thanks for the fast reply!
Here is the sample of the token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IjVkMTA1OTIzZjM1Njc4NGZlYzZmNWRiMiJ9.eyJpc3MiOiJwZGYubG9jIiwiYXVkIjoicGRmLmxvYyIsImp0aSI6IjVkMTA1OTIzZjM1Njc4NGZlYzZmNWRiMiIsInVzZXJfaWQiOiI1ZDEwNTkyM2YzNTY3ODRmZWM2ZjVkYjIifQ.JJPgjTJbDUXySieyEDzEMHY7XyEZrhuEFqiFvDtcxdM
And values for validating token: $host_name = pdf.loc $user_id = 5d105923f356784fec6f5db2
It's also important to mention that you're not verifying the signature of the token, which might allow people to change the token.
Oh! I didn't think about it. Thank you. I will read about it and try to add signature verification. I will post the results here.
@lcobucci It's OK for now! Thanks for putting me on the right track: I have added signature verification to the protected functions validate and validator, and it works well for now!
When I create a token, I use the function 'getToken':
use Illuminate\Support\Facades\Auth;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Key;

protected function issue($request, $minutes)
{
    // $minutes is not used: no "exp" claim is set, so the token never expires
    $token = (new Builder())
        ->issuedBy($request->getHost())            // "iss" claim
        ->permittedFor($request->getHost())        // "aud" claim
        ->identifiedBy($request->user()->id, true) // "jti" claim, also copied into the header
        ->withClaim('user_id', Auth::id())         // private claim read by the application
        ->getToken($this->signer, new Key(config('app.key'))); // signed with $this->signer (Sha256)
    return $token;
}
In the functions validate and validator I have added verification of the token signature:
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\ValidationData;

protected function validator($jwt, $host_name, $user_id)
{
    $token = (new Parser)->parse($jwt); // only decodes the token; it does not check the signature
    $data = new ValidationData();
    $data->setIssuer($host_name);
    $data->setAudience($host_name);
    $data->setSubject($user_id); // only enforced if the token actually carries a "sub" claim
    $signer = new Sha256();
    if (! $token->verify($signer, config('app.key'))) // this part was added for verifying the token signature
        return false;
    return $token->validate($data); // claim checks (iss, aud, sub, ...)
}
After that, the validation works properly: if I change the token, the validator returns false.
I'm not sure my code is absolutely right; it just shows how I made the token validation.
So the problem is resolved!
Thanks for the help, I am closing the issue.
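A stand-alone PHP script, added here as an example and not code from the issue above or from the lcobucci/jwt project, that shows the point raised in this thread: Parser::parse() and Token::validate() only decode and compare claims, so a token whose payload was edited but whose signature was left untouched still passes a claims-only check, while Token::verify() rejects it. It targets the lcobucci/jwt 3.x API the thread uses; the host, user id and HMAC secret are assumed/constructed values, and it also adds "sub" and "exp" claims (which the issue's token does not carry) so that setSubject() and the expiry check actually constrain something.

```php
<?php
// Added example, not code from the issue or from the lcobucci/jwt project.
// Targets the lcobucci/jwt 3.x API used in the thread. Host, user id and the
// HMAC secret below are assumed/constructed values.
require __DIR__ . '/vendor/autoload.php'; // assumes `composer require lcobucci/jwt:^3.3`

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Token;
use Lcobucci\JWT\ValidationData;

function issueToken(Signer $signer, Key $key, string $host, string $userId): Token
{
    $now = time();
    return (new Builder())
        ->issuedBy($host)                 // iss
        ->permittedFor($host)             // aud
        ->identifiedBy($userId, true)     // jti (also copied into the header, as in the issue)
        ->relatedTo($userId)              // sub: without it, ValidationData::setSubject() checks nothing
        ->issuedAt($now)                  // iat
        ->expiresAt($now + 600)           // exp: the issue's token has no expiry at all
        ->withClaim('user_id', $userId)   // private claim the application reads
        ->getToken($signer, $key);        // HMAC-SHA256 over header.payload
}

// Signature first, claims second. Parser::parse() only decodes; it proves nothing
// about who produced the token.
function isValidToken(string $jwt, Signer $signer, Key $key, string $host, string $userId): bool
{
    try {
        $token = (new Parser())->parse($jwt);
    } catch (\InvalidArgumentException | \RuntimeException $e) {
        return false; // not three dot-separated segments, or undecodable JSON
    }

    try {
        // false on HMAC mismatch or when the "alg" header is not HS256
        if (!$token->verify($signer, $key)) {
            return false;
        }
    } catch (\BadMethodCallException $e) {
        return false; // token carries no signature at all (e.g. alg "none"); verify() throws
    }

    $data = new ValidationData(); // current time defaults to now, so exp/iat/nbf are checked
    $data->setIssuer($host);
    $data->setAudience($host);
    $data->setSubject($userId);
    $data->setId($userId);

    return $token->validate($data);
}

// Attacker's move: rewrite the payload's user_id, keep header and signature untouched.
function tamperUserId(string $jwt, string $newUserId): string
{
    [$header, $payload, $signature] = explode('.', $jwt, 3);
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    $claims['user_id'] = $newUserId;
    $forgedPayload = rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');
    return $header . '.' . $forgedPayload . '.' . $signature;
}

// Claims-only check, i.e. what the thread's validator() did before verify() was added.
function claimsOnlyCheck(string $jwt, string $host): bool
{
    $data = new ValidationData();
    $data->setIssuer($host);
    $data->setAudience($host);
    return (new Parser())->parse($jwt)->validate($data);
}

$signer = new Sha256();
$key    = new Key('example-secret-do-not-use');   // constructed; use a dedicated random secret
$host   = 'pdf.loc';                               // assumed, taken from the sample token in the thread
$userId = '5d105923f356784fec6f5db2';              // assumed, taken from the sample token in the thread

$jwt    = (string) issueToken($signer, $key, $host, $userId);
$forged = tamperUserId($jwt, '000000000000000000000000');

echo 'genuine, claims only:       ', var_export(claimsOnlyCheck($jwt, $host), true), PHP_EOL;
echo 'forged,  claims only:       ', var_export(claimsOnlyCheck($forged, $host), true), PHP_EOL;
echo 'genuine, verify + validate: ', var_export(isValidToken($jwt, $signer, $key, $host, $userId), true), PHP_EOL;
echo 'forged,  verify + validate: ', var_export(isValidToken($forged, $signer, $key, $host, $userId), true), PHP_EOL;
```

Run it with `php example.php` after installing the library with Composer. The forged token keeps the genuine "iss" and "aud" values, which is exactly why the claims-only validator in the original report returned TRUE for a hand-edited token; only the HMAC comparison in verify() notices that header.payload no longer matches the signature. The script uses a dedicated secret rather than config('app.key'); whatever secret is used for HMAC signing, it has to be the same value on the issuing and the verifying side.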
@roman-briazgalov happy to know it helped!
Hi!
First of all, thank you very much for your lib. It's really simple to understand.
I have used JWT for the REST API in my app. Then I added WebSockets to the app and decided to use JWT for socket connections too.
I use Laravel 5.8, PHP 7.3. JWT works well in JWTMiddleware for REST API requests.
The working scheme for sockets and JWT:
SocketAuthHandler.php
My problem is: this function always returns TRUE. I changed the JWT manually before sending it to the server, and this function returns TRUE anyway.
The same function is used in the JWTMiddleware, that works with REST API requests:
JWTMiddleware.php
But this one works correctly: it returns TRUE with a valid token and FALSE if the token is not valid.
I logged $host_name and $user_id, which are used in these two functions; they are absolutely the same.
So could you please help me resolve this problem? What else should I check to find the reason?
Please, let me know if i missed something in my description of the problem.