I'm struggling to work out the culprit, but I am also using gesdinet/jwt-refresh-token-bundle
I have a problem where I log in (using FOSUserBundle as a provider as well, although it doesn't matter whether I use the entity users or the in-memory users). I then log out and remove the token.
If I enter new (valid or invalid) information into my login field again, then the authentication process is as expected. However, if after logging out I revisit the login form and input no username or password, I'm logged back in as the same user as before. The token is returned (with a refresh token, as I'm using the bundle mentioned above).
I am not submitting the refresh_token again (that's an entirely separate process in my system, as the refresh_token is not stored in the browser and is sent to get a new token with ExpressJS).
I will continue to try and find out where the issue is, but after a while of trying I thought it was worth raising an issue here.
I did try putting the logout on the firewall, but of course that's not going to do anything as stateless is true.
Any help or advice would be greatly appreciated.
security.yml

```yaml
# To get started with security, check out the documentation:
# https://symfony.com/doc/current/security.html
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface:
            algorithm: bcrypt
            cost: 12

    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    # https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded
    providers:
        chain_provider:
            chain:
                providers: [in_memory, fos_userbundle]
        fos_userbundle:
            id: fos_user.user_provider.username
        in_memory:
            memory:
                users:
                    user: { password: user, roles: [ 'ROLE_USER' ] }
                    admin: { password: admin, roles: [ 'ROLE_ADMIN' ] }

    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        login:
            pattern: ^/login
            stateless: true
            anonymous: true
            form_login:
                check_path: /login_check
                require_previous_session: false
                success_handler: lexik_jwt_authentication.handler.authentication_success
                # We want failure to return back to the controller so we can reply with the same form in structure of other forms and display errors without additional code
                # failure_handler: lexik_jwt_authentication.handler.authentication_failure

        api:
            pattern: ^/
            stateless: true
            # These paths are accessed by users and admins - security added per controller/action
            anonymous: true
            logout:
                path: /logout
                invalidate_session: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator

    access_control:
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
```
config.yml
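A functional test that pins down the reported symptom, so it can be reproduced and later confirmed fixed. This is an added example, not code from the reporter's project: it assumes the security.yml above (in-memory user `user`/`user`, `check_path` `/login_check`, logout path `/logout`), Symfony's default `_username`/`_password` form fields, and that the Lexik success handler answers with a JSON body containing a `token` key.

```php
<?php
// Added regression test for this issue (hypothetical namespace and class name).
// Drives the same sequence as the report: real login, logout, then a blank
// form submission. The last step must never hand back a JWT.
namespace Tests\AppBundle\Security;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

class EmptyCredentialsLoginTest extends WebTestCase
{
    public function testBlankCredentialsAfterLogoutDoNotYieldToken()
    {
        // The test client keeps cookies between requests, like a browser would.
        $client = static::createClient();

        // 1. A genuine login with the in-memory user succeeds and returns a token.
        $client->request('POST', '/login_check', ['_username' => 'user', '_password' => 'user']);
        $this->assertSame(200, $client->getResponse()->getStatusCode());
        $first = json_decode($client->getResponse()->getContent(), true);
        $this->assertArrayHasKey('token', $first);

        // 2. Log out through the path configured on the api firewall.
        $client->request('GET', '/logout');

        // 3. Re-submit the login form with both fields empty. Whatever the
        //    firewall does with leftover session state or cookies, the response
        //    must not be a success and must not carry a token.
        $client->request('POST', '/login_check', ['_username' => '', '_password' => '']);
        $response = $client->getResponse();
        $this->assertNotSame(200, $response->getStatusCode());

        // A redirect or HTML error page decodes to null; a JSON body must lack "token".
        $body = json_decode($response->getContent(), true);
        $this->assertTrue(!is_array($body) || !array_key_exists('token', $body));
    }
}
```

If step 3 fails, the token returned there identifies which stored state (session, cookie, or client-side storage) is still being honoured after logout.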