Open adrienrn opened 5 years ago
Hello!

You can decode the token in the `onAuthenticationSuccessResponse` listener by getting the `JWTEncoder` service and using its `decode()` method, as you can see below:
```php
<?php

use Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface;
use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;

class JWTListener
{
    private $decoder;

    public function __construct(JWTEncoderInterface $decoder)
    {
        $this->decoder = $decoder;
    }

    public function onAuthenticationSuccessResponse(AuthenticationSuccessEvent $event)
    {
        // $data is the response body; 'token' holds the encoded JWT string
        $data = $event->getData();
        // decode() verifies the signature and returns the payload as an array
        $payload = $this->decoder->decode($data['token']);
    }
}
```
Hope it helped ;)
Hi there,

I'm implementing a stateless CSRF protection. This is a pattern listed by OWASP and implemented by Angular using the `X-XSRF-TOKEN`. To do so, I've been using three events, `oyo42` for the sake of the example. `Set-Cookie` header. `X-XSRF-TOKEN` containing the `oyo42`.

The problem is the `onAuthenticationSuccessResponse` does not have access to the payload of the token, only the JWT as a string and the user. I inspected the code, but I did not see any way of making it available. My current workaround is to store the payload in my listener;

Working but not elegant at all. Forgive the one-liners too in the snippet above, it's a demo/proof-of-concept.

Idea 1: I feel that the `create()` method is doing two things: creating the token and encoding it; if there were two methods: `create()` returning an object and the `encode()` returning a string like today. Do you feel it could be something interesting to implement in this bundle?

Idea 2: Another way I did not experiment would be this article, splitting the token in two cookies (`{header}.{payload}` and `{signature}`) and having a listener before the guard authenticator to concatenate the two, which seems quite clever to me! Thanks a lot, :bowing_man:
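Putting the reply's `decode()` approach together with the double-submit cookie pattern described in this issue, as an added example (not the bundle's or the issue author's code). It assumes PHP 8, LexikJWTAuthenticationBundle's `JWTCreatedEvent`, `AuthenticationSuccessEvent` and `JWTEncoderInterface`, and Symfony's `Cookie` and `Request`; the claim name `xsrf` and the `requestIsCsrfSafe` helper are assumptions, and registering the listeners with the bundle's events is left out.

```php
<?php
// Added example, not from the issue or the bundle. Claim, cookie and header
// names are assumptions; the listeners still have to be registered.
use Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface;
use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;

final class XsrfCookieListener
{
    private const CLAIM  = 'xsrf';         // assumed claim name inside the JWT
    private const COOKIE = 'XSRF-TOKEN';   // cookie Angular's HttpClient reads
    private const HEADER = 'X-XSRF-TOKEN'; // header Angular echoes it back in

    public function __construct(private JWTEncoderInterface $decoder) {}

    // 1. While the JWT is being built: embed a fresh random CSRF value.
    public function onJWTCreated(JWTCreatedEvent $event): void
    {
        $data = $event->getData();
        $data[self::CLAIM] = bin2hex(random_bytes(32));
        $event->setData($data);
    }

    // 2. On the login response: decode the issued JWT (decode() throws on a bad
    //    token) and mirror the claim into a cookie. Not HttpOnly: the SPA reads it.
    public function onAuthenticationSuccessResponse(AuthenticationSuccessEvent $event): void
    {
        $payload = $this->decoder->decode($event->getData()['token']);
        if (empty($payload[self::CLAIM])) {
            return; // claim missing: nothing to mirror
        }
        // name, value, expire, path, domain, secure, httpOnly, raw, sameSite
        $event->getResponse()->headers->setCookie(Cookie::create(
            self::COOKIE, $payload[self::CLAIM], 0, '/', null, true, false, false, Cookie::SAMESITE_STRICT
        ));
    }

    // 3. On a state-changing request: the echoed header must equal the claim of
    //    the already signature-verified JWT payload. Constant-time comparison.
    public static function requestIsCsrfSafe(Request $request, array $payload): bool
    {
        if ($request->isMethodSafe()) {
            return true; // GET/HEAD/OPTIONS do not change state
        }
        $claim = $payload[self::CLAIM] ?? '';
        return $claim !== '' && hash_equals($claim, (string) $request->headers->get(self::HEADER, ''));
    }
}
```

Because the CSRF value lives in the signed JWT and only a copy sits in the cookie, the server keeps no per-session state, which is the property the double-submit pattern is after.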