Closed ilyavlasoff closed 3 years ago
I am not aware of the consequences. Just remove the line `$this->password = null;` from the method `User::eraseCredentials` and it works.
I had the same problem. ;)
I was debugging the same issue when using the refresh token Doctrine entity with MySQL. As of Symfony 7, when the AuthenticatorManager (`vendor/symfony/security-http/Authentication/AuthenticatorManager.php:204`) erases user credentials (default behavior), the user entity is marked as modified in the Doctrine UnitOfWork.
Later, when the refresh token is persisted, `flush()` is also called:
```php
public function save(RefreshTokenInterface $refreshToken, $andFlush = true)
{
    $this->objectManager->persist($refreshToken);
    if ($andFlush) {
        $this->objectManager->flush();
    }
}
```
`flush()` checks for all entity updates in the UOW, so the modified user entity (with a NULL password) is also persisted.

> I am not aware of the consequences. Just remove the line `$this->password = null;` from the method `User::eraseCredentials` and it works.
We can also add a parameter to `services.yaml`:

```yaml
parameters:
    ...
    security.authentication.manager.erase_credentials: false
```

so `User::eraseCredentials` will not be called.
However, this is not the best way to go IMHO. Keeping sensitive data in the user object after authentication is complete exposes it to the rest of the request cycle code, and the user password may leak into a response, e.g. if there is an error later on.
As far as I see, all this stuff happens in package code. We know that the user entity should never change when a refresh token is generated and persisted.
Can we do something to detach the user from the UOW right before flushing the refresh token update? What side effects might it cause?
Another option might be to refresh (`\Doctrine\ORM\EntityManager::refresh`) the user before we persist the refresh token, so it is excluded from the flush flow.
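For comparison, here is an added example (not code from the bundle or from anyone in this thread) of a Symfony user entity whose `eraseCredentials()` only clears a transient, unmapped plain-text password, so the persisted hash column is never touched and Doctrine's UnitOfWork computes no change set for the user when the refresh token is flushed. It assumes Doctrine ORM attribute mapping and the Symfony `UserInterface`/`PasswordAuthenticatedUserInterface` contracts; the `plainPassword` field is a conventional name, not something the issue defines.

```php
<?php
// Added example: User entity that keeps the password hash intact on eraseCredentials().
// Assumes Doctrine ORM attribute mapping and Symfony security interfaces.
declare(strict_types=1);

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
use Symfony\Component\Security\Core\User\UserInterface;

#[ORM\Entity]
class User implements UserInterface, PasswordAuthenticatedUserInterface
{
    #[ORM\Id, ORM\GeneratedValue, ORM\Column]
    private ?int $id = null;

    #[ORM\Column(length: 180, unique: true)]
    private string $email;

    /** Persisted password hash. Must survive eraseCredentials(). */
    #[ORM\Column]
    private string $password;

    /** NOT mapped: only holds the submitted plain password until it is hashed. */
    private ?string $plainPassword = null;

    #[ORM\Column]
    private array $roles = [];

    public function getUserIdentifier(): string { return $this->email; }
    public function getRoles(): array { return array_unique([...$this->roles, 'ROLE_USER']); }
    public function getPassword(): string { return $this->password; }
    public function setPassword(string $hash): void { $this->password = $hash; }
    public function getPlainPassword(): ?string { return $this->plainPassword; }
    public function setPlainPassword(?string $plain): void { $this->plainPassword = $plain; }

    // The bug in the issue: `$this->password = null;` here changes a mapped column,
    // so the UnitOfWork schedules an UPDATE and the refresh-token flush() writes NULL.
    public function eraseCredentials(): void
    {
        // Clear only the unmapped field; Doctrine sees no change on the entity.
        $this->plainPassword = null;
    }
}
```

With this shape, `security.authentication.manager.erase_credentials` can stay at its default and the refresh-token `save()` no longer carries a dirty user entity into `flush()`.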
Hi! I'm using MongoDB as the database for storing Users and I've faced a problem while using JWTRefreshTokenBundle. When a new account is created and the API client tries to get a JWT token and refresh token using its credentials, the password field in the database becomes null. When I use LexikJWTAuthenticationBundle without JWTRefreshTokenBundle the problem does not appear.
Here is an example:
After calling `/api/v1/reg` a new document is created in the database, and the client successfully receives a JWT and refresh token.
While calling `/api/v1/auth`, it seems that everything is fine: the client receives the generated JWT and refresh token, but after this the password field in this user document becomes null.

Request `/api/v1/auth`:

```json
{ "username": "test@test.com", "password": "test_password" }
```

Response:

```json
{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE2MTY2MDcxMzcsImV4cCI6MTYxNjYxMDczNywicm9sZXMiOlsiUk9MRV9JREVOVElGSUVEIl0sInVzZXJuYW1lIjoidGVzdEB0ZXN0LmNvbSJ9.PW77WTNX9lQz6AK50hKWCibe0CezcvKB2kpg5RAtQncsoUAvNTnJyu2I_Fz_83anqBL7cjEvHvOps2D_HksyV2YR5vo-7hVoMRUHl6xFGcUXYrQInJtygXn8a3S5-2NfGe-Ry6AfdYajszcUghxTLLiz9gKmfpHvN0MWQUlH0d6VQqxC3bp3VOiW7z-JEtI-Dqob6NUe0zwFxum0CCDrEInQ2vsMe6QJvmrNVBaoEts2yPZFVUDKEjER5c6IROP7cbNbEt-8e3G78B1kGUktk-GgBmC9c6zamtuA9lFRGfGai84IIvp2pyRokLXx7ayp8qlCCbvkI77Xl0U-AE8gVA","refresh_token":"7e5d45de0a73f94cefd9e9de4e830e2191269f49f6fb61beda89109f711921202158cd22dcc8fa396155bc739d341101fa86d5373f3124daf74caa4fe6c642ed"}
```

MongoDB:

So the next login attempt fails:

```json
{"code":401,"message":"Invalid credentials."}
```
My configuration:

- `security.yaml`
- `gesdinet_jwt_refresh_token.yaml`
- `debug:config gesdinet_jwt_refresh_token`

User is pretty standard.

- `composer.json`