tuupola / slim-jwt-auth

PSR-7 and PSR-15 JWT Authentication Middleware
https://appelsiini.net/projects/slim-jwt-auth
MIT License
821 stars 140 forks

Strange Behaviour #214

Closed sinuraya closed 2 years ago

sinuraya commented 2 years ago

I already include a path in the ignore rule:

    return new JwtAuthentication([
        "secure" => true,
        "path" => "/",
        "ignore" => [
            "/api/v1.0/notification",
            ...
        ],
    ]);

and then I call it with:

    curl --location --request POST 'https://example.com/api/v1.0/notification' \
    --header 'Timestamp: 2021-08-26T09:40:48.818Z' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "id":"8888001256798654"
    }'

and it works as expected.

But when I call it with:

    curl --location --request POST 'https://example.com/api/v1.0/notification' \
    --header 'Timestamp: 2021-08-26T09:40:48.818Z' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer KTfB234UfOhaaIHOg0AdcM9VgDt3L8LO57' \
    --data-raw '{
        "id":"8888001256798654"
    }'

then I got an error, as if the endpoint was being authenticated.

What I really need is consistent behavior: that the middleware will ignore the Authorization header when the endpoint is in the ignore list.

sinuraya commented 2 years ago

I found that this issue is not valid. I thought it was strange behavior, but I forgot that the request is passing through an API Gateway. Sorry for creating an irrelevant issue. Thank you for the great library.