tuupola / slim-jwt-auth

PSR-7 and PSR-15 JWT Authentication Middleware
https://appelsiini.net/projects/slim-jwt-auth
MIT License

Token passing in URL #25

Open sbernard31 opened 8 years ago

sbernard31 commented 8 years ago

I would like to create a URL which contains the token. So I would like to know if there is a way to do that by passing the token as a query parameter, for example?

tuupola commented 8 years ago

Since a JWT token is basically a password and should be treated as such, it is not the best idea to pass it in the query string. This middleware currently supports only the Bearer header and cookie. That said, if there is interest I can also add support for the query string.

mateuslopes commented 8 years ago

Hi Tuupola! I also think it would be useful to have a way to pass tokens by query string. Not for production use, of course, because of the same reasons you argue above, but for development I think it is kind of useful in some situations. Sometimes I just want to test something in the browser, seeing results in the console or in the navigator itself, not using Postman at all, but just accessing a JWT-protected URL in the browser directly.

Well, to overcome this situation, while slim-jwt-auth still does not support a query string token, I did it like this. In my Slim3 index.php public file, just before instantiating my \Slim\App or even my \Slim\Container, I added these lines of code:

// Read a non-empty "token" query parameter, or false if it is absent.
$token = (isset($_GET['token']) && !empty($_GET['token'])) ? trim($_GET['token']) : false;
if ($token) {
    // Rewrite it into the header that JwtAuthentication reads.
    $_SERVER["HTTP_AUTHORIZATION"] = "Bearer " . $token;
}

Well, the first thing JwtAuthentication looks for is the environment variable HTTP_AUTHORIZATION, so, in this case, the variable will be set correctly.

Note: This should be done before instantiating the App and Container because, once I start my application, $request->getServerParams() does not change anymore. If I try to change $_SERVER["HTTP_AUTHORIZATION"] from inside any middleware, the container, etc., it just ignores that change.

Well, maybe it would be useful to have support for a query string token, but it could also have an option to disable it for production or security purposes. ;)

HD-CMS commented 8 years ago

Hey, another point in favour of allowing the token to be passed via GET is users or companies that use proxy servers that don't support Authorization headers. Compare to the method override for RESTful APIs:

Sometimes this is because of a browser or client limitation, sometimes it's a really tense corporate firewall. They wanted to know what they could do.

tuupola commented 8 years ago

@mateuslopes I just tested, and with the following middleware you can pass the token in the query string. It looks for a GET parameter named token. If it exists, it adds an Authorization: Bearer header based on that token. Note that you need to add this middleware after adding JwtAuthentication or it will not work.

$app = new \Slim\App();

$app->add(new \Slim\Middleware\JwtAuthentication([
    "secret" => "supersecretkeyyoushouldnotcommittogithub"
]));

// Added after JwtAuthentication, so Slim runs it first (middleware is LIFO).
$app->add(function ($request, $response, $next) {
    // Null-coalesce so a missing "token" parameter does not raise a notice.
    $token = $request->getQueryParams()["token"] ?? null;
    if (false === empty($token)) {
        // Copy the query token into the header JwtAuthentication inspects.
        $request = $request->withHeader("Authorization", "Bearer {$token}");
    }
    return $next($request, $response);
});

sinuraya commented 7 years ago

We may need this to authenticate requests from a websocket.

BenBao93 commented 4 years ago

@tuupola Is there a way to adapt the snippet to work with SlimPHP V4? I tried to with the new handler interface but wasn't able to get any request to pass with the token in the query string.
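As an added example (not code from the issue or from the slim-jwt-auth project), here is tuupola's query-string shim rewritten for Slim 4 against the PSR-15 MiddlewareInterface, which is what the "new handler interface" in the question refers to. It assumes slim-jwt-auth 3.x (class Tuupola\Middleware\JwtAuthentication), Slim 4's AppFactory, and two hypothetical environment variables, APP_ENV and JWT_SECRET, used only to gate the shim to development and to keep the secret out of the source, following mateuslopes's suggestion of an option to disable it for production. The "token" parameter name and the Bearer header rewrite are the same as in the Slim 3 snippet above; the middleware additionally leaves an existing Authorization header untouched so the query string can never override a real one.

```php
<?php
// Added example: Slim 4 / PSR-15 port of the query-string token shim.
// Assumed: slim-jwt-auth 3.x, Slim 4, and hypothetical APP_ENV / JWT_SECRET env vars.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Factory\AppFactory;
use Tuupola\Middleware\JwtAuthentication;

final class QueryTokenMiddleware implements MiddlewareInterface
{
    public function __construct(
        private bool $enabled,          // false in production: query tokens are ignored
        private string $param = 'token' // query parameter name, as in the Slim 3 snippet
    ) {
    }

    public function process(
        ServerRequestInterface $request,
        RequestHandlerInterface $handler
    ): ResponseInterface {
        // Only act when enabled and when no real Authorization header is present,
        // so a query parameter can never replace a header the client already sent.
        if ($this->enabled && !$request->hasHeader('Authorization')) {
            $token = trim((string) ($request->getQueryParams()[$this->param] ?? ''));
            if ($token !== '') {
                // Rewrite into the header that JwtAuthentication inspects.
                $request = $request->withHeader('Authorization', 'Bearer ' . $token);
            }
        }
        return $handler->handle($request);
    }
}

$app = AppFactory::create();

$app->add(new JwtAuthentication([
    // Secret taken from the environment (hypothetical JWT_SECRET); the literal fallback
    // is the placeholder used elsewhere in this issue, not a value for real deployments.
    'secret' => getenv('JWT_SECRET') ?: 'supersecretkeyyoushouldnotcommittogithub',
]));

// Added AFTER JwtAuthentication: Slim middleware runs last-added first, so this
// executes before the JWT check, exactly as tuupola noted for Slim 3.
$app->add(new QueryTokenMiddleware(enabled: getenv('APP_ENV') === 'development'));

$app->get('/protected', function (ServerRequestInterface $request, ResponseInterface $response): ResponseInterface {
    $response->getBody()->write('authenticated');
    return $response;
});

$app->run();
```

With APP_ENV=development, GET /protected?token=<jwt> reaches the route; with any other value the query parameter is ignored and only the Bearer header (or cookie) is accepted, so tokens do not end up in access logs, browser history or referer headers in production.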