search

tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License
11.32k stars 1.54k forks source link

Required Claims not being checked #1189

Open williamcolbert opened 7 years ago

williamcolbert commented 7 years ago

I noticed that the expiration checks and required claims were not being enforced. I generated a token that only included the following payload

{
  "sub": 1
}

And then used the following code to retrieve the authenticated user: 

 try {

            if (! $user = JWTAuth::parseToken()->authenticate()) {
                return response()->json(['user_not_found'], 404);
            }

        } catch (TokenExpiredException $e) {

            return response()->json(['token_expired'], $e->getStatusCode());

        } catch (TokenInvalidException $e) {

            return response()->json(['token_invalid'], $e->getStatusCode());

        } catch (JWTException $e) {

            return response()->json(['token_absent'], $e->getStatusCode());

        }

        // the token is valid and we have found the user via the sub claim
        return response()->json(compact('user'));

Expected Result: I expected a token_invalid exception to be thrown, because the payload didn't include the required claims. But I actually get the user's database record

Configuration:

Using: jwt-auth: 1.0.0.beta.3 laravel: 5.4

app.php includes : Tymon\JWTAuth\Providers\LaravelServiceProvider::class,

Route:

Route::group(['prefix' => 'user', 'middleware' => 'jwt.auth'], function(){
        Route::get('/', 'UserController@getUserInfo');
        Route::get('reports', 'UserController@getReports');
 });

Auth Config: 

    /*
    |--------------------------------------------------------------------------
    | Authentication Defaults
    |--------------------------------------------------------------------------
    |
    | This option controls the default authentication "guard" and password
    | reset options for your application. You may change these defaults
    | as required, but they're a perfect start for most applications.
    |
    */

    'defaults' => [
        'guard' => 'api',
        'passwords' => 'users',
    ],

    /*
    |--------------------------------------------------------------------------
    | Authentication Guards
    |--------------------------------------------------------------------------
    |
    | Next, you may define every authentication guard for your application.
    | Of course, a great default configuration has been defined for you
    | here which uses session storage and the Eloquent user provider.
    |
    | All authentication drivers have a user provider. This defines how the
    | users are actually retrieved out of your database or other storage
    | mechanisms used by this application to persist your user's data.
    |
    | Supported: "session", "token"
    |
    */

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'jwt',
            'provider' => 'users',
        ],
    ],

Config jwt.php

  /*
    |--------------------------------------------------------------------------
    | Required Claims
    |--------------------------------------------------------------------------
    |
    | Specify the required claims that must exist in any token.
    | A TokenInvalidException will be thrown if any of these claims are not
    | present in the payload.
    |
    */

    'required_claims' => [
        'iss',
        'iat',
        'exp',
        'nbf',
        'sub',
        'jti',
    ],
lorenzowoodridge commented 7 years ago

I'm having the same issue as well because we wanted to get rid of the nbf claim. We've resulted to editing the source code.

lorenzowoodridge commented 6 years ago

Ran into this issue again (probably our 5th or so time) with another developer on my team and I figured this would have been fixed by now