tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License
11.28k stars 1.54k forks

Refresh middleware #1584

Open davidoskay opened 6 years ago

davidoskay commented 6 years ago

Subject of the issue

I'm using middleware('auth:api', ['except' => ['login']]) in the constructor as provided in the jwt wiki. As I understand JWT, I should be able to refresh a token without having a valid token, but the token should be valid only for refresh (because the refresh TTL is longer than the normal token TTL). But if I use this middleware I can't refresh the token after the normal TTL passes, because it says 'Unauthorized' even though the refresh TTL hasn't passed.

Shouldn't the middleware be set to except ['refresh'] too?

Your environment

Q                  A
Bug?               yes
New Feature?       no
Framework          Laravel
Framework version  5.6
Package version    1.0.0
PHP version        7.2

Steps to reproduce

Use middleware('auth:api', ['except' => ['login']]) in AuthController

Expected behaviour

Token refresh without being authorized, just the token check

Actual behaviour

Can't refresh a token without having a valid normal-TTL token

bauersfeld commented 6 years ago

I'm having the same issue. It appears that the config setting for refresh_ttl is not being respected by the refresh method. Any recommendation on how to refresh an expired token that has not exceeded the refresh_ttl setting?

davidoskay commented 6 years ago

@bauersfeld no reply from developers, so for now my solution is as I wrote: $this->middleware('auth:api', ['except' => ['login', 'refresh']]);
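The arrangement described in the comments above, written out as an added example (not code from the issue thread or from the jwt-auth project itself): an AuthController whose constructor excludes both `login` and `refresh` from `auth:api`, so a token that is past `ttl` but still inside `refresh_ttl` reaches `auth()->refresh()` instead of being rejected by the guard first. The `login`/`logout` methods, the guard name `api`, and the JSON response shape are assumptions for illustration; the exception classes and the `refresh()`, `logout()` and `factory()->getTTL()` calls are the package's own.

```php
<?php
// Added example, not from the issue or the jwt-auth project. Assumes the
// guard is named `api` in config/auth.php and that `ttl` (access lifetime,
// minutes) and `refresh_ttl` (refresh window, minutes) are set in config/jwt.php.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenBlacklistedException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;

class AuthController extends Controller
{
    public function __construct()
    {
        // `refresh` must be excluded: Laravel's `auth` middleware asks the
        // guard for a user, the guard treats a token past `ttl` as
        // unauthenticated, and the request gets a 401 before refresh() runs.
        $this->middleware('auth:api', ['except' => ['login', 'refresh']]);
    }

    public function login(Request $request): JsonResponse
    {
        $credentials = $request->only('email', 'password');

        if (! $token = auth('api')->attempt($credentials)) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        return $this->respondWithToken($token);
    }

    // Exchange a token that may be past `ttl` but still inside `refresh_ttl`
    // for a fresh one. With the blacklist enabled (the default) the old token
    // is blacklisted as part of the refresh, subject to `blacklist_grace_period`.
    public function refresh(): JsonResponse
    {
        try {
            return $this->respondWithToken(auth('api')->refresh());
        } catch (TokenBlacklistedException $e) {
            // Already refreshed or logged out: a replayed refresh is worth
            // logging server-side, not a reason to issue a new token.
            return response()->json(['error' => 'Token has been invalidated'], 401);
        } catch (TokenExpiredException $e) {
            // In the refresh flow this means `refresh_ttl` has also elapsed;
            // the client has to log in again.
            return response()->json(['error' => 'Token can no longer be refreshed'], 401);
        } catch (JWTException $e) {
            // Missing, malformed or badly signed token. Do not echo
            // $e->getMessage() to the client; log it instead.
            return response()->json(['error' => 'Token is invalid'], 401);
        }
    }

    public function logout(): JsonResponse
    {
        auth('api')->logout(); // blacklists the current token
        return response()->json(['message' => 'Logged out']);
    }

    protected function respondWithToken(string $token): JsonResponse
    {
        return response()->json([
            'access_token' => $token,
            'token_type'   => 'bearer',
            'expires_in'   => auth('api')->factory()->getTTL() * 60,
        ]);
    }
}
```

Excluding `refresh` from `auth:api` does not make the endpoint anonymous: `refresh()` still requires a token it can parse and whose signature verifies, and the refresh window is enforced by the package against the token's issue time. If you would rather refresh transparently, the package also registers a `jwt.refresh` middleware alias (`Tymon\JWTAuth\Http\Middleware\RefreshToken`) that refreshes the presented token and returns the new one in the response's Authorization header, which keeps a separate refresh route out of the picture.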

ifreesec commented 6 years ago

Don't use any middleware. I just use the following controller:

<?php

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenBlacklistedException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;

// Stand-alone refresh endpoint with no auth middleware, so the guard does
// not reject an expired token before auth()->refresh() gets to see it.
class RefreshController extends Controller
{
    public function refresh()
    {
        try {
            // Returns the new token; throws if the old one cannot be refreshed.
            return auth()->refresh();
        } catch (TokenExpiredException $e) {
            // In the refresh flow this means refresh_ttl has been exceeded too.
            return response()->json(['error' => $e->getMessage()], 401);
        } catch (TokenBlacklistedException $e) {
            // Token was already refreshed or logged out.
            return response()->json(['error' => $e->getMessage()], 401);
        } catch (JWTException $e) {
            // Missing, malformed or badly signed token.
            return response()->json(['error' => $e->getMessage()], 401);
        } catch (\Exception $e) {
            // Anything else is a server-side problem; don't leak its message.
            return response()->json(['error' => 'Could not refresh token'], 500);
        }
    }
}

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.