tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

auth()->id() returns the value of the JWT 'sub' attribute, rather than User model's $primaryKey #1802

Open rel0aded opened 5 years ago

rel0aded commented 5 years ago

Subject of the issue

When using the JWTAuth guard, auth()->id() (which is used by various packages, such as wildside\userstamps when setting the created_by field in https://github.com/WildSideUK/Laravel-Userstamps/blob/master/src/Listeners/Creating.php) returns the value set in the 'sub' attribute of the JWT rather than the model's primaryKey.

This breaks using an incremental 'id' value as the server-side primary key, cross-referenced as the foreign key on other tables, but also using a public facing UUID value in the JWT.

Your environment

| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 5.8.11 |
| Package version | 1.0.0-rc.4.1 |
| PHP version | 7.2.10 |

Steps to reproduce

Create a model with both id and uuid attributes. Keep protected $primaryKey = 'id';

Add three methods to the User model:

/**
  * Get the identifier that will be stored in the subject claim of the JWT.
  *
  * @return mixed
  */
public function getJWTIdentifier()
{
    return $this->uuid;
}

/**
  * The key name to use as the JWT's subject
  * 
  * @return string
  */
public function getAuthIdentifierName()
{
    return 'uuid';
}

/**
  * Return a key value array, containing any custom claims to be added to the JWT.
  *
  * @return array
  */
public function getJWTCustomClaims()
{
    return [
    ];
}

Issue a valid JWT token for the user, and execute the following closure:

Route::get('/test', function () {
    \JWTAuth::parseToken()->authenticate();
    dd(auth()->id());
});

Behaviour

I'd expect auth()->id() to be 1 (the primaryKey of User); instead I get the UUID of the user back.

dd(auth()->id()); "00000000-0000-0000-0000-000000000000"

dd(Auth::id()); "00000000-0000-0000-0000-000000000000"

dd(Auth::user()->id); 1

dd(Auth::user()->getKey()); 1

rel0aded commented 5 years ago

This may be a bug in Wildside\Userstamps instead, if it's decided that auth()->id() is working as intended here.

I have temporarily resolved this in my code by overriding each model's registerListeners() method, and using my own Listener methods to return auth()->user()->id instead.

I still think this is a bug in jwt-auth though; I can see other libraries using the same call, presuming it to be the model's primaryKey. However, I am happy to raise a bug report there instead, once I have a definite answer that this is intended behaviour.
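
An added example, not part of the original thread or of jwt-auth's code: a framework-free PHP model of why a guard's id() follows getAuthIdentifierName() rather than $primaryKey, and of a userstamp-style helper that reads the model key instead. User, Guard and createdBy() are simplified stand-ins; the one behaviour carried over from Laravel is that the Authenticatable trait's getAuthIdentifier() reads the attribute named by getAuthIdentifierName(), and the guard's id() returns that value.

```php
<?php
// Simplified stand-ins for illustration; not Laravel or jwt-auth source.
class User
{
    protected $primaryKey = 'id';
    public $id;
    public $uuid;

    public function __construct(int $id, string $uuid)
    {
        $this->id = $id;
        $this->uuid = $uuid;
    }

    // Internal key, used for foreign keys on other tables.
    public function getKey() { return $this->{$this->primaryKey}; }

    // Override from the report: the auth identifier column is the public UUID.
    public function getAuthIdentifierName(): string { return 'uuid'; }

    // Same shape as Laravel's Authenticatable trait.
    public function getAuthIdentifier() { return $this->{$this->getAuthIdentifierName()}; }
}

class Guard
{
    private $users;
    private $user = null;

    public function __construct(array $users) { $this->users = $users; }

    // Resolve the user from the 'sub' claim by matching the auth identifier.
    public function authenticate(array $claims): ?User
    {
        $this->user = null;
        foreach ($this->users as $candidate) {
            if ($candidate->getAuthIdentifier() === ($claims['sub'] ?? null)) {
                $this->user = $candidate;
            }
        }
        return $this->user;
    }

    public function user(): ?User { return $this->user; }

    // id() is the auth identifier, which is only the primary key by default.
    public function id() { return $this->user ? $this->user->getAuthIdentifier() : null; }
}

// Hypothetical userstamp helper: take the model key, never the public identifier.
function createdBy(Guard $guard) { $u = $guard->user(); return $u ? $u->getKey() : null; }

// Constructed sample data matching the values shown in the report.
$guard = new Guard([new User(1, '00000000-0000-0000-0000-000000000000')]);
$guard->authenticate(['sub' => '00000000-0000-0000-0000-000000000000']);
var_dump($guard->id(), createdBy($guard));
```

Code that writes foreign keys or makes ownership checks from id() silently switches to the public identifier once getAuthIdentifierName() is overridden, so such code is safer reading the model key explicitly.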

adiletmaks commented 5 years ago

I have no problems. I use Laravel Framework 5.8.35

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.