Since Doctrine Common 3.0, Common was split into smaller packages.

Actually in RefreshTokenManager you inject Doctrine\Common\Persistence\ObjectManager in constructor.

Since Doctrine Common 3.0, Doctrine\Common\Persistence\ObjectManager became Doctrine\Persistence\ObjectManager.

Hi @markitosgv

I created support for refresh token in cookie. Cookie is also automatically extracted. Cookie is by default httpOnly, thus cannot be read by JS and it's safe against XSS attack.

Hello, I'm new in symfony and and try to set HWTRefreshTokenBundle with JTW Lexik. In jwt I have own Entity

namespace SharedBundle\Security;

final class User implements \Lexik\Bundle\JWTAuthenticationBundle\Security\User\JWTUserInterface
{
    private $username;
    private $roles;
    private $name;
    
    public function __construct($username, array $roles, $email, $name)
    {
        $this->username = $username;
        $this->roles = $roles;
        $this->email = $email;
        $this->name = $name;
    }
    
    public static function createFromPayload($username, array $payload)
    {
        return new self(
            $username,
            $payload['roles'], // Added by default
            $payload['email'],  // Custom
            $payload['name']
        );
    }

 /**
     * {@inheritdoc}
     */
    public function getUsername()
    {
        return $this->username;
    }
    /**
     * {@inheritdoc}
     */
    public function getName()
    {
        return $this->name;
    }
    /**
     * {@inheritdoc}
     */
    public function getRoles()
    {
        return $this->roles;
    }
 ...

In listener I add custom data:

public function onJWTCreated(JWTCreatedEvent $event) {
    $request = $this->requestStack->getCurrentRequest();

    $payload = $event->getData();
    $user = $event->getUser();
    
    $payload['name'] = $user->getName();
    $payload['email'] = $user->getEmail();
    $payload['ip'] = $request->getClientIp();

    $event->setData($payload);
  }

But when I try to refresh token I get error:

[Mon May 29 22:07:36 2017] 127.0.0.1:56078 [200]: /api/token/refresh
[Mon May 29 22:13:52 2017] PHP Fatal error:  Call to undefined method Symfony\Component\Security\Core\User\User::getName() in .../application/be/src/SharedBundle/EventListener/JWTCreatedListener.php on line 33
Segmentation fault

When I throw email and name from payload token is created but without this data, and return only default role ROLE_USER without ROLE_ADMIN.

I'tried to use refresh_token_entity: SharedBundle\Security\User but without result :/ How can I implemet additional fields in payload?

I get refresh token but when I call jwt refresh path response is 500 (Class gesdinet.jwtrefreshtoken does not exist. (500 Internal Server Error)) composer.json

`"require"` : {
		"php" : ">=7.1",
		"symfony/symfony" : "3.4.*",
		"doctrine/orm" : "^2.5",
		"doctrine/doctrine-bundle" : "^1.6",
		"doctrine/doctrine-cache-bundle" : "^1.3",
		....
                "lexik/jwt-authentication-bundle": "^2.4",
		"gesdinet/jwt-refresh-token-bundle": "^0.5.2"
	},`

the configuration is identical to the documentation, anyone can help?

Hello there! 👋

I've been testing the "cookie" option of this bundle, lately. This is awesome and it works great! 🎉 It avoids having to store the token on the client side and expose it to creepy people.

However, I notice 2 usability issues with this:

1. When the user logs out from the SPA, client just destroys the access token and the user gets redirected to the login page. Fine. problem is, since client has not access to the refreshToken anymore, it can no longer destroy it. This means that next call to the refresh token route will log the user in, even if they wanted to logout, because the cookie is still here 😓

2. Since the refreshToken is no longer the client's business, 2 different users can't be logged in within the same browser. I usually have an "admin" tab and a "customer" tab. Since both share the same cookie (same API), as soon as I sign in as a customer, I get kicked from the admin tab once this one asks for a new token.

Regarding 1: how about the following flow:

# Refresh current token
POST /api/token/refresh
Cookie: refreshToken=myCurrentRefreshToken

HTTP/2 200 OK
Set-Cookie: refreshToken=someOtherRefreshToken, expires=in one week

# Revoke that token
DELETE /api/token/refresh
Cookie: refreshToken=someOtherRefreshToken

HTTP/2 200 OK
Set-Cookie: refreshToken=, expires=right now

Regarding 2... I have no real idea on how to address this. Thoughts?

When upgrading from Symfony 4.2 to 4.3, the mappings did not work correctly anymore and I got errors like 'Property "refreshToken" does not exist in class "Gesdinet\JWTRefreshTokenBundle\Entity\RefreshToken"'

Downgrading the refresh token bundle to v0.3.3 seems to work fine

It seems doctrine .yml mappings will be deprecated, see: https://github.com/doctrine/DoctrineBundle/issues/776 maybe that's the cause? (the downgraded bundle still uses annotations)

The current implementation to refresh JWT tokens is not safe. When a user presents a refresh token, the only check that occurs is whether the user provider can load the user. If a user is loadable, it is granted a new access token.

But the authenticator should also check if the loaded user is still allowed to access the application. For example, users that implement the AdvancedUserInterface should be checked whether their account is enabled, is not locked and is not expired. Other means of authentication may have other requirements (e.g. for OAuth accounts, check whether the correct permissions are still present).

Currently, this bundle will happily give out new access tokens to users who have been disabled, expired, etc.

I think there should be some way to hook into the authenticator to provide this logic. Or perhaps the authenticator in this bundle should delegate authentication to some other authentication provider.

Currently I am using a compiler pass to overwrite the authenticator provided in this bundle with my own. That's a bit of a hackish solution.

The latest release 1.0 is showing problem in Symfony 6.0 dependency.

gesdinet/jwt-refresh-token-bundle v1.0.0 requires symfony/deprecation-contracts ^2.1 -> found symfony/deprecation-contracts[v2.1.0, ..., v2.5.0] but the package is fixed to v3.0.0 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.

I want refresh the token by token or refresh_token if token is expired.but symfony not has any middleware like laravel.So,if token is expired ,it will dispatch a event named JWTExpiredEvent and return a response from that event.But how to return the old response like /users/me,/articles/create after I refresh_token in JWTExpiredEvent event? Not by send refresh token uri by frontend My code

  public function onJWTExpired(JWTExpiredEvent $event)
    {
        $event->setResponse($this->autoRefreshToken($event, [
            'code' => '50008',
            'message' => self::$errorMessages['error-token']
        ]));
    }
    protected function autoRefreshToken(JWTFailureEventInterface $event, $errorData = [])
    {
        $encoder = new JsonEncoder();
        $errorData['code'] = $errorData['code'] ?? 50002;
        $errorData['message'] = $errorData['message'] ?? 'Bad credentials.';
        /** @var JWTAuthenticationFailureResponse $response */
        $response = $event->getResponse();
        $this->setRefreshTokenFromRequestHeaders($encoder);
        /** @var JWTAuthenticationSuccessResponse|JWTAuthenticationFailureResponse $result */
        $result = $this->RefreshToken->refresh($this->request);

        if ($result instanceof JWTAuthenticationSuccessResponse) {
            // Here I want to return the response of 'users/me'
            // And add the token info by `$result->getContent()` to response header
            // How to do it?
        }
        $response->setData($errorData);
        return $response;
    }

    protected function setRefreshTokenFromRequestHeaders(JsonEncoder $jsonEncoder)
    {
        if ($this->request->headers->has('Refresh-Token')) {
            $RefreshToken = $this->request->headers->get('Refresh-Token');
            if (false !== strpos($this->request->getContentType(), 'json')) {
                $params = !empty($content) ? $jsonEncoder->decode($content,'json') : array();
                $params['refresh_token'] = isset($params['refresh_token']) ? trim($params['refresh_token']) : $RefreshToken;
                $this->request->initialize(
                    $this->request->query->all(),
                    $this->request->request->all(),
                    $this->request->attributes->all(),
                    $this->request->cookies->all(),
                    $this->request->files->all(),
                    $this->request->server->all(),
                    $jsonEncoder->encode($params,'json')
                );
            } else {
                $this->request->attributes->set('refresh_token', $RefreshToken);
            }
        }
    }

How to do it?please Help me,thx!

Is it possible to use a chained user provider? E.g. A couple of default users in memory and some from FosUserBundle ?

Not a huge deal as I can just load those in as fixtures, but I was just curious because the user provider needs to be defined as a service ID it seems.

Hi,

After installing and configuring JWTRefreshTokenBundle successfully, I have this error when I try to do the curl request:

curl -X POST -d refresh_token="xxxx4b54b0076d2fcc5a51a6e60c0fb83b0bc90b47e2c886accb70850795fb311973c9d101fa0111f12eec739db063ec09d7dd79331e3148f5fc6e9cb362xxxx" 'http://xxxx/token/refresh'

The error:

Neither the property "email" nor one of the methods "getEmail()", "email()", "ismail()", "hasEmail()", "__get()" exist and have public access in class "Symfony\\Component\\Security\\Core\\User\\User"

I used FOSUserBundle with LexikJWTAuthenticationBundle. Maybe I have to configure the user provider of this bundle but I didn't find the configuration.

My config:

# app/config/security.yml

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12

    ...

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        in_memory:
            memory:
                users:
                    xxxx: { password: xxxx, roles: 'ROLE_ADMIN' }

    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        default:
            pattern: ^/api/doc
            provider: in_memory
            anonymous: ~
            http_basic:
                realm: "xxxxx"
                provider: in_memory

        authenticate:
            pattern:  ^/v1/authenticate
            stateless: true
            anonymous: true
            form_login:
                check_path:               /v1/authenticate
                success_handler:          lexik_jwt_authentication.handler.authentication_success
                failure_handler:          lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false

        refresh:
            pattern:  ^/v1/token/refresh
            stateless: true
            anonymous: true

        api:
            pattern:   ^/v1
            provider: fos_userbundle
            stateless: true
            anonymous: true
            lexik_jwt: ~

    access_control:
        - { path: ^/api/doc, roles: ROLE_ADMIN }
        - { path: ^v1/token/refresh, roles: IS_AUTHENTICATED_ANONYMOUSLY }

# app/config/routing.yml

NelmioApiDocBundle:
    resource: "@NelmioApiDocBundle/Resources/config/routing.yml"
    prefix:   /api/doc

fos_user:
    resource: "@FOSUserBundle/Resources/config/routing/all.xml"

api_login_check:
    path: /v1/authenticate

gesdinet_jwt_refresh_token:
    path:     /v1/token/refresh
    defaults: { _controller: gesdinet.jwtrefreshtoken:refresh }

home:
    prefix:   /
    resource: AppBundle\Controller\HomeController
...

See https://github.com/markitosgv/JWTRefreshTokenBundle/pull/347/files/dd75327f8d93d178fa32cbaac929c90a84548ab0#r1037883273 for context

The 2.0 proposal includes changing how the logout listener that handles token and cookie invalidation is configured. In the 2.0 branch, the listener is configured based on the authenticator configuration instead of the global bundle configuration, which allows improving multi-firewall compatibility by configuring the listener differently for each firewall. This provides a compatibility layer to start moving that config in a future 1.x release.

Note that there are a couple of functional B/C breaks here:

• The LogoutEventListener is turned into an abstract service definition that is used to configure concrete services, this impacts folks who might be using compiler passes in their own application to tweak this service
• Changes the logout_firewall config node to default to null instead of "api", this is both a bug fix and a B/C break in that with the default config as it was previously you couldn't really turn off the listener without a compiler pass

This also adds tests for the LogoutEventListener class, previously untested.

As noted in https://github.com/php/php-src/issues/9950 there is a behavioral change in PHP 8.2 if you make a call like $dateTime->modify('+-300 seconds') as a result of another bug fix in the date/time handling libraries. As the bundle does not enforce TTLs to be a positive number (and the functional tests abuse this a bit), this is a practical fix to ensure anything passing a negative TTL value doesn't catastrophically break.

See #343 for details

I'm leaving it as split-up commits to make it a little easier to see how everything evolved.

If accepted as is, what I'd personally do is this:

• Merge these PRs:
  • [ ] #328
  • [ ] #344
  • [x] #348
  • [ ] #349
  • [ ] #350
• Cut a 1.2 release
• Merge this
• Cut a 2.0 beta

I have implemented this bundle but I'm getting a 401 - invalid credential error when I submit the refresh token. I log in and get a token as well as a refresh token at the same time. Directly after that I'm trying to POST with the refresh token to www.mywebsite.com/api/token/refresh.

Here is my security.yaml file :

`security: enable_authenticator_manager: true # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords password_hashers: Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto' App\Entity\User: algorithm: auto

# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
providers:
    # used to reload user from session & other features (e.g. switch_user)
    app_user_provider:
        entity:
            class: App\Entity\User
            property: username
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login:
        pattern: ^/api/login
        stateless: true
        json_login:
            check_path: /api/login
            username_path: username
            password_path: password
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
    api:
        pattern: ^/api
        stateless: true
        entry_point: jwt
        jwt: ~
        refresh_jwt:
            check_path: /api/token/refresh
        logout:
            path: api_token_invalidate
    main:
        lazy: true
        provider: app_user_provider

        # activate different ways to authenticate
        # https://symfony.com/doc/current/security.html#the-firewall

        # https://symfony.com/doc/current/security/impersonating_user.html
        # switch_user: true

# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
    - { path: ^/api/docs, roles: IS_AUTHENTICATED_ANONYMOUSLY } # Allows accessing the Swagger UI
    #- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

- { path: ^/api/users, roles: IS_AUTHENTICATED_FULLY }

    # - { path: ^/admin, roles: ROLE_ADMIN }
    # - { path: ^/profile, roles: ROLE_USER }
    - { path: ^/api/login, roles: PUBLIC_ACCESS }
    #- { path: ^/api,       roles: IS_AUTHENTICATED_FULLY } @TODO à décommenter lors de la MEP
    - { path: ^/api/(login|token/refresh), roles: PUBLIC_ACCESS }

when@test: security: password_hashers: # By default, password hashers are resource intensive and take time. This is # important to generate secure password hashes. In tests however, secure hashes # are not important, waste resources and increase test times. The following # reduces the work factor to the lowest possible values. Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: algorithm: auto cost: 4 # Lowest possible value for bcrypt time_cost: 3 # Lowest possible value for argon memory_cost: 10 # Lowest possible value for argon

`

Does anybody has an idea why I'm getting that response ?

By the way the route to invalidate works perfectly.

Hi everyone,

I have problem with Symfony 6.1.0 and ApiPlatform 3.0.0

After installing bundle via composer all my API routes disappeared (only LexikJWT route added by OpenAPI decorator left)

When I remove bundle from bundles.php all endpoints return

Here is my code:

RefreshToken.php

<?php

declare(strict_types=1);

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;
use Gesdinet\JWTRefreshTokenBundle\Entity\RefreshToken as BaseRefreshToken;

#[ORM\Entity]
#[ORM\Table('`refresh_tokens`')]
class RefreshToken extends BaseRefreshToken
{
}

security.yaml

security:
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    enable_authenticator_manager: true
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            stateless: true
            provider: app_user_provider
            entry_point: jwt
            json_login:
                check_path: /authentication_token
                username_path: email
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            jwt: ~
            refresh_jwt:
                check_path: /token/refresh
                provider: app_user_provider

    access_control:
        - { path: ^/authentication_token, roles: PUBLIC_ACCESS }
        - { path: ^/token/refresh, roles: PUBLIC_ACCESS }
        - { path: ^/api$, roles: PUBLIC_ACCESS }
#        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }

Anyone have any solution?