Documentation for 1.* here
For version 0.5.* See the WIKI for documentation.
If you want to easily add secure authentication to Laravel apps, feel free to check out Auth0's SDK and free plan at auth0.com/developers
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
The MIT License (MIT)
I use refresh token middleware
Route::group(['prefix' => env('API_VERSION', 'dev'),'middleware' => ['jwt.refresh','jwt.auth','user.lastseen']], function()
I always get token invalid message (token_invalid)?
thanks:D
Hi all,
I came upon one issue when I try to run php artisan jwt:generate I get the Reflection Exception saying "[ReflectionException] Method Tymon\JWTAuth\Commands\JWTGenerateCommand::handle() does not exist"
Both Facades and service providers are entered properly and they are valid.
Also for people who have a struggle to make it work I can advise one solution. Go to JWTGenerateCommand.php file located in vendor/tymon/src/Commands and paste this part of code public function handle() { $this->fire(); }
I know this is not an elegant solution, but it works. I hope this might help until official fix arrive.
Have a nice day.
Since Lumen does not support session state, incoming requests that we wish to authenticate must be authenticated via a stateless mechanism such as API tokens. This package is really going to be helpful for resolving out the authenticated user from the request through API token. https://lumen.laravel.com/docs/5.2/authentication
Auth::viaRequest('api', function ($request) {
try {
if (! $user = JWTAuth::parseToken()->authenticate()) {
return null;
}
} catch (Exception $e) {
return null;
}
return $user;
});
It would be really helpful if we have another section in the wiki about integrating this package with Lumen. I see that most of the work has already been done ( already there is a LumenServiceProvider ), only that it needs to be upgraded to support v5.2 and documented. Thank you Symon for giving us this wonderful package that we can use with out Laravel and Lumen projects.
Hello.
I've added the following header to all of my requests in Angular:
Authorization: Bearer eyJhbGciOiJI...
and I can see that it's working. On the Laravel side I'm using:
public function __construct()
{
$this->middleware('jwt.auth');
}
No matter what I do I'm getting 400 bad request, token_not_provided. Any idea what might be going on?
Thank you for your work on this package. Matt
The docs indicate it is possible to create your own implementation of Illuminate\Contracts\Auth\Guard and registering it as a driver in a service provider.
I was reading about the new stateless token authentication that was added in 5.2 in a JacobBennett Gist (the docs are really vague), but it doesn't appear to be the same as JWT tokens. That said it would be amazing to be able to leverage Laravel's API the same way.
Would it be possible to create a custom driver to reduce the amount of changes required to implement JWT tokens, and reduce the API a bit so using more of Laravel's API? For example getting a user is Auth::guard('api')->user(); using the API guard, and the equivalent could be Auth::guard('jwt')->user();
Hi
Is there any documentation on how to refresh token after it gets expired ?
Also there is conflict if you use both refresh and blacklist for all protected routes.
Describe your issue here.
| Q | A | ----------------- | --- | Bug? | no | New Feature? | no | Framework | Laravel | Framework version | 5.7 | Package version | 11.0.0-rc.3 | PHP version | 7.x.y
Tell us how to reproduce this issue. After Pushing code to live server and generating jwt key and clearing config cache. I get Argument 3 passed to Lcobucci\JWT\Signer\Hmac::doVerify() must be an instance of Lcobucci\JWT\Signer\Key, null given, error
Tell us what should happen
Tell us what happens instead
Where's the current guide to setting up a recent version of jwt-auth (I'm trying to use 1.0.0-beta.3) with a recent version of Lumen (5.4)?
I've looked through various threads in the issue tracker (such as https://github.com/tymondesigns/jwt-auth/issues/376) and it's really not clear what the best practice is.
"lcobucci/jwt": "3.4.0"
https://github.com/lcobucci/jwt/releases/tag/3.4.0
⚠ This version also triggers E_USER_DEPRECATED errors in scenarios where we can't simply use @deprecated. Please make sure you follow the provided instructions before upgrading your production code.
| Q | A | ----------------- | --- | Bug? | yes | New Feature? | no | Framework | Laravel | Framework version | 8.x.y | Package version | 1.x.y | PHP version | 7.x.y
I install a fresh Laravel 6 project. but when I install tymondesigns/jwt-auth package
composer require tymon/jwt-auth
or
composer require tymon/jwt-auth:dev-develop
but it shows an error
Problem 1
- Installation request for tymon/jwt-auth dev-develop -> satisfiable by tymon/jwt-auth[dev-develop].
- Conclusion: remove laravel/framework v6.0.0
- Conclusion: don't install laravel/framework v6.0.0
- tymon/jwt-auth dev-develop requires illuminate/http ^5.1 -> satisfiable by illuminate/http[5.1.x-dev, 5.2.x-dev, 5.3.x-dev, 5.4.x-dev, 5.5.x-dev, 5.6.x-dev, 5.7.17, 5.7.18,5.7.19, 5.7.x-dev, 5.8.x-dev, v5.1.1, v5.1.13, v5.1.16, v5.1.2, v5.1.20, v5.1.22, v5.1.25, v5.1.28, v5.1.30, v5.1.31, v5.1.41, v5.1.6, v5.1.8, v5.2.0, v5.2.19, v5.2.21, v5.2.24, v5.2.25, v5.2.26, v5.2.27, v5.2.28, v5.2.31, v5.2.32, v5.2.37, v5.2.43, v5.2.45, v5.2.6, v5.2.7, v5.3.0, v5.3.16, v5.3.23, v5.3.4, v5.4.0, v5.4.13, v5.4.17, v5.4.19, v5.4.27, v5.4.36, v5.4.9, v5.5.0, v5.5.16, v5.5.17, v5.5.2, v5.5.28, v5.5.33, v5.5.34, v5.5.35, v5.5.36, v5.5.37, v5.5.39, v5.5.40, v5.5.41, v5.5.43, v5.5.44, v5.6.0, v5.6.1, v5.6.10, v5.6.11,v5.6.12, v5.6.13, v5.6.14, v5.6.15, v5.6.16, v5.6.17, v5.6.19, v5.6.2, v5.6.20, v5.6.21, v5.6.22, v5.6.23, v5.6.24, v5.6.25, v5.6.26, v5.6.27, v5.6.28, v5.6.29, v5.6.3, v5.6.30, v5.6.31, v5.6.32, v5.6.33, v5.6.34, v5.6.35, v5.6.36, v5.6.37, v5.6.38, v5.6.39, v5.6.4, v5.6.5, v5.6.6, v5.6.7, v5.6.8, v5.6.9, v5.7.0, v5.7.1, v5.7.10, v5.7.11, v5.7.15, v5.7.2,v5.7.20, v5.7.21, v5.7.22, v5.7.23, v5.7.26, v5.7.27, v5.7.28, v5.7.3, v5.7.4, v5.7.5, v5.7.6, v5.7.7, v5.7.8, v5.7.9, v5.8.0, v5.8.11, v5.8.12, v5.8.14, v5.8.15, v5.8.17, v5.8.18, v5.8.19, v5.8.2, v5.8.20, v5.8.22, v5.8.24, v5.8.27, v5.8.28, v5.8.29, v5.8.3, v5.8.30, v5.8.31, v5.8.32, v5.8.33, v5.8.34, v5.8.35, v5.8.4, v5.8.8, v5.8.9].
- don't install illuminate/http 5.1.x-dev|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.2.x-dev|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.3.x-dev|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.4.x-dev|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.5.x-dev|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.6.x-dev|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.7.17|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.7.18|don't install laravel/framework v6.0.0
- don't install illuminate/http 5.7.19|don't install laravel/framework v6.0.0
........................
how to resolve this?
Really, need a proper walk-through of installation
| Q | A | ----------------- | --- | Bug? | no / yes | New Feature? | no / yes | Framework | Laravel | Framework version | 5.7 | Package version | 1.0.0-rc.3 | PHP version | 7.1
Had to follow 3 different bug reports to get things working.
I should be able to follow one single version of the truth for the combination I am installing it for.
Had to fiddle around with things for 2 hours to get them to work... 👎
There is a critical vulnerability issue in this package that is used in your package and it needs upgrade
| Framework | Lumen | Framework version | 8 | Package version | 3.4.0 | PHP version | 7.4
I'm using JWT in Laravel 7 It's config file is
<?php
/*
* This file is part of jwt-auth.
*
* (c) Sean Tymon <[email protected]>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
return [
/*
|--------------------------------------------------------------------------
| JWT Authentication Secret
|--------------------------------------------------------------------------
|
| Don't forget to set this in your .env file, as it will be used to sign
| your tokens. A helper command is provided for this:
| `php artisan jwt:secret`
|
| Note: This will be used for Symmetric algorithms only (HMAC),
| since RSA and ECDSA use a private/public key combo (See below).
|
*/
'secret' => env('JWT_SECRET'),
/*
|--------------------------------------------------------------------------
| JWT Authentication Keys
|--------------------------------------------------------------------------
|
| The algorithm you are using, will determine whether your tokens are
| signed with a random string (defined in `JWT_SECRET`) or using the
| following public & private keys.
|
| Symmetric Algorithms:
| HS256, HS384 & HS512 will use `JWT_SECRET`.
|
| Asymmetric Algorithms:
| RS256, RS384 & RS512 / ES256, ES384 & ES512 will use the keys below.
|
*/
'keys' => [
/*
|--------------------------------------------------------------------------
| Public Key
|--------------------------------------------------------------------------
|
| A path or resource to your public key.
|
| E.g. 'file://path/to/public/key'
|
*/
'public' => env('JWT_PUBLIC_KEY'),
/*
|--------------------------------------------------------------------------
| Private Key
|--------------------------------------------------------------------------
|
| A path or resource to your private key.
|
| E.g. 'file://path/to/private/key'
|
*/
'private' => env('JWT_PRIVATE_KEY'),
/*
|--------------------------------------------------------------------------
| Passphrase
|--------------------------------------------------------------------------
|
| The passphrase for your private key. Can be null if none set.
|
*/
'passphrase' => env('JWT_PASSPHRASE'),
],
/*
|--------------------------------------------------------------------------
| JWT time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token will be valid for.
| Defaults to 1 hour.
|
| You can also set this to null, to yield a never expiring token.
| Some people may want this behaviour for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
| Notice: If you set this to null you should remove 'exp' element from 'required_claims' list.
|
*/
//'ttl' => env('JWT_TTL',1440),
'ttl' => env('JWT_TTL',5),
//'ttl' => null,
/*
|--------------------------------------------------------------------------
| Refresh time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token can be refreshed
| within. I.E. The user can refresh their token within a 2 week window of
| the original token being created until they must re-authenticate.
| Defaults to 2 weeks.
|
| You can also set this to null, to yield an infinite refresh time.
| Some may want this instead of never expiring tokens for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/
'refresh_ttl' => env('JWT_REFRESH_TTL', 20160),
//'refresh_ttl' => null,
/*
|--------------------------------------------------------------------------
| JWT hashing algorithm
|--------------------------------------------------------------------------
|
| Specify the hashing algorithm that will be used to sign the token.
|
| See here: https://github.com/namshi/jose/tree/master/src/Namshi/JOSE/Signer/OpenSSL
| for possible values.
|
*/
'algo' => env('JWT_ALGO', 'HS256'),
/*
|--------------------------------------------------------------------------
| Required Claims
|--------------------------------------------------------------------------
|
| Specify the required claims that must exist in any token.
| A TokenInvalidException will be thrown if any of these claims are not
| present in the payload.
|
*/
'required_claims' => [
'iss',
'iat',
'exp',
'nbf',
'sub',
'jti',
],
/*
|--------------------------------------------------------------------------
| Persistent Claims
|--------------------------------------------------------------------------
|
| Specify the claim keys to be persisted when refreshing a token.
| `sub` and `iat` will automatically be persisted, in
| addition to the these claims.
|
| Note: If a claim does not exist then it will be ignored.
|
*/
'persistent_claims' => [
// 'foo',
// 'bar',
],
/*
|--------------------------------------------------------------------------
| Lock Subject
|--------------------------------------------------------------------------
|
| This will determine whether a `prv` claim is automatically added to
| the token. The purpose of this is to ensure that if you have multiple
| authentication models e.g. `App\User` & `App\OtherPerson`, then we
| should prevent one authentication request from impersonating another,
| if 2 tokens happen to have the same id across the 2 different models.
|
| Under specific circumstances, you may want to disable this behaviour
| e.g. if you only have one authentication model, then you would save
| a little on token size.
|
*/
'lock_subject' => true,
/*
|--------------------------------------------------------------------------
| Leeway
|--------------------------------------------------------------------------
|
| This property gives the jwt timestamp claims some "leeway".
| Meaning that if you have any unavoidable slight clock skew on
| any of your servers then this will afford you some level of cushioning.
|
| This applies to the claims `iat`, `nbf` and `exp`.
|
| Specify in seconds - only if you know you need it.
|
*/
'leeway' => env('JWT_LEEWAY', 0),
/*
|--------------------------------------------------------------------------
| Blacklist Enabled
|--------------------------------------------------------------------------
|
| In order to invalidate tokens, you must have the blacklist enabled.
| If you do not want or need this functionality, then set this to false.
|
*/
'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true),
/*
| -------------------------------------------------------------------------
| Blacklist Grace Period
| -------------------------------------------------------------------------
|
| When multiple concurrent requests are made with the same JWT,
| it is possible that some of them fail, due to token regeneration
| on every request.
|
| Set grace period in seconds to prevent parallel request failure.
|
*/
'blacklist_grace_period' => env('JWT_BLACKLIST_GRACE_PERIOD', 0),
/*
|--------------------------------------------------------------------------
| Cookies encryption
|--------------------------------------------------------------------------
|
| By default Laravel encrypt cookies for security reason.
| If you decide to not decrypt cookies, you will have to configure Laravel
| to not encrypt your cookie token by adding its name into the $except
| array available in the middleware "EncryptCookies" provided by Laravel.
| see https://laravel.com/docs/master/responses#cookies-and-encryption
| for details.
|
| Set it to true if you want to decrypt cookies.
|
*/
'decrypt_cookies' => false,
/*
|--------------------------------------------------------------------------
| Providers
|--------------------------------------------------------------------------
|
| Specify the various providers used throughout the package.
|
*/
'providers' => [
/*
|--------------------------------------------------------------------------
| JWT Provider
|--------------------------------------------------------------------------
|
| Specify the provider that is used to create and decode the tokens.
|
*/
'jwt' => Tymon\JWTAuth\Providers\JWT\Lcobucci::class,
/*
|--------------------------------------------------------------------------
| Authentication Provider
|--------------------------------------------------------------------------
|
| Specify the provider that is used to authenticate users.
|
*/
'auth' => Tymon\JWTAuth\Providers\Auth\Illuminate::class,
/*
|--------------------------------------------------------------------------
| Storage Provider
|--------------------------------------------------------------------------
|
| Specify the provider that is used to store tokens in the blacklist.
|
*/
'storage' => Tymon\JWTAuth\Providers\Storage\Illuminate::class,
],
];
Created middleware :
class JwtMiddleware extends BaseMiddleware
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
try {
$user = JWTAuth::parseToken()->authenticate();
} catch (Exception $e) { //ddh($e);
if ($e instanceof \Tymon\JWTAuth\Exceptions\TokenInvalidException){
return response()->json(['error' => 'Token is Invalid'],401);
}else if ($e instanceof \Tymon\JWTAuth\Exceptions\TokenExpiredException){
try
{
$refreshed = JWTAuth::refresh(JWTAuth::getToken());
$user = JWTAuth::setToken($refreshed)->toUser();
$request->headers->set('Authorization','Bearer '.$refreshed);
}catch (JWTException $e){
return response()->json(['error' => 'Token is Invalid'],401);
}
}
else if($e instanceof \Tymon\JWTAuth\Exceptions\TokenBlacklistedException)
{
return response()->json(['error' => 'Token is Invalid'],401);
}
else if($e instanceof \Tymon\JWTAuth\Exceptions\TokenInvalidException)
{
return response()->json(['error' => 'Token is Invalid'],401);
}
else if($e instanceof \Tymon\JWTAuth\Exceptions\JWTException)
{
return response()->json(['error' => 'Token is Invalid'],401);
}
else{
return response()->json(['error' => 'Authorization Token not found'],401);
}
}
return $next($request);
}
In my case if i set 'ttl' => env('JWT_TTL',5), to 5 then my token is blacklisted and i'm getting
Tymon\JWTAuth\Exceptions\TokenBlacklistedException: The token has been blacklisted in file
and it is not refreshed
Blacklisted token @ line 4 : if Blacklisted token @ line 6 : if
Style checker detected errors
this is my code i dont understand what is wrong
k, n = map(int, input().split()) f1 = n // k f2 = 0 if f1 == (n / k): f2 = k if f1 != (n / k): f1 = n // k + 1 f2 = n - k * (f1 - 1) print(f1, f2)
I'm trying to create a custom token using Tymon-JWT with a different algorithm than the one defined in the config file (jwt.php).
public function generateCustomToken($data) {
$claims = [...] // standard claims in a JWT token
// set the algorithm
JWTAuth::getJWTProvider()->setAlgo('RS256');
// custom signer as well
JWTAuth::getJWTProvider()->setSecret($data["signer"]);
// if I log it here the correct algorithm is displayed
Log::info(JWTAuth::getJWTProvider()->getAlgo()); == 'RS256'
$claims = new Collection($requiredClaims);
$payload = new Payload($claims, new PayloadValidator());
$tkn = JWTAuth::encode($payload);
return $tkn->get();
}
So I change the algorithm and log it and it shows my value but when I decode the token the header "alg" displays the algorithm set in the config file.
Does this mean that it is not using RS256 to encode the token? How do I go about changing that algo value?
| Q | A | ----------------- | --- | Bug? |yes | New Feature? | no | Framework | Laravel | Framework version | 5.8 | Package version | 1.0.2 | PHP version |7.3.3
Use the code above
setting JWTAuth::getJWTProvider()->setAlgo('RS256'); should also change the header "alg" to reflect the algorithm used
The algorithm set in the config file is displayed as the value rather than the custom one I set at runtime
Hi, We have version 1.0.2 and we have updated to php 8.1 We are getting problems with the Payload::offsetExists($key) method As we have seen in later versions of the library, this error is solved. We would like to know when they will have a definitive version in which the problem is solved.
Greetings and thank you.
nbf claim to be in the future (b860a4ca219d6d76374445cffd9836b1bd1db9a6)jwt:secret command to 64 characters (f72b8eb0deff2c002d40a8b0411a546c28ebec98)JWTProvider (#1505)JWTGuard is now macroable (#1604)JWTAuth also respects the lock_subject config (#1545)
👍 Huge thank you to everyone who contributed to this release!
ℹ️ The next release will be 1.0.0 and I will be stepping up activity on this repo very soon. Thanks for bearing with me 🙏
lock_subject, allowing the removal of the prv claim, if you don't have multiple guards (7c1d58e294b255c4afa31c121b11b947e8699cbe)leeway to help with clock skew (#1453)namshi/jose has been abandoned (#1453)jwt:secret commandauth()->getToken() now returns null instead of false if the token is not present.👍 Huge thank you to everyone who contributed to this release!
Source code(tar.gz)jwt:secret command not returning when it should (5b4785e45671a45fdb23d3b3df5c9c31681d547c)Full docs will be ready for the final 1.0.0 release
👍 Huge thank you to everyone who contributed to this release!
@lucasmichot @cappuc @crynobone @miscbits @MitchellMcKenna @KennedyTedesco @DanielMcAssey @hughsaffar @nachodd
Source code(tar.gz)namshi/jose dependency to fix issues with phpseclibjti claim is now totally random as per the develop branchTagging an alpha version of the next release.
No documentation just yet (soon) so only use if you know what you're doing :smile:
Will populate here with a quick start soon too
Source code(tar.gz)Doh!... I added the incorrect config paths
Source code(tar.gz)Very small patch release...
Some bug fixes brought over from develop branch.
Some people expressed the need for this patch, so just a quick release whilst 0.6 is still cooking.
nbf, exp & iat claims to inttyp back into the JWT headerNothing major here, just ensuring branches and releases are in-sync.
JWTFactory facadeJWTFactory facadenamshi/jose to address this issuenamshi/jose to address this issueLaravel Authentication Log is a package which tracks your user's authentication information such as login/logout time, IP, Browser, Location, etc. as well as sends out notifications via mail, slack, or sms for new devices and failed logins.
Laravel Podcast is Laravel 5.5 web app that enables you to manage RSS feeds for your favorite podcasts and listen to the episodes in a seamless UI and
Laravel-FCM Introduction Laravel-FCM is an easy to use package working with both Laravel and Lumen for sending push notification with Firebase Cloud M
A Laravel Fractal package for building API responses, giving you the power of Fractal with Laravel's elegancy.
Laravel Package Support for Lumen: Makes Lumen compatible with Laravel Packages. You can use any Laravel Packages in Lumen by installing Larasupport Package.
Lumen generators A collection of generators for Lumen and Laravel 5. Contents Why ? Installation Quick Usage Detailed Usage Model Generator Migration
Description This package adds Cross-Origin Resource Sharing (CORS) support to your Laravel application. The package is based on Framework agnostic (PS
Laravel and Lumen Badge Generator That package is a easy wrapper to Badges/Poser. #Installing composer require vluzrmos/laravel-badge-poser Laravel co
This package provides an advanced filter for Laravel or Lumen model based on incoming requets.
Laravel Auto Hard Deleter This package deletes soft deleted rows automatically after a time interval that you define. For Laravel and Lumen 6, 7, 8 In
The service provider is deprecated - it does not support error grouping. Laravel Lumen service provider for Understand.io You may also be interested i
Cascade delete and restore when using the Laravel or Lumen SoftDeletes feature.
Simple Video is a automated H264 encryption system built on Lumen Laravel Framework
Enable/disable query logger in Laravel/Lumen
Teste dos caras lá pay Avisos antes de começar Crie um repositório no seu GitHub sem citar nada relacionado a empresa dos cara lá. (CHECK) Faça seus c
Lumen Boilerplate/Starter App for Stripe payment processing Core Features return all available subscription plans create a subscription check subscrip
Laravel-pinyin Chinese to Pinyin translator for Laravel5 / Lumen based on overtrue/pinyin. Install composer require "overtrue/laravel-pinyin:~4.0" For
coding.events API Uma API feita apenas para passar o tempo, montando uma API para o site <coding.events>. Sinta-se livre para usar esse código como es
Lumen - Slackin A Slack Invitator made with Lumen Framework and inspired by rauchg/slackin. That application uses some of my awesome packages: Badge P
540 Jan 5, 2023
35 Dec 19, 2022
2 Oct 16, 2022
776 Dec 25, 2022
127 Dec 17, 2022
349 Mar 24, 2022
48 Feb 1, 2020
6 Jun 10, 2020
484 Jan 4, 2023
38 Dec 28, 2022
6 May 30, 2019
669 Nov 30, 2022
4 Oct 5, 2022
5 Nov 2, 2022
24 Nov 7, 2022
3 Jan 3, 2022
504 Nov 10, 2022
3 Oct 9, 2022