aschorr

How can I get the user from the JWT-auth cookie in middleware so they are available to the request?

I'm using JWT-auth (https://github.com/tymondesigns/jwt-auth) for JWT authorization in my Laravel app. I am able to auth a user and return their JWT token, and all works well and good when I make a call to /api/user with an Authorization header such as: Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.eyJp... However I'd like to store this JWT in a cookie and auth the user from the JWT in the cookie. I don't seem able to access any user info, even though I can decode the JWT cookie properly.

My routes look like:

Route::post('/register', 'AuthController@register');
Route::post('/login', 'AuthController@login');

Route::group(['middleware' => 'jwt.xyz'], function () {
    Route::get('/user', 'AuthController@getAuthUser');
});

Auth controller is simply:

public function getAuthUser(Request $request)
{
    return response()->json(auth()->user());
}

Kernel.php

protected $routeMiddleware = [
    'jwt.xyz'  => \App\Http\Middleware\JWTAuthenticate::class,
];

And \App\Http\Middleware\JWTAuthenticate.php:

namespace App\Http\Middleware;

use Closure;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Http\Middleware\BaseMiddleware; // class paths assume jwt-auth 1.x
use Tymon\JWTAuth\Token;

class JWTAuthenticate extends BaseMiddleware
{
    public function handle($request, Closure $next)
    {
        // read the raw JWT from the cookie named in config/constants.php
        $cookie = $request->cookie(\Config::get('constants.cookieName'));
        $token = new Token($cookie);
        $payload = JWTAuth::decode($token);
        \Log::debug($payload['sub']); // correct user ID from DB
        \Auth::loginUsingId($payload['sub']); // fails with "Method [loginUsingId] does not exist" (see below)
        return $next($request);
    }
}

That errors with "message": "Method [loginUsingId] does not exist." I am curious how to auth the user so I can do something like Debug::info(auth()->user()) in the controller for the proper user?

Additionally - I thought all cookies sent to/from the browser were encrypted, as the actual cookie seems to be the same plain text representation of the JWT.

0 likes
6 replies
aschorr

Well yes, but the whole thing is I don't want to get it from the token, I want to get it from the cookie.

Nakov

@aschorr but you can use that middleware and add the token to the cookie, so then you can retrieve it. How can you get it from a cookie if it is not set at all otherwise?

fylzero

@aschorr Since it is saying loginUsingId does not exist, I'm wondering if the auth() helper would make any difference here...

Try this...

auth()->loginUsingId($payload['sub']);

Or reference the full auth facade at the top of your file...

use Illuminate\Support\Facades\Auth;

Or just...

\Illuminate\Support\Facades\Auth::loginUsingId($payload['sub']);
23 likes
aschorr

Hmm, I'm not sure what you mean.

but you can use that middleware and add the token to the cookie

I actually have the token already in the cookie. My JWT is being saved in the cookie property. The issue is that the API auth guards expect the token in the header, NOT in the cookie, where I already have it. The problem is I'm trying to use API middleware guards with traditional web cookies.

I think I found a decent workaround where in a middleware I read the cookie, and simply put it into the header:

if ($request->cookie('cookie_name')) {
    $request->headers->set('Authorization', 'Bearer ' . $request->cookie('cookie_name'));
}

But still susceptible to CSRF vulnerabilities.
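A fuller version of the cookie-to-header workaround above, written here as an added example (it is not code from the thread or from the jwt-auth project). It assumes Laravel 5.x with tymon/jwt-auth, the cookie name from config('constants.cookieName') as in the question, and that jwt-auth's own `jwt.auth` middleware runs after this one to actually verify the token. Because a cookie is sent automatically by the browser, the middleware also refuses state-changing requests that lack a custom header; a cross-site form post cannot add one, which closes the CSRF hole the post mentions (cross-origin XHR with such a header is stopped by CORS preflight unless you allow it).

```php
<?php
// Added example, not from the thread or jwt-auth. Hypothetical class name.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class JwtCookieToHeader
{
    // Methods a cross-site form can trigger; we demand a custom header on these.
    const STATE_CHANGING = ['POST', 'PUT', 'PATCH', 'DELETE'];

    public function handle(Request $request, Closure $next)
    {
        $name = config('constants.cookieName'); // assumed config key, as in the question
        $cookie = $request->cookie($name);

        // Never override a bearer token the client sent explicitly.
        if ($cookie !== null && !$request->headers->has('Authorization')) {
            if (!$this->looksLikeJwt($cookie)) {
                return response()->json(['error' => 'malformed token cookie'], 401);
            }

            // Cookie auth is ambient: require a header a plain HTML form cannot set
            // before letting the cookie authenticate a state-changing request.
            if (in_array($request->getMethod(), self::STATE_CHANGING, true)
                && $request->header('X-Requested-With') !== 'XMLHttpRequest') {
                return response()->json(['error' => 'missing CSRF header'], 403);
            }

            // Hand the token to jwt-auth where its guard already looks for it.
            $request->headers->set('Authorization', 'Bearer ' . $cookie);
        }

        return $next($request);
    }

    // Cheap shape check only (three base64url segments); signature and expiry
    // verification is left to jwt-auth's middleware running after this one.
    private function looksLikeJwt(string $value): bool
    {
        return (bool) preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/', $value);
    }
}
```

Register it in `$routeMiddleware` in Kernel.php and list it before `jwt.auth` in the route group. Set the cookie with the HttpOnly, Secure and SameSite attributes so script cannot read it and it is not attached to most cross-site requests. On the encryption question in the original post: Laravel's `EncryptCookies` middleware is part of the `web` middleware group, not `api`, so a cookie issued or read on an API route stays the plain JWT unless that middleware is applied there too.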

Nakov

@aschorr I meant to add it to the cookie if that's where you need it, but you already have it there. So my main point is you cannot use the default Auth guard by laravel and authenticate the user based on a cookie. You can however create a custom guard and implement your own authentication based on the cookie.
