Fix logout/invalidate bug #158
base: main
Conversation
@@ -108,7 +108,6 @@ public function decode(Token $token, $checkBlacklist = true) | |||
if ( | |||
$checkBlacklist && | |||
$this->blacklistEnabled && | |||
$this->getBlackListExceptionEnabled() && |
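Review bot: dropping `$this->getBlackListExceptionEnabled() &&` from this `&&` chain is the right fix, because with it in place the whole blacklist check was skipped whenever JWT_SHOW_BLACKLIST_EXCEPTION was off, but it leaves `getBlackListExceptionEnabled()` with no caller in `decode()`: remove the method, its JWT_SHOW_BLACKLIST_EXCEPTION config entry and the unit tests that exercise it in the same PR rather than leaving a dead toggle, and add a test asserting that `decode()` on an invalidated token throws `TokenBlacklistedException` with only JWT_BLACKLIST_ENABLED set, so the logout/invalidate regression cannot return silently.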
@Messhias After merging the current pull request, you will not need to enable the JWT_SHOW_BLACKLIST_EXCEPTION env key to use the invalidate/logout methods. Just enable the JWT_BLACKLIST_ENABLED key, which is responsible for catching the blacklisted token.
But that's the thing, the config is there for this to be configurable; in my case, I don't want this exception being thrown all the time just because I'm logging out and invalidating the token.
@Messhias I don't understand why the exception is shown in your logs. If JWT_SHOW_BLACKLIST_EXCEPTION is set to false, the decode function should always return the payload of the token, even if it's blacklisted. My understanding is that this exception is caught in JWT::check() to check if your credentials are valid. If JWT::checkOrFail is used, the exception will not be caught and could be shown in your logs. So probably there is an error in the application?
No error, it's set to false. If you look in the forked repository, this is a very old issue that was left behind: for some reason the configuration sometimes wasn't read from the env file (there wasn't even a test for that).
But if this is giving trouble for end users, don't worry, let's remove it and I can handle this annoying error on my side without issues.
But anyway the PR still needs changes, because it'll be necessary to remove the unit tests too, otherwise it will keep breaking the CI.
What's the decision about this subject?
Hi! I have the same problems... when will this fix be merged?
I'm waiting for @eschricker's and @mfn's decision about this subject; my vote is: let's wait for the principal maintainers to give their opinion.
Wouldn't it be easier to set the default value of
For me sounds good.
I abstain from specific
Merely remove

public function decode(Token $token, $checkBlacklist = true)
{
    $payloadArray = $this->provider->decode($token->get());
    $payload = $this->payloadFactory
        ->setRefreshFlow($this->refreshFlow)
        ->customClaims($payloadArray)
        ->make();

    // The blacklist check depends only on JWT_BLACKLIST_ENABLED ...
    if (
        $checkBlacklist &&
        $this->blacklistEnabled &&
        $this->blacklist->has($payload)
    ) {
        // ... like this: the "show exception" flag only decides how to react
        if ($this->getBlackListExceptionEnabled()) {
            throw new TokenBlacklistedException('The token has been blacklisted');
        }

        return $something; // return something different or do something
    }

    return $payload;
}
I will create a separate PR which changes the default value. @Messhias it would be great if you could enable the blacklisting exception and investigate where the exception is thrown. Maybe you call
@eschricker the #180 seems to solve this issue as well, should we close this MR? Or merge it?
@Messhias As I said, it would be great if you would double check your system to see why this exception is thrown. If it is a usage error, then we can use the PR to remove the functionality. If the functionality is needed within the library we can close this PR. Therefore I would keep the PR open till you give feedback about your investigation.
We can merge it without issues, I can handle it here on my side.
Before we merge this, I think more things need to be changed: this is the only place where this is used, so we can remove all the code that affects the Show Blacklist Exception function.
Like unit tests for example?
Yes, and stuff like the entry in the config file.
@Gemui can you take a look at this, please?
If no one takes a look at this for us I'll close this PR in my next round.
Description
Fix logout/invalidate bug #157 - #84
The token has been added to the blacklist, but the problem is with the decode method. It calls the getBlackListExceptionEnabled method, which should not be in the first level of the blacklist check. After removing this method I can now use logout and invalidate successfully.
The correct use of the env key JWT_BLACKLIST_ENABLED is to save to the blacklist, and also to check whether the incoming token is in the blacklist or not.
Also, the description of JWT_SHOW_BLACKLIST_EXCEPTION means it is responsible only for putting the exception in the Laravel logs, not for validating whether the token is blacklisted or not. So that env key should not be part of the blacklist check.
Checklist:
CHANGELOG.md