Find user by a combination of parameters or validate token in a different way (possible security issue) about laravel-jwt HOT 4 CLOSED

Won't Fix

Ok, I've read your issue again, and here is why I've taken the decision to wont-fix the reported problem:

1. The retrieval of a given user is not the scope of this library.

Retrieving users based on their unique identifiers is a scope of Illuminate\Contracts\Auth\UserProvider

If you are using the default UserProvider, that one is Illuminate\Auth\EloquentUserProvider and here is a snippet of the exact method that does that:

    /**
     * Retrieve a user by their unique identifier.
     */
    public function retrieveById($identifier)
    {
        $model = $this->createModel();

        return $model->newQuery()
            ->where($model->getAuthIdentifierName(), $identifier)
            ->first();
    }

As you can notice here, it's a single where condition performed against the User model.

As you can also notice, the database table field is determined by the getAuthIdentifierName() method, which is provided in any model implementing the Illuminate\Contracts\Auth\Authenticatable interface.

So, you have some options here:

1.1. Replace the ID identifier.

Instead of using the id field, you may use the email field, by overriding the getAuthIdentifier() directly on your User model.

1.2. Extend the User Provider.

Following the Laravel documentation, you may be able to register your own resolver. The documentation can be found at this link: authentication#adding-custom-user-providers

2. Application specific design decision.

The decision to distribute the user's information was application based. In most cases I've seen, the user's database is centralized alongside the tenants' table.

It's not fair that I include possible breaking changes into a too specific use case.

By this reason, I'm ruling out this as a security breach on the library, since the use-case is not recommended or common.

Thank you, you may contact me at Telegram if you need help implementing the custom logic. It will be a pleasure to help you out.

For now, I'm closing this issue.

from laravel-jwt.

ping @hernandev

from laravel-jwt.

Makes sense to me, let me check on this right now, and get back here.

from laravel-jwt.

I understand. Will try the options you suggested. Thanks!

from laravel-jwt.