Comments (22)

tymondesigns avatar tymondesigns commented on May 7, 2024 7

You can now invalidate tokens using the invalidate() method. E.g.

JWTAuth::setToken('too.bar.baz')->invalidate();

This will add the token to a Laravel cache-driven blacklist until it has expired, at which point it will be purged automatically.

I'm almost done with the new docs writeup.. So watch out for that.

from jwt-auth.

tymondesigns avatar tymondesigns commented on May 7, 2024

If you're referring to invalidating the token, then this is coming as part of the 0.4 release I am currently working on over on the develop branch.

I intend to provide the ability to refresh expired tokens and invalidate tokens by adding them to a redis driven blacklist.

Thanks!

from jwt-auth.

MaicolBen avatar MaicolBen commented on May 7, 2024

Great!

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Any news on this? How would you invalidate tokens right now? Like on a logout, you want to remove the token for example. Are the tokens stored anyway btw?

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Oh ok. invalidate doesn't seem to work. Is there a new version? So, the tokens are stored in a Laravel cache somehow? I was trying to find out where they are stored but no success so far.

from jwt-auth.

tymondesigns avatar tymondesigns commented on May 7, 2024

I am referring to versions 0.4 (for Laravel 4) and 0.5 (for Laravel 5).

Out of the box, the default storage provider for blacklisted tokens uses Laravel's cache system - see here.
But any key/value store will do. You can simply point the config option to your new class that implements the StorageInterface.

Hope that helps :)

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Yes, it does. But this is for blacklisted tokens only, or the tokens in general? That would be great to include it in the documentation.

Also, invalidate is still not working. Are you going to release a new version soon, or is it probably me not doing the right thing?

$token = JWTAuth::getToken();
if ($token) {
    JWTAuth::setToken($token)->invalidate();
}

invalidate is not a function.

from jwt-auth.

tymondesigns avatar tymondesigns commented on May 7, 2024

Tokens are only stored in the blacklist, if they have been previously invalidated. I will try to make that clear in the docs.

Could you confirm what version you are using ?

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

version: "tymon/jwt-auth": "0.3.*"
But what about the non-blacklisted tokens, the active ones, where do you store them? Sorry if it is a stupid question.

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Got it.
Thanks! I was just confused about the fact we don't store the token
anywhere. We just check against the token, and verify the credentials by
decoding the token.
Thanks, will upgrade then.

On Fri, Feb 27, 2015 at 8:23 AM, Sean Tymon [email protected]
wrote:

You will need to upgrade to version 0.4 (for Laravel 4) and 0.5 (for
Laravel 5) as I only introduced the token blacklisting in these
versions and the invalidate() method indeed does not exist in 0.3.

I will try and illustrate the flow below

  • Client sends login credentials to jwt api.
  • If credentials are good, then api responds with the jwt (it is not
    stored anywhere, just sent to the client)
  • Client then stores the token in localStorage for example, and uses
    this to make authenticated requests


Reply to this email directly or view it on GitHub
#18 (comment)
.

Jérémy Dagorn
www.jeremydagorn.com

Android apps I developed:
https://play.google.com/store/apps/developer?id=JumyApps

from jwt-auth.

tymondesigns avatar tymondesigns commented on May 7, 2024

You will need to upgrade to version 0.4 (for Laravel 4) and 0.5 (for Laravel 5) as I only introduced the token blacklisting in these versions and the invalidate() method indeed does not exist in 0.3.

I will try and illustrate the flow here

  • Client sends login credentials to jwt api.
  • If credentials are good, then api responds with the jwt (it is not stored anywhere, just sent to the client)
  • Client then stores the token in localStorage for example, and uses this to make further authenticated requests.
  • The api verifies this token and pulls out the user from the subject claim (part of the decoded token) and continues with the request.

from jwt-auth.
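
The flow described in the comment above, together with the earlier point that only invalidated tokens are ever stored, as an added standalone PHP example. It is not tymon/jwt-auth code and does not use its API; the key, the fixed clock value and all function names are constructed for illustration, and the array stands in for the cache-backed blacklist.

```php
<?php
// Added illustration, not tymon/jwt-auth code; key, clock and names are constructed.
const SECRET = 'constructed-demo-key';

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Login: issue a signed token. Nothing is saved on the server.
function issueToken(int $userId, int $ttl, int $now): string {
    $head = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url(json_encode(['sub' => $userId, 'exp' => $now + $ttl,
                                'jti' => bin2hex(random_bytes(8))]));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
}

// Each request: check signature and expiry, then the blacklist of invalidated ids.
function verifyToken(string $token, array $blacklist, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    [$head, $body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
    if (!hash_equals($expected, $sig)) return null;              // altered or forged
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= $now) return null; // expired
    if (isset($blacklist[$claims['jti'] ?? ''])) return null;     // invalidated
    return $claims;
}

// Logout: store only the invalidated token's id, keyed to its own expiry time.
function invalidate(string $token, array &$blacklist, int $now): void {
    $claims = verifyToken($token, $blacklist, $now);
    if ($claims !== null) $blacklist[$claims['jti']] = $claims['exp'];
}

// Once a token has expired it is rejected anyway, so its entry can be purged.
function purgeExpired(array &$blacklist, int $now): void {
    $blacklist = array_filter($blacklist, fn($exp) => $exp > $now);
}

$now = 1700000000;   // constructed clock value
$blacklist = [];     // stands in for the cache / key-value store
$token = issueToken(42, 3600, $now);
var_dump(verifyToken($token, $blacklist, $now)['sub']);   // accepted, never stored
invalidate($token, $blacklist, $now + 10);
var_dump(verifyToken($token, $blacklist, $now + 20));     // rejected: blacklisted
purgeExpired($blacklist, $now + 3601);
var_dump(count($blacklist));                              // blacklist emptied
```

Because the server keeps no record of issued tokens, the blacklist only needs to hold an entry for as long as the invalidated token would otherwise still verify.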

tymondesigns avatar tymondesigns commented on May 7, 2024

Sorry my post got cut off.. accidentally hit return on the comment button and had to remove temporarily

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Just one more thing, upgrading seems to cause some issues. Do you have an
updated readme for migrating to 0.4?

PHP Fatal error: Class 'Tymon\JWTAuth\JWTAuthServiceProvider' not found in
/home/vagrant/pocketderm.dev/PocketDerm/vendor/laravel/framework/src/Illuminate/Foundation/ProviderRepository.php
on line 157

from jwt-auth.

tymondesigns avatar tymondesigns commented on May 7, 2024

I don't have an upgrade guide at the moment, I'm afraid, but I don't think there are many breaking changes.
The new path for the ServiceProvider is

'Tymon\JWTAuth\Providers\JWTAuthServiceProvider'

And the login() method is now authenticate().

Also you will need to republish the package config using the following command:

php artisan config:publish tymon/jwt-auth

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Thanks! It works.

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Hi,

Does this
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
apply for jwt-auth?

Cheers,
Jeremy

from jwt-auth.

tymondesigns avatar tymondesigns commented on May 7, 2024

Hi Jeremy,

Yea it does (good find), since I am using namshi/jose

I will get a patch release out asap

Thanks

from jwt-auth.

jrm2k6 avatar jrm2k6 commented on May 7, 2024

Thanks a lot for answering!
On Apr 2, 2015 12:57 AM, "Sean Tymon" [email protected] wrote:

Hi Jeremy,

Yea it does, since I am using namshi/jose

I will get a patch release out asap

Thanks

from jwt-auth.

mtpultz avatar mtpultz commented on May 7, 2024

When the token is decoded on each request I noticed that the base Auth of Laravel is set with the information so we can keep using Auth::user() etc, but it doesn't appear that Auth::logout() invalidates the token. Would this be a useful feature request that Auth::logout() invalidated the token?

from jwt-auth.

SnehalSatardekar avatar SnehalSatardekar commented on May 7, 2024

I want to invalidate all the tokens assigned to a particular user on re-login.

How can we do it?

from jwt-auth.

tymondesigns avatar tymondesigns commented on May 7, 2024

@mtpultz Not a good idea I'm afraid.

Most of Laravel's auth system assumes session/cookie based authentication. So it wouldn't work.

@SnehalAmbab there is no concept of tokens assigned to a user; meaning they are not stored anywhere. Hence the term stateless authentication.

from jwt-auth.

chiragparekh avatar chiragparekh commented on May 7, 2024

@tymondesigns How do I enable the token blacklist?

I also have another question: how can I refresh a token?

from jwt-auth.
