Avoid setting exp claim from JWTManager #249
Conversation
The lexik-jose-bridge bundle marks the It does not include it as it seems that it is already set in the payload by the JWTManager service.

Is the change itself fine to you?

Yes it is. The payload sent by the JWTManager should contain only the claims related to the user authentication.
cc329c2 to 0d503a6
Update CHANGELOG/UPGRADE
0d503a6 to d50d1cc
@@ -42,6 +42,12 @@ public function getConfigTreeBuilder() | |||
->end() | |||
->scalarNode('token_ttl') | |||
->defaultValue(3600) | |||
->validate() | |||
->ifTrue(function ($ttl) { | |||
return !is_numeric($ttl); |
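Review bot: is_numeric() in this ifTrue closure only rejects non-numeric input, so negative values, zero and floats such as -1, 0 or 0.5 still pass the validation; if token_ttl is meant to be a positive lifetime in whole seconds, extend the predicate (for example `return !is_numeric($ttl) || $ttl <= 0;`) so that a token can never be issued already expired. The ->thenInvalid() message and the ->end() that close the validate() chain are not in the visible hunk, so the error actually reported to the user cannot be reviewed here.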
we should allow null values here as per #117
also why not simply make it an integerNode as I suspect that floats do not really make sense here ..
this check has been moved to runtime in order to allow use of %env()% parameters in #325. The point of using is_numeric() is to support env vars too.
About allowing null, this has been changed accidentally and rediscussed in #250; having tokens with an infinite lifetime is not something we want to support regarding security.
@@ -15,7 +17,7 @@ For a diff between two versions https://github.com/lexik/LexikJWTAuthenticationB | |||
|
|||
* feature [\#218](https://github.com/lexik/LexikJWTAuthenticationBundle/pull/218) Add more flexibility in token extractors configuration ([chalasr](https://github.com/chalasr)) | |||
|
|||
* feature [\#217](https://github.com/lexik/LexikJWTAuthenticationBundle/pull/217) Refactor TokenExtractors loading for easy overriding ([chalasr](https://github.com/chalasr)) | |||
* feature [\#217](https://github.com/lexik/LexikJWTAuthenticationBundle/pull/217) Refactor TokenExtractors loadi ng for easy overriding ([chalasr](https://github.com/chalasr)) |
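Review bot: the only change visible in this CHANGELOG hunk is the whitespace fix in the #217 entry ("loadi ng" to "loading"); no entry describing this PR's own change (the exp claim now set by the encoder instead of JWTManager) appears in the hunk, and since the thread notes a possible impact on lexik_jose_bridge and other custom encoders, an UPGRADE note for that behaviour change is worth adding alongside the typo fix.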
Reverted in #750
The encoder should be responsible for setting the exp claim and all other standard ones. @Spomky this might have an impact on the lexik_jose_bridge, except if you set this claim from the encoder anyway.

ttl in *JWSProvider rather than JWTManager
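As an added illustration of the split discussed in this thread (example code, not LexikJWTAuthenticationBundle's or lexik-jose-bridge's own): the caller's payload carries only user claims, while the encoder validates token_ttl (numeric so an env var string passes, but never null, zero or negative) and stamps iat and exp itself. The function names, the HS256 construction and the sample secret are assumptions for the example.

```php
<?php
// Added example, not the bundle's code: a minimal HS256 encoder that owns the
// exp/iat claims so the manager-side payload contains only user claims.

function base64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Mirrors the token_ttl discussion: numeric (so "3600" from %env()% passes),
// but null and non-positive values are rejected because an unbounded or
// already-expired lifetime is not something we want to issue.
function normalizeTtl($ttl): int
{
    if ($ttl === null || !is_numeric($ttl) || (int) $ttl <= 0) {
        throw new InvalidArgumentException('token_ttl must be a positive number of seconds');
    }
    return (int) $ttl;
}

// Encoder side: standard claims are added here, never by the manager.
// array_merge lets the encoder's exp win over any exp a caller slipped in.
function encodeJwt(array $userClaims, $ttl, string $secret, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = array_merge($userClaims, ['iat' => $now, 'exp' => $now + normalizeTtl($ttl)]);
    $header = ['alg' => 'HS256', 'typ' => 'JWT'];
    $signingInput = base64url(json_encode($header)) . '.' . base64url(json_encode($payload));
    return $signingInput . '.' . base64url(hash_hmac('sha256', $signingInput, $secret, true));
}

// Verifier side: check the signature in constant time first, then enforce exp.
function decodeJwt(string $jwt, string $secret, ?int $now = null): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $expected = base64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $s)) {
        throw new UnexpectedValueException('bad signature');
    }
    $claims = json_decode(base64_decode(strtr($p, '-_', '+/')), true);
    if (!isset($claims['exp']) || ($now ?? time()) >= $claims['exp']) {
        throw new UnexpectedValueException('token expired or missing exp');
    }
    return $claims;
}

// Constructed sample: user claims only, ttl given as an env-var style string.
$token  = encodeJwt(['username' => 'alice', 'roles' => ['ROLE_USER']], '3600', 'example-secret', 1700000000);
$claims = decodeJwt($token, 'example-secret', 1700000100); // exp is 1700003600, still valid
```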