Logout issue with Laravel JWT-auth authentication
Problem description
I'm using jwt-auth to make a RESTful auth resource in my API. When a client app calls the login resource, in case the user is already logged in, the current token must be invalidated and so a new token generated.
But in case the current token is blacklisted, a TokenBlacklistedException is thrown.
How to verify if a token is blacklisted? Or how to correctly implement a user "logout"? I tried to find it in the jwt-auth API source, but there is no getToken()->isBlacklisted() or parseToken()->isBlacklisted() or some validator to implement it.
Whenever a token is invalid, parseToken() throws a TokenBlacklistedException, so an isBlacklisted method would be a good way to verify if a token is valid before invalidating it.
INFO:
The code below verifies if the payload is invalid, and throws the TokenBlacklistedException if it is invalid:
    if (
        // Blacklist::has() is an instance method, so the configured blacklist is
        // resolved from the container instead of being called statically
        false === app('tymon.jwt.blacklist')->has(
            \Tymon\JWTAuth\Facades\JWTAuth::getPayload($token)
        )
    ) {
        \Tymon\JWTAuth\Facades\JWTAuth::parseToken()->invalidate();
    }
How could I verify it like this:
    if (false === \Tymon\JWTAuth\Facades\JWTAuth::parseToken()->isBlacklisted()) {
        // invalidate...
    }
You can simply destroy the session on the client side when they log out and invalidate the token on the backend; you shouldn't need to use the blacklist.
Technically, destroying the token on the client side will be enough, but against session hijacking, invalidating it on the backend is a good idea too.
If you are invalidating, you'll need to destroy the token after you get your response from Laravel.
    JWTAuth::invalidate(JWTAuth::getToken());
Then on the angular side:
    function logout()
    {
        UserService.logout().$promise.then(function() {
            $cookieStore.remove('userToken');
            // redirect or whatever
        });
    }
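As an added example (not code from the question or from the answer above), here is how the two flows discussed so far, re-login and logout, can be written against the jwt-auth 0.5.x facade API so that an already blacklisted token is treated as "already logged out" instead of surfacing as a TokenBlacklistedException. JWTAuth::invalidate() has to decode the token first, and decoding checks the blacklist, so invalidating a revoked token throws; catching that exception is the check the question was looking for. The controller name, route comments and error strings are assumptions; the JWTAuth calls and exception classes are the library's own.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenBlacklistedException;

// Example controller (an assumption, not part of the jwt-auth package)
class AuthController extends Controller
{
    // POST /auth/login (route name assumed)
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        // If the client still presents a token, revoke it first so a re-login
        // never leaves two live tokens for the same client. getToken() returns
        // false when no Authorization: Bearer header / token param is present.
        $old = JWTAuth::getToken();
        if ($old) {
            $this->revoke($old);
        }

        try {
            $token = JWTAuth::attempt($credentials);
            if (! $token) {
                // Wrong credentials: same status as a bad token, no detail leaked
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // Token could not be created (e.g. secret misconfigured)
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        return response()->json(compact('token'));
    }

    // POST /auth/logout (route name assumed)
    public function logout()
    {
        $token = JWTAuth::getToken();
        if (! $token) {
            return response()->json(['error' => 'token_absent'], 400);
        }

        $this->revoke($token);

        // Idempotent: a second logout with the same, now blacklisted, token also
        // ends here with 200, so the client can safely retry the request.
        return response()->json(['message' => 'logged_out']);
    }

    /**
     * Put a token on the blacklist, treating "already blacklisted" as success.
     *
     * TokenBlacklistedException extends JWTException, so it must be caught first;
     * the generic JWTException branch covers expired or malformed tokens, which
     * cannot be used anyway and therefore need no revocation.
     */
    private function revoke($token)
    {
        try {
            JWTAuth::invalidate($token);
        } catch (TokenBlacklistedException $e) {
            // already revoked: nothing to do
        } catch (JWTException $e) {
            // expired / invalid token: nothing usable to revoke
        }
    }
}
```

Two operational caveats apply to this approach: the blacklist only works with `blacklist_enabled` left at true in the jwt-auth config, and it lives in the Laravel cache store jwt-auth is configured to use, so with a per-process or per-server cache driver a token revoked on one node stays valid on the others until it expires. A shared store (Redis, Memcached, database) is what makes backend invalidation meaningful.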
One way you can handle JWT exceptions is to set up an EventServiceProvider in Laravel; here is what mine looks like:
    <?php

    namespace App\Providers;

    use Illuminate\Contracts\Events\Dispatcher as DispatcherContract;
    use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;

    class EventServiceProvider extends ServiceProvider
    {
        /**
         * The event handler mappings for the application.
         *
         * @var array
         */
        protected $listen = [
            'tymon.jwt.valid' => [
                'App\Events\JWTEvents@valid',
            ],
            'tymon.jwt.user_not_found' => [
                'App\Events\JWTEvents@notFound',
            ],
            'tymon.jwt.invalid' => [
                'App\Events\JWTEvents@invalid',
            ],
            'tymon.jwt.expired' => [
                'App\Events\JWTEvents@expired',
            ],
            'tymon.jwt.absent' => [
                'App\Events\JWTEvents@missing',
            ],
        ];

        /**
         * Register any other events for your application.
         *
         * @param  \Illuminate\Contracts\Events\Dispatcher  $events
         * @return void
         */
        public function boot(DispatcherContract $events)
        {
            parent::boot($events);

            //
        }
    }
You'll register that in your app.php.
Then I implement the JWTEvents class with a method for each event.
    <?php

    namespace App\Events;

    class JWTEvents extends Event
    {
        // Other methods

        public function invalid()
        {
            // The response returned from the listener is what the jwt-auth
            // middleware sends back to the client, so no die()/exit is needed.
            return response()->json(['error' => 'Token Invalid'], 401);
        }
    }
The important thing to note is that we are catching the JWT exceptions and returning a JSON response with a specific status code.
On the angular side, I have in my httpInterceptor class catches for these HTTP status codes.
    angular.module('ngApp')
        .factory('httpInterceptor', function($q, $log, $cookieStore, $rootScope, Response) {
            return {
                request: function(config) {
                    // Where you add the token to each request
                    return config; // the interceptor must hand the config back
                },
                responseError: function(response) {
                    // Check if response code is 401 (or whatever)
                    if (response.status === 401) {
                        // Do something to log user out & redirect.
                        $rootScope.$broadcast('invalid.token');
                    }
                    // Keep the promise rejected so the calling code still sees the error
                    return $q.reject(response);
                }
            };
        });
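Added example, not code from the answer above: an alternative to per-event listeners is to map jwt-auth's exceptions to JSON responses in one place, the application's exception handler. The jwt-auth middleware already converts the exceptions it catches into the events listed above, so this handler mainly covers code that calls JWTAuth directly inside controllers (for example a logout action calling JWTAuth::invalidate(), or JWTAuth::parseToken()->authenticate()). The error-code strings are an assumption; the exception classes are the library's (0.5.x namespace Tymon\JWTAuth\Exceptions), and the handler signature is Laravel 5.x's.

```php
<?php

namespace App\Exceptions;

use Exception;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenBlacklistedException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;
use Tymon\JWTAuth\Exceptions\TokenInvalidException;

class Handler extends ExceptionHandler
{
    /**
     * Render an exception into an HTTP response (Laravel 5.x signature).
     */
    public function render($request, Exception $e)
    {
        // Every jwt-auth failure derives from JWTException; handle them all here
        if ($e instanceof JWTException) {
            return $this->jwtErrorResponse($e);
        }

        return parent::render($request, $e);
    }

    /**
     * Turn a jwt-auth exception into a 401 JSON body plus a WWW-Authenticate
     * header as RFC 6750 expects for bearer-token failures.
     *
     * Only the distinction the client can act on is exposed: "token_expired"
     * means a refresh may still succeed, anything else means re-authenticate.
     * The exception message and the token itself are never echoed back.
     */
    private function jwtErrorResponse(JWTException $e)
    {
        if ($e instanceof TokenExpiredException) {
            $code = 'token_expired';            // error codes are assumptions
        } elseif ($e instanceof TokenBlacklistedException
            || $e instanceof TokenInvalidException) {
            // A revoked token is reported exactly like a forged/malformed one,
            // so a caller cannot probe the blacklist through the error text
            $code = 'token_invalid';
        } else {
            // Base JWTException, e.g. "A token is required" from parseToken()
            $code = 'token_absent';
        }

        $challenge = $code === 'token_absent'
            ? 'Bearer'
            : 'Bearer error="invalid_token"';

        return response()->json(['error' => $code], 401)
            ->header('WWW-Authenticate', $challenge);
    }
}
```

With this in place the client interceptor above can key on the 401 status alone, while a client that wants to attempt a refresh can look at the `error` field for `token_expired` before giving up and logging the user out.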