JWT / LARAVEL令牌已过期

时间:2019-02-11 09:18:32

标签: php laravel laravel-5 jwt laravel-5.6

我开发了一个API,但是令牌过期有问题,我尝试找到刷新API发送的令牌的方法,但没有发现任何问题 这是我的用户mdoal:

<?php

namespace App;


use Tymon\JWTAuth\Contracts\JWTSubject;
use Illuminate\Notifications\Notifiable;
use Illuminate\Foundation\Auth\User as Authenticatable;
class User extends Authenticatable implements JWTSubject
{
    use Notifiable;

    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'name', 'email', 'password','username','lastname','tel','tel',
    ];

    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'password', 'remember_token',
    ];
    public function getJWTIdentifier()
    {
        return $this->getKey();
    }

    /**
     * Return a key value array, containing any custom claims to be added to the JWT.
     *
     * @return array
     */
    public function getJWTCustomClaims()
    {
        return [];
    }
}

这是我的loginController

<?php

namespace App\Http\Controllers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use App\Http\Controllers\Controller;
use App\User;
use JWTFactory;
use JWTAuth;
use Validator;


class APILoginController extends Controller
{
    //


    public function login( Request $request){
        $validator = Validator::make($request -> all(),[
         'email' => 'required|string|email|max:255',
         'password'=> 'required'
        ]);

        if ($validator -> fails()) {
            # code...
            return response()->json($validator->errors());

        }


        $credentials = $request->all('email','password');
        try{
            if (! $token = JWTAuth::attempt( $credentials) ) {
                # code...
                return response()->json( ['error'=> 'invalid username and password'],401);
            }
        }catch(JWTException $e){

          return response()->json( ['error'=> 'could not create token'],500);
        }

        $currentUser = Auth::user();

        return response()->json( ['user'=> $currentUser,'token'=>compact('token')],200);
        ///return response()->json( compact('token'));

    }

}

我在github中找到了创建自定义中间件的解决方案,当令牌过期时,刷新的令牌将添加到响应头中。该应用仅需要搜索响应中是否包含此信息,如果是,则更新保存的令牌。

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class RedirectIfAuthenticated
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string|null  $guard
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        try
        {
            if (! $user = JWTAuth::parseToken()->authenticate() )
            {
                return response()->json([
                    'code'   => 101, // means auth error in the api,
                   'response' => null // nothing to show
                 ]);
            }
        }
        catch (TokenExpiredException $e)
        {
            // If the token is expired, then it will be refreshed and added to the headers
            try
            {
                $refreshed = JWTAuth::refresh(JWTAuth::getToken());
                $user = JWTAuth::setToken($refreshed)->toUser();
                header('Authorization: Bearer ' . $refreshed);
            }
            catch (JWTException $e)
            {
                return response()->json([
                    'code'   => 103, // means not refreshable
                   'response' => null // nothing to show
                 ]);
            }
        }
        catch (JWTException $e)
        {
            return response()->json([
                'code'   => 101 ,//, means auth error in the api,
                   'response' => null // nothing to show
            ]);
        }

        // Login the user instance for global usage
        Auth::login($user, false);

        return  $next($request);
    }
}

1 个答案:

答案 0 :(得分:2)

因此,您使用普通的PHP方法在Laravel中间件中设置标头,将无法正常工作。

您应该检查以下内容: https://github.com/tymondesigns/jwt-auth/blob/develop/src/Http/Middleware/BaseMiddleware.php

https://github.com/tymondesigns/jwt-auth/blob/develop/src/Http/Middleware/RefreshToken.php

基本上,更改:

header('Authorization: Bearer ' . $refreshed);

$response = $next($request);
$response->headers->set('Authorization', 'Bearer '.$token);

以下是问题,此方法无法按预期工作,因为这种“ AfterMiddleware”是在请求通过您的应用程序后执行的。所以:

  1. 用户使用过期的令牌发出请求
  2. 由于TokenExpired,应用将返回403或401(不记得了)。
  3. 不过,响应中将包含带有新令牌的标头
  4. 您使用新令牌发出相同的请求,它应该可以正常工作。