Laravel Tymon \\ JWT Auth:在身份验证之前检查未完成的有效令牌?
[英]Laravel Tymon\JWT Auth: Check for Outstanding Valid Token Before Authentication?
问题描述
I'm trying to implement token-based authentication in Laravel 5.5 using Tymon's JWTAuth. 
我正在尝试使用Tymon的JWTAuth在Laravel 5.5中实现基于令牌的身份验证。 I followed the GitHub Documentation for the library and am using the following authentication flow. 我遵循了该库的GitHub文档 ,并正在使用以下身份验证流程。 Here is the authentication portion of my login route: 这是我的登录路线的身份验证部分:
try {
// attempt to verify the credentials and create a token for the user
if (!$token = JWTAuth::attempt($credentials)) {
return response()->json(['success' => false, 'error' => 'Invalid Credentials. Please make sure you entered the right information and you have verified your email address.'], 401);
}
}
catch (JWTException $e) {
// something went wrong whilst attempting to encode the token
return response()->json(['success' => false, 'error' => 'could_not_create_token'], 500);
}
// all good so return the token
return response()->json(['success' => true, 'data'=> [ 'token' => $token ]]);
And here are the routes: 这是路线:
Route::group([
'middleware' => ['jwt.auth', 'jwt.refresh'],
],
function () {
// Routes requiring authentication
Route::get('/logout', 'Auth\LoginController@logout');
Route::get('/protected', function() {
return 'This is a protected page. You must be logged in to see it.';
});
});
So you can see I am using the jwt.auth and jwt.refresh middlewares. 因此,您可以看到我正在使用jwt.auth和jwt.refresh中间件。 Now, everything is seemingly working as expected and I can authenticate users with tokens. 现在,一切似乎都按预期进行,我可以使用令牌对用户进行身份验证。 Each token has a lifespan of one use and I am provided another valid token after each request (the refresh flow). 每个令牌的使用期限为一次,每次请求(刷新流程)后,我都会获得另一个有效令牌。
However, my problem is that if I have a valid token for a user that has not been used yet, and then I remove it from the header and hit the /login route with valid credentials, I am issued another valid token. 但是,我的问题是,如果我有一个尚未使用的用户有效令牌,然后将其从标题中删除,并使用有效凭据打入/ login路由,则会获得另一个有效令牌。 So now I have two valid tokens that can be used to authenticate a user, as my /login route is not invalidating previously issued tokens. 所以现在我有两个可用于验证用户身份的有效令牌,因为我的/ login路由不会使以前发行的令牌无效。
Does anyone know of a way to check to see if a user has an outstanding valid token, so that it can be invalidated if the user logs in from elsewhere? 有谁知道一种检查用户是否有未完成的有效令牌的方法,以便在用户从其他位置登录时可以使其无效?
1 个解决方案
解决方案1
0 已采纳 2017-10-06 01:51:30
I'll answer my own question after doing some research. 做一些研究后,我会回答我自己的问题。 From my understanding, JWT tokens are valid unless explicitly blacklisted. 据我了解,除非明确将其列入黑名单,否则JWT令牌是有效的。 As long as the server recognizes that it itself created the token, then it can decipher the token using a secret key and assume that it's valid. 只要服务器识别出它自己创建了令牌,就可以使用密钥解密令牌并假定它是有效的。 That's why token lifetimes are so important. 这就是令牌寿命如此重要的原因。 So if you want to invalidate an issued token, you'd either have to wait for expiry or blacklist it. 因此,如果要使已发行的令牌无效,则必须等待到期或将其列入黑名单。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.