
Intercept the login_check path from symfony 4.4

I have a REST API made with Symfony 4.4 and I am having problems in the authentication process. Everything works fine, but I am finding that sometimes the login_check returns 401 Unauthorized for users who days ago could access without problems. I am using LexikJWTAuthenticationBundle.

Security:

security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_ADMIN
        ROLE_MANAGER: ROLE_MANAGER
        ROLE_CLIENT: ROLE_CLIENT
        ROLE_HOST: ROLE_HOST

    encoders:
        App\Entity\User:
            algorithm: auto

    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern:  ^/api/login
            stateless: true
            anonymous: true
            json_login:
                check_path:               /api/login_check
                success_handler:          app.jwt_authenticator_success_handler
                failure_handler:          lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern:   ^/api
            anonymous: true
            stateless: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
        main:
            anonymous: ~
            logout:
                path: app_logout
                delete_cookies: ['rhsso']
                success_handler: logout_handler
                # where to redirect after logout
                # target: app_any_route

    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

I have no idea what is going on. I'm trying to at least log the time when the credentials are verified, but I can't find a way to intercept the code for the login_check route. I don't even know where that code is in Symfony security. Any help with this? Thanks in advance.

The /api/login_check path is probably defined in /config/routes/jwt.yaml or somewhere in the config/routes...

bin/console debug:router api_login_check

may or may not shed some light

and if you run

bin/console debug:container lexik_jwt_authentication.jwt_token_authenticator

you should find the class to intercept. Perhaps you could dig into the failure handler to find out why you get a 401. Token expiry sounds possible if it's happening from time to time.
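
One way to record when and why authentication fails, as an added example (not code from the question or the answer): an event subscriber on the failure events that LexikJWTAuthenticationBundle dispatches, including the one fired by the `lexik_jwt_authentication.handler.authentication_failure` handler configured above. The class name and file path are hypothetical; it assumes the default Symfony 4.4 service autowiring/autoconfiguration and the default `username` key of `json_login`.

```php
<?php
// Hypothetical file: src/EventSubscriber/LoginFailureLogSubscriber.php
namespace App\EventSubscriber;

use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationFailureEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Events;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RequestStack;

final class LoginFailureLogSubscriber implements EventSubscriberInterface
{
    private $logger;
    private $requests;

    public function __construct(LoggerInterface $logger, RequestStack $requests)
    {
        $this->logger = $logger;
        $this->requests = $requests;
    }

    public static function getSubscribedEvents(): array
    {
        return [
            // Dispatched by lexik_jwt_authentication.handler.authentication_failure
            Events::AUTHENTICATION_FAILURE => 'onFailure',
            // Dispatched by the JWT authenticator on the "api" firewall
            Events::JWT_EXPIRED => 'onFailure',
            Events::JWT_INVALID => 'onFailure',
            Events::JWT_NOT_FOUND => 'onFailure',
        ];
    }

    public function onFailure(AuthenticationFailureEvent $event, string $eventName): void
    {
        $request = $this->requests->getCurrentRequest();
        $exception = $event->getException();
        $body = $request ? json_decode($request->getContent(), true) : null;
        // The logger timestamps each record; the password is never logged.
        $this->logger->warning('API authentication failed', [
            'event' => $eventName,
            'path' => $request ? $request->getPathInfo() : null,
            'client_ip' => $request ? $request->getClientIp() : null,
            'username' => is_array($body) ? ($body['username'] ?? null) : null,
            'exception' => $exception ? get_class($exception) : null,
            'reason' => $exception ? $exception->getMessageKey() : null,
        ]);
    }
}
```

The `event` and `exception` fields separate a rejected password on `/api/login_check` from an expired or invalid token on the rest of `/api`, which is the distinction the intermittent 401s need.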
