How to change a token to be invalid status? #643
You need to store the invalid tokens somewhere and then check if the token does not exist in the stored database (I would recommend Redis for such tasks). When you encounter such invalidated token, you can use the
@RikudouSage If I store the token in Redis or a database, it will make the JWT like a session, so I may have found a better solution for it. I check it in:

```php
public function onJWTDecoded(JWTDecodedEvent $event)
{
    // Only act on the logout route; every other request passes through untouched.
    if ($this->request->get('_route') !== 'api_users_logout_collection') {
        return;
    }
    if ($this->tokenFactory->clearToken($event)) {
        $response = new JsonResponse(['message' => 'Logout successfully.']);
        $response->headers->set('Access-Control-Allow-Origin', '*');
        $response->prepare($this->request);
        $response->send();
    }
}

public function clearToken(JWTDecodedEvent $event)
{
    $result = false;
    $refreshQueryParams = [];
    $payload = $event->getPayload();
    if ($payload && isset($payload['username'])) {
        // Marks only the current request's token as invalid; nothing is persisted.
        $event->markAsInvalid();
        $refreshQueryParams['username'] = $payload['username'];
        $result = true;
    }
    // Remove the matching refresh token so no new JWT can be obtained from it.
    $refreshToken = $this->getRefreshToken();
    if ($refreshToken) {
        $repo = $this->doctrine->getRepository(RefreshTokenEntity::class);
        $refreshQueryParams['refreshToken'] = $refreshToken;
        $RTObject = $repo->findOneBy($refreshQueryParams);
        if ($RTObject) {
            $em = $this->doctrine->getManager();
            $em->remove($RTObject);
            $em->flush();
        }
    }
    return $result;
}
```
@lichnow In your code nothing happens. The token you "invalidated" can be used again with no problem. To actually invalidate it, you need to store the invalidated tokens somewhere, then in an event listener check if the token you received is invalidated (e.g. is stored in database) and then use the
As I said, Redis is great for stuff like this for two reasons (and probably some others):
@RikudouSage

```php
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTDecodedEvent;

public function invalidToken(array $payload)
{
    // Without an `exp` claim the entry's lifetime cannot be bounded, so do nothing.
    if (!isset($payload['exp'])) {
        return;
    }
    if (($token = $this->getToken()) !== null && !$this->isInvalidToken()) {
        $key = "token_blacklist.{$token}";
        $this->redis->set($key, $token);
        // Let the entry expire when the JWT itself expires; after that it is rejected anyway.
        $this->redis->expireat($key, $payload['exp']);
    }
}

public function isInvalidToken()
{
    if (null === ($token = $this->getToken())) {
        return false;
    }
    // Direct key lookup instead of a KEYS scan: O(1) and does not block Redis.
    $key = "token_blacklist.{$token}";
    return $this->redis->get($key) === $token;
}

protected function getToken()
{
    if (false === ($jsonWebToken = $this->tokenExtractor->extract($this->request))) {
        return null;
    }
    return $jsonWebToken;
}

public function onJWTDecoded(JWTDecodedEvent $event)
{
    $payload = $event->getPayload();
    if (!$payload) {
        return;
    }
    // A denylisted token is rejected before anything else happens.
    if ($this->tokenFactory->isInvalidToken()) {
        $event->markAsInvalid();
        return;
    }
    // On the logout route, denylist the current token, drop its refresh token and respond.
    if ($this->request->get('_route') === 'api_users_logout_collection') {
        $this->tokenFactory->invalidToken($payload);
        $this->tokenFactory->clearRefreshToken($payload);
        $this->responseLogout();
    }
}
```

This code works fine. Thank you again for your answer.
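The denylist pattern the thread settles on, written out as an added, language-neutral example (not code from the issue or from the bundle): entries are keyed by a hash of the token rather than the raw token, expire exactly at the JWT's `exp`, and are checked with a single key lookup. `FakeRedis` is a constructed stand-in for the SET/EXPIREAT/GET commands so the example runs offline; in production a real Redis client takes its place.

```python
import hashlib
import time

class FakeRedis:
    # Constructed stand-in for the three Redis commands used (SET, EXPIREAT, GET),
    # with lazy expiry, so the example runs offline; use a real client in production.
    def __init__(self, clock=time.time):
        self._data = {}      # key -> (value, expires_at or None)
        self._clock = clock  # injectable so tests can move time forward

    def set(self, key, value):
        self._data[key] = (value, None)

    def expireat(self, key, unix_ts):
        if key in self._data:
            self._data[key] = (self._data[key][0], float(unix_ts))

    def get(self, key):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if expires_at is not None and self._clock() >= expires_at:
            del self._data[key]  # expired: behave as if the key never existed
            return None
        return value

class TokenDenylist:
    # Entries are keyed by a SHA-256 of the raw token (the token never becomes a key)
    # and expire at the JWT's own `exp`, after which signature validation rejects it anyway.
    PREFIX = "token_blacklist."

    def __init__(self, redis):
        self.redis = redis

    def _key(self, token):
        return self.PREFIX + hashlib.sha256(token.encode()).hexdigest()

    def invalidate(self, token, payload):
        exp = payload.get("exp")
        if not isinstance(exp, int):
            return False  # no `exp`: refuse rather than store an entry that never expires
        key = self._key(token)
        self.redis.set(key, "1")
        self.redis.expireat(key, exp)
        return True

    def is_invalid(self, token):
        # O(1) lookup on every request (no KEYS scan); a hit means markAsInvalid().
        return self.redis.get(self._key(token)) is not None
```

`invalidate` is what the logout route calls; `is_invalid` is what the decoded-token listener calls on every request before anything else.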
Closing as solved, thanks for the help @RikudouSage
If I log out, or after the password is changed, I should set the token to an invalid status. Is there any method, like the `$event->markAsInvalid()` method in the `onJWTDecoded` event, that can be used in a controller or any other service?