Symfony 6 and the JWT bundle: refresh tokens
#security #php #symfony #jwt

*The cover image was originally created by geralt; many thanks.


Summary

Are you interested in JSON Web Token (JWT) authentication and authorization with Symfony, one of the PHP frameworks?

If so, this post may help:

Well, in practice the lifetime of an access token should be kept short, to limit what an attacker can do with a stolen token before it stops working.
But then what do we do when the access token expires? Ask the user for their credentials again? In many cases that would be inconvenient, wouldn't it?

That is where refresh tokens come in.
This post shows how to handle it with JWTRefreshTokenBundle.
Here we go.

Environment


Tutorial

Overview

Remember that you need to have LexikJWTAuthenticationBundle installed and your application configured for it beforehand.

The steps are as follows:

  1. Install the bundle
  2. PHP 8 specific work (at present)
  3. Update the database
  4. Configure
  5. Testing

1. Install the bundle

JWTRefreshTokenBundle is one composer command away. Run:

$ composer require gesdinet/jwt-refresh-token-bundle

The output starts with:

Info from https://repo.packagist.org: #StandWithUkraine
Using version ^1.1 for gesdinet/jwt-refresh-token-bundle
./composer.json has been updated
Running composer update gesdinet/jwt-refresh-token-bundle
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking gesdinet/jwt-refresh-token-bundle (v1.1.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Downloading gesdinet/jwt-refresh-token-bundle (v1.1.1)
  - Installing gesdinet/jwt-refresh-token-bundle (v1.1.1): Extracting archive
Generating optimized autoload files
116 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

followed by:

Symfony operations: 1 recipe (44a1f19720c3d647b7a54653d52ca981)
  -  WARNING  gesdinet/jwt-refresh-token-bundle (>=1.0): From github.com/symfony/recipes-contrib:main
    The recipe for this package comes from the "contrib" repository, which is open to community contributions.
    Review the recipe at https://github.com/symfony/recipes-contrib/tree/main/gesdinet/jwt-refresh-token-bundle/1.0

Read the warning carefully and enter "y" to continue:

    Do you want to execute this recipe?
    [y] Yes
    [n] No
    [a] Yes for all packages, only for the current installation session
    [p] Yes permanently, never ask again for this project
    (defaults to n): y

The rest is:

  - Configuring gesdinet/jwt-refresh-token-bundle (>=1.0): From github.com/symfony/recipes-contrib:main
Executing script cache:clear [OK]
Executing script assets:install public [OK]

 What's next? 


Some files have been created and/or updated to configure your new packages.
Please review, edit and commit them: these files are yours.

No security vulnerability advisories found

2. Adapt it to PHP 8 (at present)

Well, there is one snag. As generated by the recipe, the entity is not PHP 8 / Symfony 6 friendly because it uses annotations, whereas a current Symfony 6 project expects attributes.
To fix it, edit src/Entity/RefreshToken.php:

- /**
-  * @ORM\Entity
-  * @ORM\Table("refresh_tokens")
-  */
+ #[ORM\Entity]
+ #[ORM\Table(name: 'refresh_token')]
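Review bot: the table name changes in this hunk, from `@ORM\Table("refresh_tokens")` on the removed line to `#[ORM\Table(name: 'refresh_token')]` on the added one, so the migration generated in the next step will create a table named differently from what the recipe's annotation version would have produced. If the rename is not intended, keep `name: 'refresh_tokens'`; if it is, say so in the text, since readers comparing against the bundle's documentation will otherwise wonder which one is right. The `ORM` alias must also still be imported (`use Doctrine\ORM\Mapping as ORM;`) for the attributes to resolve, as it was for the annotations.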

Then run:

$ composer install

3. Update the database

You are probably familiar with these commands. Run them (and review the generated migration before applying it):

$ php bin/console make:migration
$ php bin/console doctrine:migrations:migrate

4. Configure the route and firewall for the refresh token

Edit config/routes.yaml:

  # ...
  jwt_auth:
      path: /auth
+ jwt_refresh:
+     path: /auth/refresh

Then edit config/packages/security.yaml:

  security:
      # ...
      firewalls:
          # ...
          jwt_auth:
              pattern: ^/auth
              stateless: true
              json_login:
                  check_path: jwt_auth
                  success_handler: lexik_jwt_authentication.handler.authentication_success
                  failure_handler: lexik_jwt_authentication.handler.authentication_failure
          api:
              pattern: ^/api
              stateless: true
              jwt: ~
+             refresh_jwt:
+                 check_path: jwt_refresh
          # ...
     # Note: Only the *first* access control that matches will be used
     access_control:
         # ...
         - { path: ^/auth, roles: PUBLIC_ACCESS }
         - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
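Review bot: `refresh_jwt` is added to the `api` firewall (`pattern: ^/api`), but its `check_path: jwt_refresh` resolves to `/auth/refresh`, which is claimed first by the `jwt_auth` firewall (`pattern: ^/auth`). Symfony hands a request to the first firewall whose pattern matches, and authenticators belong to one firewall, so with this layout the refresh authenticator never sees the request. Either move `refresh_jwt: { check_path: jwt_refresh }` under `jwt_auth`, or give the refresh route a path under `/api` and add a `PUBLIC_ACCESS` rule for it before the `IS_AUTHENTICATED_FULLY` rule that currently covers all of `^/api`.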

Alternatively, you may want to merge the auth and API routes into a single firewall (in which case the login and refresh routes must live under /api, so that this firewall is the one handling them):

security:
    # ...
    firewalls:
        # ...
        # One stateless firewall handles login, refresh and the API. For it to
        # see the login and refresh requests, the jwt_auth and jwt_refresh
        # routes must resolve to paths beginning with /api, and access_control
        # must grant PUBLIC_ACCESS to those two paths ahead of the
        # IS_AUTHENTICATED_FULLY rule for ^/api.
        api:
            pattern: ^/api
            stateless: true
            json_login:
                check_path: jwt_auth
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            jwt: ~
            # With several authenticators on one firewall an explicit entry
            # point is required; jwt answers unauthenticated calls with 401.
            entry_point: jwt
            refresh_jwt:
                check_path: jwt_refresh

That's it!

5. Let's play: access the API with JWT

As in my previous post, call /auth with curl to get a token:

$ curl -X POST \
      -H "Content-Type: application/json" \
      -d '{"username":"your-username","password":"your-password"}' \
      https://your-domain/auth

You get a refresh token along with the access token. Note that the refresh token is a long-lived bearer credential backed by the refresh_token table you just migrated: anyone holding it can mint new access tokens until it expires, so store it at least as carefully as a password.

{"token":"xxx.xxx.xxx","refresh_token":"xxx"}

Got it!
Now let's try the refresh token a little.

The missing case:

$ curl -X POST \
      https://(your-domain)/auth/refresh
{"code":401,"message":"Missing JWT Refresh Token"}

The invalid case:

$ curl -X POST \
      -d refresh_token="wrong-value" \
      https://(your-domain)/auth/refresh
{"code":401,"message":"JWT Refresh Token Not Found"}

The valid case:

$ curl -X POST \
      -d refresh_token="xxx" \
      https://(your-domain)/auth/refresh
{"token":"xxx.xxx.xxx","refresh_token":"xxx"}

Yes!