Jwt-auth: Possible security bug

Created on 22 Apr 2017 · 2 Comments · Source: tymondesigns/jwt-auth

I'm using jwt-auth in two separate applications with Laravel 5.3. And I have verified that I can authenticate in one of the applications with a token generated by the other application, in that case the application authenticates me as long as I have a user with the same id.

I have reviewed the jwt-auth code and found that to authenticate it only verifies that the token can be decoded, and in that case logs the user through the id.

I recommend that the encoding be done in combination with the key of the application generated by key:generate.

Please correct me if I am wrong.
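The behaviour described above is what happens whenever two applications verify HS256 tokens with the same shared secret: a token is accepted if its HMAC matches, and the `sub` claim (the user id) is then used to log the user in, so an id that exists in both databases is interchangeable. The script below is an added example, not code from jwt-auth or from the reporter. It implements a minimal HS256 signer/verifier with the standard library only, then shows that a token issued by "app A" is accepted by "app B" when the secrets are identical, rejected when each application has its own secret, and also rejected when the verifier additionally checks an `iss` claim. The secrets, user id and application names are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: str, expected_iss: Optional[str] = None) -> Optional[dict]:
    """Return the claims if the signature (and optional issuer) check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    # Only accept the algorithm we issue ourselves; never trust "alg" from the token
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    # Optional defence in depth: bind the token to the application that issued it
    if expected_iss is not None and claims.get("iss") != expected_iss:
        return None
    return claims


def cross_app_check(secret_a: str, secret_b: str, check_issuer: bool = False) -> dict:
    """App A issues a token for user 42 (constructed); does app B accept it?"""
    token = sign_hs256({"sub": 42, "iss": "app-a", "iat": 1492819200}, secret_a)
    claims = verify_hs256(token, secret_b, expected_iss="app-b" if check_issuer else None)
    return {
        "token": token,
        "accepted_by_b": claims is not None,
        "sub": claims.get("sub") if claims else None,
    }


if __name__ == "__main__":
    # Same JWT_SECRET in both .env files: app B logs in whoever has id 42
    print("shared secret:   ", cross_app_check("shared-secret", "shared-secret")["accepted_by_b"])
    # Distinct secrets (the fix from the thread): the HMAC no longer matches
    print("distinct secrets:", cross_app_check("secret-for-a", "secret-for-b")["accepted_by_b"])
    # Even with a shared secret, an issuer check stops the cross-application login
    print("issuer checked:  ", cross_app_check("shared-secret", "shared-secret", True)["accepted_by_b"])
```

Distinct per-application secrets are the actual fix; the `iss` check is an extra guard worth having if several applications must ever share signing material, because it makes the token say which application it was minted for rather than relying on the secret alone.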

All 2 comments

In your .env file, do you have two different JWT_SECRET?

Sorry, it was a copy/paste issue. I just regenerated the JWT_SECRET and it is working properly now.

Thanks !
