Hi!
In v0.5.*, I was used to refresh token using the middleware route "jwt.refresh". But it seems to not working in the new version.
How can I do that?
There may be a built in solution, but we decided to roll our own middleware (based on this blog post). Feel free to copy/modify if you want:
<?php
namespace BlackoutWeb\Http\Middleware;

use Closure;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Token;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenBlacklistedException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;

/* Authenticate an incoming API request's JWT token, refreshing it if it has expired. */
class WebAdminAuthorization
{
    public function handle($request, Closure $next)
    {
        try {
            JWTAuth::parseToken();
            $token = JWTAuth::getToken();
        } catch (JWTException $e) {
            abort(401, 'Token missing or badly formatted');
        }

        // Holds the new token when a refresh happened, so it can be handed back to the client
        $refreshed = null;

        // Try to verify token
        try {
            // If successful, save user on request
            $request->user = JWTAuth::authenticate($token);
        } catch (TokenBlacklistedException $e) {
            abort(401, 'Token "' . JWTAuth::manager()->decode($token, false)['jti'] . '" Blacklisted');
        } catch (TokenExpiredException $e) {
            // Token has expired: try to refresh it
            try {
                $refreshed = JWTAuth::refresh($token);
                JWTAuth::setToken($refreshed);
                // Authenticate with new token, save user on request
                $request->user = JWTAuth::authenticate($refreshed);
            } catch (TokenExpiredException $e) {
                // Refresh period (refresh_ttl) has expired too: return 401 status
                abort(401, 'Token Expired');
            }
        }

        $response = $next($request);

        // The old token is blacklisted once refreshed, so the client must receive the new one
        if ($refreshed !== null) {
            $response->headers->set('Authorization', 'Bearer ' . $refreshed);
        }

        return $response;
    }
}
My AuthController; the jwt.refresh middleware will add the refreshed token to the response header (Authorization).
<?php
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AuthController extends Controller
{
    /**
     * Create a new AuthController instance.
     */
    public function __construct()
    {
        $this->middleware('jwt.refresh')->only('refresh');
        $this->middleware('auth:api', ['except' => ['login', 'refresh']]);
    }

    /**
     * Get a JWT token via given credentials.
     *
     * @param \Illuminate\Http\Request $request
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');
        if ($token = $this->guard()->attempt($credentials)) {
            return $this->respondWithToken($token);
        }
        return response()->json(['error' => 'Unauthorized'], 401);
    }

    /**
     * Get the authenticated User.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function me()
    {
        return response()->json($this->guard()->user());
    }

    /**
     * Log the user out (invalidate the token).
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function logout()
    {
        $this->guard()->logout();
        return response()->json(['message' => 'Successfully logged out']);
    }

    /**
     * Refresh a token. The body stays empty: the jwt.refresh middleware
     * puts the new token in the Authorization response header.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function refresh()
    {
        return response()->json();
    }

    /**
     * Get the token array structure.
     *
     * @param string $token
     *
     * @return \Illuminate\Http\JsonResponse
     */
    protected function respondWithToken($token)
    {
        return response()->json([
            'access_token' => $token,
            'token_type'   => 'bearer',
            'expires_in'   => $this->guard()->factory()->getTTL() * 60,
        ]);
    }

    /**
     * Get the guard to be used during authentication.
     *
     * @return \Illuminate\Contracts\Auth\Guard
     */
    public function guard()
    {
        return Auth::guard();
    }
}
Hi everyone! I'm trying to refresh a token but I'm slightly confused by the fact that the refreshed token has the same iat as the original one (which is both mentioned in the docs and the blog post).
Because of this, the refreshed token expires at the same moment as the original one, right? At least, that's what I'm experiencing at the moment. Am I just misunderstanding the concept or what am I doing wrong?
Currently using 1.0.0-rc2 btw ;)
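To see what actually changes between the original and the refreshed token, here is an added PHP helper that is not part of this thread or of jwt-auth. It assumes jwt-auth's rule that the refresh window (config refresh_ttl) is measured from the original iat, which the refreshed token keeps, and it uses constructed tokens with placeholder signatures.

```php
<?php
// Added example (not from this thread or jwt-auth): compare iat/exp of an original and a
// refreshed token. Claims are decoded WITHOUT signature verification: diagnose with it, never authorize.
function base64UrlDecode(string $data): string
{
    $padded = str_pad(strtr($data, '-_', '+/'), (int) (ceil(strlen($data) / 4) * 4), '=');
    $raw = base64_decode($padded, true);
    if ($raw === false) {
        throw new InvalidArgumentException('Segment is not valid base64url');
    }
    return $raw;
}
function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
// Claims array from the payload segment of a compact JWT (header.payload.signature).
function jwtClaims(string $token): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Token must have three dot-separated segments');
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($claims) || !isset($claims['iat'], $claims['exp'])) {
        throw new InvalidArgumentException('Payload lacks iat/exp claims');
    }
    return $claims;
}
// jwt-auth counts refresh_ttl (minutes) from the original iat: last moment a refresh is still accepted.
function refreshDeadline(array $claims, int $refreshTtlMinutes): int
{
    return (int) $claims['iat'] + $refreshTtlMinutes * 60;
}
// Constructed tokens with a placeholder signature; only the claims matter here.
function makeUnsignedToken(array $claims): string
{
    return base64UrlEncode(json_encode(['typ' => 'JWT', 'alg' => 'HS256'])) . '.'
        . base64UrlEncode(json_encode($claims)) . '.placeholder-signature';
}
$iat = 1700000000;    // original issue time (constructed)
$ttl = 60;            // config ttl, minutes
$refreshTtl = 20160;  // config refresh_ttl, minutes
$original  = makeUnsignedToken(['sub' => 1, 'iat' => $iat, 'exp' => $iat + $ttl * 60, 'jti' => 'a1']);
// Refreshed 70 minutes later (after expiry): iat is kept, exp and jti should be new.
$refreshed = makeUnsignedToken(['sub' => 1, 'iat' => $iat, 'exp' => $iat + 70 * 60 + $ttl * 60, 'jti' => 'b2']);
foreach (['original' => $original, 'refreshed' => $refreshed] as $label => $token) {
    $c = jwtClaims($token);
    printf("%-9s iat=%d exp=%d refreshable until %d\n", $label, $c['iat'], $c['exp'], refreshDeadline($c, $refreshTtl));
}
```

Equal exp on both lines means the refresh did not reissue exp; a refresh deadline already in the past is the case where refresh() throws TokenExpiredException, the branch the middleware earlier in the thread handles.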
Take a look at @philliperosario's post here #1355, magnificent work!