I have a production environment (the version is the same than my development envirnoments). On my development environment, sending a GET request to a route behind the JWT firewall with the Authorization header like: Bearer <token> all works fine. On the production environment I GET 401 JWT Token not found errrors for the same routes.
Here is my LexikJWTAuthenticationBundle configuration:
lexik_jwt_authentication:
secret_key: '%env(resolve:JWT_SECRET_KEY)%'
public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
pass_phrase: '%env(resolve:JWT_PASSPHRASE)%'
token_ttl: '%env(resolve:JWT_TOKEN_TTL)%'
user_identity_field: username
encoder:
signature_algorithm: HS256
token_extractors:
authorization_header:
enabled: true
prefix: Bearer
name: Authorization
Here is my security.yml:
security:
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
encoders:
App\Document\User:
algorithm: auto
providers:
user_mongo:
mongodb:
class: App\Document\User
property: email
role_hierarchy:
ROLE_RIDER: ROLE_USER
ROLE_SELLER: ROLE_USER
ROLE_ADMIN: ROLE_USER, ROLE_SELLER
ROLE_SUPER_ADMIN: ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
api_login:
pattern: ^/api/login
stateless: true
anonymous: true
provider: user_mongo
form_login:
check_path: /api/login
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api_refresh:
pattern: ^/api/refreshtoken
stateless: true
anonymous: true
api_doc:
pattern: ^/api/doc
anonymous: true
provider: user_mongo
api:
pattern: ^/api
stateless: true
anonymous: ~
provider: user_mongo
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
main:
anonymous: ~
pattern: ^/
form_login:
login_path: login
check_path: login
csrf_token_generator: security.csrf.token_manager
provider: user_mongo
remember_me:
secret: '%kernel.secret%'
lifetime: 604800
path: /
logout:
invalidate_session: true
path: /logout
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
- { path: ^/api/ping$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/register$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/refreshtoken$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/frontendconfiguration, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/doc, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, role: IS_AUTHENTICATED_FULLY }
- { path: ^/api/admin, role: ROLE_ADMIN }
- { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, role: ROLE_ADMIN }
Why form_login instead of json_login under api_login firewall ?
@fd6130 It was a mistake but I don't think it will solve my issue. Gonna check this now.
EDIT: This is not a mistake, it's juste to not send the credentials as JSON but as two form-data POST fields.
@fd6130 It was a mistake but I don't think it will solve my issue. Gonna check this now.
EDIT: This is not a mistake, it's juste to not send the credentials as JSON but as two form-data POST fields.
Have you tried clear cache? And also maybe prod.log have some clues about the issue?
@fd6130 When I access a route protected by the firewall. I switched to dev mode but the problem is still the same.
Here is the log:
[2020-02-19 15:02:09] request.INFO: Matched route "api_list_businesses". {"route":"api_list_businesses","route_parameters":{"_route":"api_list_businesses","_controller":"App\\Controller\\BusinessController::listAction"},"request_uri":"http://backend.fidzee.fr/api/businesses","method":"GET"} []
[2020-02-19 15:02:09] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"api","authenticators":1} []
[2020-02-19 15:02:09] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"api","authenticator":"Lexik\\Bundle\\JWTAuthenticationBundle\\Security\\Guard\\JWTTokenAuthenticator"} []
[2020-02-19 15:02:09] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"api","authenticator":"Lexik\\Bundle\\JWTAuthenticationBundle\\Security\\Guard\\JWTTokenAuthenticator"} []
[2020-02-19 15:02:09] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2020-02-19 15:02:09] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /var/www/fidzee/vendor/symfony/security-http/Firewall/AccessListener.php:99)"} []
[2020-02-19 15:02:09] security.DEBUG: Calling Authentication entry point. [] []
I figured out how to fix it, the Authorization header was filtered out by Apache. Just added SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 to my vhost configuration did the job.
Most helpful comment
I figured out how to fix it, the Authorization header was filtered out by Apache. Just added
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1to my vhost configuration did the job.