Internal Auth with JWT

[kubacode]

So i'm probably just up too late at night and have thinking in to things too far, but I can't for the life of me figure out how I store a JWT token to be used for Internal Requests.

Do I just store the token in a session? If I do store in a session, would the best way to attach the token to all requests be through middleware? I'm sure I'm missing something really simple, but I can't for the life of me see how this is done from the Wiki documentation.

Thanks in advance for your help!

[catalinux]

Can you be more explicit about: "Internal Request"? What is your case?

[kubacode]

Ok, my use case is I'm setting up an API in Laravel, and I also want to drive a web interface for this app from the same Laravel instance.

I want to use the API in the web interface, so don't want to use the built in Laravel Auth for the web interface, I want to use the API to log in - hope this provide a bit more of an overview as to what I'm trying to achieve - let me know if you need any more details. Thanks for your help :)

[jasonlewis]

Storing it in a session should be fine. You could attach the token in a number of ways. You could attach it in a base controller, or, as you pointed out, in a middleware. This is untested but in theory it should work.

Your middleware should look something like this:

class InjectJwtToken
{
    public function __construct(SessionManager $session)
    {
        $this->session = $session;
    }

    public function handle($request, Closure $next)
    {
        if ($request instanceof Dingo\Api\Http\InternalRequest) {
            if ($session->has('jwt_token')) {
                $request->headers->set('authorization', sprintf('Bearer %s', $session->get('jwt_token')));
            }
        }

        return $next($request);
    }
}

Something like that.

[kubacode]

Awesome, thanks for the response - I'll try implementing this evening and let you know how I go :)

[kubacode]

Hrm, I'm getting a UnauthorizedHttpException thrown from the Dingo\Api\Auth Auth class, with the message 'Failed to authenticate because of bad credentials or an invalid authorization header.'.

I've dumped the header and grabbed out the token set in the header and send a request through using Poster and this goes through fine - any hints as to what could be going on?

[jasonlewis]

Are you able to confirm in the authentication route that the header is being sent? Dump out app('request')->headers for example and see what's there.

Also how have you configured your middleware?

I'll try to test this out later and see if I can get it working.

[kubacode]

Headers set are:

HeaderBag {#46 ▼
  #headers: array:11 [▼
    "content-type" => array:1 [▶]
    "content-length" => array:1 [▶]
    "host" => array:1 [▶]
    "accept" => array:1 [▶]
    "connection" => array:1 [▶]
    "cookie" => array:1 [▶]
    "user-agent" => array:1 [▶]
    "accept-language" => array:1 [▶]
    "cache-control" => array:1 [▶]
    "accept-encoding" => array:1 [▶]
    "authorization" => array:1 [▼
      0 => "Bearer {redacted}"
    ]
  ]
  #cacheControl: array:1 [▶]
}

I've got a Route Group for my web app and I'm applying the InjectJwtToken middleware to this entire route group.

Middleware is:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Dingo\Api\Routing\Helpers;
class InjectJwtToken
{
    use Helpers;

    protected $session;

    public function __construct(Request $request)
    {
        $this->session = $request->session();
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->session->has('jwt_token')) {
            $request->headers->set('Authorization', 'Bearer ' . $this->session->get('jwt_token'));
            dd(app('request')->headers);
            $this->api->get('/v1/user');
        }

        return $next($request);
    }
}

Obviously $this->api->get('/v1/user'); is just set to check that the JWT token is successfully authenticated.

Let me know if I can provide any more detail that would be helpful - thanks for all your help!

[jasonlewis]

Can you try that dd in that actual route. Not before the request is
dispatched, but in the actual route that is being dispatched (v1/users). By
the way, avoid versioning in your URL, that's what content negotiation is
for, e.g., the accept header.

On Thu, 20 Aug 2015 at 19:18 Jacob Piers-Blundell notifications@github.com
wrote:

Headers se are:

HeaderBag {#46 ▼
#headers: array:11 [▼
"content-type" => array:1 [▶]
"content-length" => array:1 [▶]
"host" => array:1 [▶]
"accept" => array:1 [▶]
"connection" => array:1 [▶]
"cookie" => array:1 [▶]
"user-agent" => array:1 [▶]
"accept-language" => array:1 [▶]
"cache-control" => array:1 [▶]
"accept-encoding" => array:1 [▶]
"authorization" => array:1 [▼
0 => "Bearer {redacted}"
]
]
#cacheControl: array:1 [▶]
}

I've got a Route Group for my web app and I'm applying the InjectJwtToken
middleware to this entire route group.

Middleware is:

session = $request->session(); } /*\* \* Handle an incoming request. \* \* @param \Illuminate\Http\Request $request \* @param \Closure $next \* @return mixed */ public function handle($request, Closure $next) { if ($this->session->has('jwt_token')) { $request->headers->set('Authorization', 'Bearer ' . $this->session->get('jwt_token')); dd(app('request')->headers); $this->api->get('/v1/user'); } return $next($request); }} Obviously $this->api->get('/v1/user'); is just set to check that the JWT token is successfully authenticated. Let me know if I can provide any more detail that would be helpful - thanks for all your help! — Reply to this email directly or view it on GitHub https://github.com//issues/589#issuecomment-132948071.

[kubacode]

Well theres our problem, it doesn't look like the Authorization header gets set in the internal request!

HeaderBag {#294 ▼
  #headers: array:5 [▼
    "host" => array:1 [▶]
    "user-agent" => array:1 [▶]
    "accept" => array:1 [▶]
    "accept-language" => array:1 [▶]
    "accept-charset" => array:1 [▶]
  ]
  #cacheControl: []
}

Noted RE version in URL - I'll work on this once we get the internal requests working :)

[jasonlewis]

Okay I just looked at your code properly. Take a careful look at my example.

You should only be doing this on internal requests. As external requests you should always be sending the authorization header. So you'll need that if statement.

You also shouldn't be calling $this->api inside your middleware. The middleware will be run when the request is dispatched. That's why you add the header to your request payload then dispatch the request.

[kubacode]

Right that makes sense now! I've modified the middleware and moved the middleware from the web app route group to the API route group and I'm getting the expected response.

Thanks for all your help!