JSON Web Token Cookie Login

clarkwinkelmann

JSON Web Token Cookie Login

This extension implements quasi-stateless JWT-based sessions in Flarum.

The use case for this extension is implementing global login with an external platform serving as the master.
Your code is responsible for setting and updating the cookie, and Flarum will automatically connect and/or create users based on the content of the JWT.
No example code is available for the master implementation.
The information in the README should allow you to implement it in any programming language.

Users are matched through the jwt_subject column in the database that is matched to the token's sub value.

By default, tokens are validated using Google Firebase public keys (automatically retrieved and cached from Google servers) but custom keys can also be used.

A callback hook can be defined to obtain default values for new users from an external API.

Users can be edited via their JWT subject ID by using the PATCH /api/jwt/users/<sub> endpoint.
It works exactly the same way as PATCH /api/users/<id> but takes the JWT subject ID instead of Flarum ID.

The original Flarum session object (Symfony session) and cookie are not used for stateless authentication, however the cookie session is kept because Flarum and some extensions cannot work without it.
This session object is not invalidated during "login" and "logout" of the stateless JWT authentication, so there could be issues with extensions that rely on that object for other purposes than validation messages.

An optional hidden iframe with cross-window messaging can be used to trigger auto-login and auto-logout, or to update the JWT continuously with a longer lifetime.

See up to date documentation for the hooks and iframe implementation in the README clarkwinkelmann/flarum-ext-jwt-cookie-login

Installation

composer require clarkwinkelmann/flarum-ext-jwt-cookie-login

Support

This extension is under minimal maintenance.

It was developed for a client and released as open-source for the benefit of the community.
I might publish simple bugfixes or compatibility updates for free.

You can contact me to sponsor additional features or updates.

Support is offered on a "best effort" basis through the Flarum community thread.

Sponsors: Dater.com

Links

hereistheme

is this enable and forget about it without any other settings?

clarkwinkelmann

hereistheme you need to write the code that sets the cookie. And implement an endpoint that can be used by the hook and/or iframe if you wish to use those features.

Most likely you will need to modify the settings to match your implementation because the defaults are very generic. It's been tested with a Firebase-powered setup but it's not a drop-in solution. I cannot share any of the Firebase code because it's closed source. The theory is quite simple and flexible to implement in a variety of languages and backends though.

I'm happy to answer any question, and additional features can be sponsored if someone wants to build something more advanced on top of this.

hereistheme

clarkwinkelmann understood, thank you! 😃

Sanyu

Hi!

I'm trying this plugin with a Supabase database and I'm currently stuck with a "Signature verification failed" error. Here you can find the logs with the jwt (test email), public key and algo in Debug Mode at the top of the logs:

[2022-07-01 20:37:53] flarum.INFO: jwt: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjU2NzExNDY4LCJzdWIiOiJkZGE0NGNiYi02YjM1LTQ0NDItODZhZS04YzZjZDY0MTAwMjIiLCJlbWFpbCI6ImhlbGFrNTM2MjBAbWVpZGlyLmNvbSIsInBob25lIjoiIiwiYXBwX21ldGFkYXRhIjp7InByb3ZpZGVyIjoiZW1haWwiLCJwcm92aWRlcnMiOlsiZW1haWwiXX0sInVzZXJfbWV0YWRhdGEiOnt9LCJyb2xlIjoiYXV0aGVudGljYXRlZCJ9.11leQXnarVtGpTpmXH5sC_D-pP3tGamfSXk187jQdMM  
[2022-07-01 20:37:53] flarum.INFO: public key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImlucmpxeGd6bnJ1anZteG5qcGptIiwicm9sZSI6ImFub24iLCJpYXQiOjE2NTU3NTkzNDgsImV4cCI6MTk3MTMzNTM0OH0.8jfboZuSGzWHeQbGrRNQZPNXkDplx-vgyL6jA4l1B68  
[2022-07-01 20:37:53] flarum.INFO: public key algo: HS256  
[2022-07-01 20:37:53] flarum.INFO: Invalid JWT cookie: Firebase\JWT\SignatureInvalidException: Signature verification failed in /path/to/flarum/vendor/firebase/php-jwt/src/JWT.php:140
Stack trace:
#0 /path/to/flarum/vendor/clarkwinkelmann/flarum-ext-jwt-cookie-login/src/Middleware/AuthenticateWithJWT.php(72): Firebase\JWT\JWT::decode()
#1 /path/to/flarum/vendor/clarkwinkelmann/flarum-ext-jwt-cookie-login/src/Middleware/AuthenticateWithJWT.php(42): ClarkWinkelmann\JWTCookieLogin\Middleware\AuthenticateWithJWT->getUser()
#2 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): ClarkWinkelmann\JWTCookieLogin\Middleware\AuthenticateWithJWT->process()
#3 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithSession.php(31): Laminas\Stratigility\Next->handle()
#4 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\AuthenticateWithSession->process()
#5 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/RememberFromCookie.php(52): Laminas\Stratigility\Next->handle()
#6 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\RememberFromCookie->process()
#7 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/StartSession.php(61): Laminas\Stratigility\Next->handle()
#8 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\StartSession->process()
#9 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/CollectGarbage.php(46): Laminas\Stratigility\Next->handle()
#10 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\CollectGarbage->process()
#11 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/ParseJsonBody.php(28): Laminas\Stratigility\Next->handle()
#12 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\ParseJsonBody->process()
#13 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/HandleErrors.php(57): Laminas\Stratigility\Next->handle()
#14 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\HandleErrors->process()
#15 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/InjectActorReference.php(25): Laminas\Stratigility\Next->handle()
#16 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\InjectActorReference->process()
#17 /path/to/flarum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(76): Laminas\Stratigility\Next->handle()
#18 /path/to/flarum/vendor/middlewares/request-handler/src/RequestHandler.php(84): Laminas\Stratigility\MiddlewarePipe->process()
#19 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Middlewares\RequestHandler->process()
#20 /path/to/flarum/vendor/middlewares/base-path-router/src/BasePathRouter.php(101): Laminas\Stratigility\Next->handle()
#21 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Middlewares\BasePathRouter->process()
#22 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Middleware/OriginalMessages.php(36): Laminas\Stratigility\Next->handle()
#23 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Laminas\Stratigility\Middleware\OriginalMessages->process()
#24 /path/to/flarum/vendor/middlewares/base-path/src/BasePath.php(73): Laminas\Stratigility\Next->handle()
#25 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Middlewares\BasePath->process()
#26 /path/to/flarum/vendor/flarum/core/src/Http/Middleware/ProcessIp.php(24): Laminas\Stratigility\Next->handle()
#27 /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php(51): Flarum\Http\Middleware\ProcessIp->process()
#28 /path/to/flarum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(76): Laminas\Stratigility\Next->handle()
#29 /path/to/flarum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php(65): Laminas\Stratigility\MiddlewarePipe->process()
#30 /path/to/flarum/vendor/laminas/laminas-httphandlerrunner/src/RequestHandlerRunner.php(96): Laminas\Stratigility\MiddlewarePipe->handle()
#31 /path/to/flarum/vendor/flarum/core/src/Http/Server.php(44): Laminas\HttpHandlerRunner\RequestHandlerRunner->run()
#32 /path/to/flarum/public/index.php(26): Flarum\Http\Server->listen()
#33 {main}

I inserted the token and the public key on jwt.io and the signature is verified.

Is there something I forgot to do? I didn't add a registration hook endpoint and hidden iframe url if that matters.

clarkwinkelmann

Sanyu did you modify the code to get that debug output? The error log is not formatted according to what I expect from the extension.

Is the JWT value correctly set in the cookie without any leading or trailing space or newline?

If the cookie is empty or the wrong cookie name is used, debug mode should log "No JWT cookie" so it's probably not this.

If everything looks right on that side, then maybe it's a timezone issue? You can try increasing the leeway temporarily to see if it changes anything? Again it doesn't seem to be this based on the exception message but we never know.

Have you also tried with an RS256 key? Was there any difference? I think I have only ever tested with RS256 so maybe it's an algo-specific error? I can't test right now but if you can confirm this I'll check it out asap.

EDIT: also, can you confirm the version of the extension you are running? Officially there's only 1.0.0 but there have been numerous iterations on dev-master prior to release so I want to double-check.

Sanyu

clarkwinkelmann Thank you for your suggestions!

The extension version I'm using is 1.0.0.
Yes, I've added the exception from your try catch, thought it could help with debugging.

I tried generating an RS256 token and another generated HS256 and the signature verification works on both tokens. It seems like the issue is the "exp" attribute in the Supabase token so I'll have to look more into it.

But with the first 2 tokens, I'm still getting the following error:

Illuminate\Validation\ValidationException: The given data was invalid. in file /path/to/flarum/vendor/flarum/core/src/Foundation/AbstractValidator.php on line 64
Stack trace:
  1. Illuminate\Validation\ValidationException-&gt;() /path/to/flarum/vendor/flarum/core/src/Foundation/AbstractValidator.php:64
  2. Flarum\Foundation\AbstractValidator-&gt;assertValid() /path/to/flarum/vendor/fof/recaptcha/src/Listeners/RegisterValidate.php:37
  3. FoF\ReCaptcha\Listeners\RegisterValidate-&gt;handle() /path/to/flarum/vendor/illuminate/events/Dispatcher.php:424
  4. Illuminate\Events\Dispatcher-&gt;Illuminate\Events\{closure}() /path/to/flarum/vendor/illuminate/events/Dispatcher.php:249
  5. Illuminate\Events\Dispatcher-&gt;dispatch() /path/to/flarum/vendor/flarum/core/src/User/Command/RegisterUserHandler.php:114
  6. Flarum\User\Command\RegisterUserHandler-&gt;handle() /path/to/flarum/vendor/illuminate/bus/Dispatcher.php:122
  7. Illuminate\Bus\Dispatcher-&gt;Illuminate\Bus\{closure}() /path/to/flarum/vendor/illuminate/pipeline/Pipeline.php:128
  8. Illuminate\Pipeline\Pipeline-&gt;Illuminate\Pipeline\{closure}() /path/to/flarum/vendor/illuminate/pipeline/Pipeline.php:103
  9. Illuminate\Pipeline\Pipeline-&gt;then() /path/to/flarum/vendor/illuminate/bus/Dispatcher.php:132
 10. Illuminate\Bus\Dispatcher-&gt;dispatchNow() /path/to/flarum/vendor/illuminate/bus/Dispatcher.php:78
 11. Illuminate\Bus\Dispatcher-&gt;dispatch() /path/to/flarum/vendor/clarkwinkelmann/flarum-ext-jwt-cookie-login/src/Middleware/AuthenticateWithJWT.php:153
 12. ClarkWinkelmann\JWTCookieLogin\Middleware\AuthenticateWithJWT-&gt;getUser() /path/to/flarum/vendor/clarkwinkelmann/flarum-ext-jwt-cookie-login/src/Middleware/AuthenticateWithJWT.php:42
 13. ClarkWinkelmann\JWTCookieLogin\Middleware\AuthenticateWithJWT-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 14. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithSession.php:31
 15. Flarum\Http\Middleware\AuthenticateWithSession-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 16. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/RememberFromCookie.php:52
 17. Flarum\Http\Middleware\RememberFromCookie-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 18. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/StartSession.php:61
 19. Flarum\Http\Middleware\StartSession-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 20. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/CollectGarbage.php:46
 21. Flarum\Http\Middleware\CollectGarbage-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 22. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/ParseJsonBody.php:28
 23. Flarum\Http\Middleware\ParseJsonBody-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 24. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/HandleErrors.php:57
 25. Flarum\Http\Middleware\HandleErrors-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 26. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/InjectActorReference.php:25
 27. Flarum\Http\Middleware\InjectActorReference-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 28. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php:76
 29. Laminas\Stratigility\MiddlewarePipe-&gt;process() /path/to/flarum/vendor/middlewares/request-handler/src/RequestHandler.php:84
 30. Middlewares\RequestHandler-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 31. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/middlewares/base-path-router/src/BasePathRouter.php:101
 32. Middlewares\BasePathRouter-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 33. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Middleware/OriginalMessages.php:36
 34. Laminas\Stratigility\Middleware\OriginalMessages-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 35. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/middlewares/base-path/src/BasePath.php:73
 36. Middlewares\BasePath-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 37. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/flarum/core/src/Http/Middleware/ProcessIp.php:24
 38. Flarum\Http\Middleware\ProcessIp-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/Next.php:51
 39. Laminas\Stratigility\Next-&gt;handle() /path/to/flarum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php:76
 40. Laminas\Stratigility\MiddlewarePipe-&gt;process() /path/to/flarum/vendor/laminas/laminas-stratigility/src/MiddlewarePipe.php:65
 41. Laminas\Stratigility\MiddlewarePipe-&gt;handle() /path/to/flarum/vendor/laminas/laminas-httphandlerrunner/src/RequestHandlerRunner.php:96
 42. Laminas\HttpHandlerRunner\RequestHandlerRunner-&gt;run() /path/to/flarum/vendor/flarum/core/src/Http/Server.php:44
 43. Flarum\Http\Server-&gt;listen() /path/to/flarum/public/index.php:26

Logs

[2022-07-06 18:22:16] flarum.INFO: jwt: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI5OTZmYjAzNS04YmRkLTQ0OGMtYmJjMC1mMGE5MzE0ODI0NjMiLCJuYW1lIjoiRmxhcnVtIFVzZXIiLCJ1c2VybmFtZSI6ImZsYXJ1bVRlc3RlciIsImVtYWlsIjoidGVzdEBmbGFydW0uY29tIn0.KlSmjl6wELxyfqZhXcQyXW9PL5mm-sUy9nylwInpPpANC3qX_IH5gAHBYvXfZr88CDWiCLoWHzPB2AEBvHo-Ley_Xs_gXDMZNQ2HovLUq5wQzRCEUTYuORvYupz16DnPBaMydvZPyOHk4Fzoc-T46mNbTMiiOQfkCS7GN4ype1wV7_Wa8Yg01WBMVOijKrdrIUTacPuYddFdhbBHukdx1wx2GRNGt1kHxbpIZK5ynICPapML43HjQ71XJlZcxTF4DWQE3yC8q2U-j-Uw2AJs2xOwor_azk0rZ4inB_U4-1GNpADd7b07R1u6n5y_UALetPyOLF-0kK-FBQrnfrV-UQ  
[2022-07-06 18:22:16] flarum.INFO: public key: -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmwIDAQAB
-----END PUBLIC KEY-----  
[2022-07-06 18:22:16] flarum.INFO: public key algo: RS256  
[2022-07-06 18:22:16] flarum.INFO: Performing internal request to POST /api/users with data:
{
    "attributes": {
        "isEmailConfirmed": true,
        "password": "xX56iee2HMO573ZSOay6c4RwqcxtxtPo",
        "username": "flarumTester",
        "email": "test@flarum.com"
    }
}  
[2022-07-06 18:22:28] flarum.INFO: jwt:   
[2022-07-06 18:22:28] flarum.INFO: No JWT cookie

My flarum admin account has ID 1 so do you know what it could be?

clarkwinkelmann

Sanyu /path/to/flarum/vendor/fof/recaptcha/src/Listeners/RegisterValidate.php:37

It seems like you have the recaptcha extension enabled. It appears to conflict with this extension by trying to validate the captcha when a user is registered internally via the JWT.

I'm not sure what to suggest about the exp attribute, you need to make sure it's a date in the future.

PRISS

I recently encountered flarum and am using it. Thank you for sharing good functions.
Registration Hook Endpoint is not currently in progress in flarum version .
I can't call you. Even if you enter test_url, you can't call.

clarkwinkelmann

PRISS what have you tried? Have you tried a local URL, can you reach the same endpoint with curl ?

If I remember correctly this extension logs a lot of things to Flarum's log file, not just errors. Enable debug mode, try again and share any log that was generated.

PRISS

clarkwinkelmann thx

I checked the log and it was resolved.
An error occurred because the username received as json was in unicode format.
It was a decoding problem.

{
"attributes": {
"isEmailConfirmed": true,
"password": "aTw4h1Tti4ZCBUE1sVr83HxSCtfISG8m",
"username": "\ud638\ub871\ubd88",
"email": "email@ 🇬 "
},
"type": "users"
}