Add set_cookies option to store JWT in secure cookies

lexik · May 28, 2020 · 9f39db2 · 9f39db2
1 parent fc67ecc
commit 9f39db2
Show file tree

Hide file tree

Showing 11 changed files with 228 additions and 16 deletions.
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -4,6 +4,7 @@
 
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
+use Symfony\Component\HttpFoundation\Cookie;
 
 /**
  * LexikJWTAuthenticationBundle Configuration.
@@ -75,6 +76,25 @@ public function getConfigTreeBuilder()
                     ->info('If null, the user ID claim will have the same name as the one defined by the option "user_identity_field"')
                 ->end()
                 ->append($this->getTokenExtractorsNode())
+                ->arrayNode('set_cookies')
+                    ->fixXmlConfig('set_cookie')
+                    ->normalizeKeys(false)
+                    ->useAttributeAsKey('name')
+                    ->prototype('array')
+                        ->children()
+                            ->scalarNode('lifetime')
+                                ->defaultNull()
+                                ->info('The cookie lifetime. If null, the "token_ttl" option value will be used')
+                            ->end()
+                            ->enumNode('samesite')
+                                ->values([Cookie::SAMESITE_NONE, Cookie::SAMESITE_LAX, Cookie::SAMESITE_STRICT])
+                                ->defaultValue(Cookie::SAMESITE_LAX)
+                            ->end()
+                            ->scalarNode('path')->defaultValue('/')->cannotBeEmpty()->end()
+                            ->scalarNode('domain')->defaultNull()->end()
+                        ->end()
+                    ->end()
+                ->end()
             ->end();
 
         return $treeBuilder;

diff --git a/DependencyInjection/LexikJWTAuthenticationExtension.php b/DependencyInjection/LexikJWTAuthenticationExtension.php
@@ -7,6 +7,8 @@
 use Symfony\Component\Config\FileLocator;
 use Symfony\Component\Console\Application;
 use Symfony\Component\DependencyInjection\Alias;
+use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
+use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
 use Symfony\Component\DependencyInjection\Reference;
@@ -88,9 +90,30 @@ public function load(array $configs, ContainerBuilder $container)
         $container->setParameter('lexik_jwt_authentication.encoder.signature_algorithm', $encoderConfig['signature_algorithm']);
         $container->setParameter('lexik_jwt_authentication.encoder.crypto_engine', $encoderConfig['crypto_engine']);
 
+        $tokenExtractors = $this->createTokenExtractors($container, $config['token_extractors']);
         $container
             ->getDefinition('lexik_jwt_authentication.extractor.chain_extractor')
-            ->replaceArgument(0, $this->createTokenExtractors($container, $config['token_extractors']));
+            ->replaceArgument(0, $tokenExtractors);
+
+        if ($config['set_cookies']) {
+            $loader->load('cookie.xml');
+
+            $cookieProviders = [];
+            foreach ($config['set_cookies'] as $name => $attributes) {
+                $container
+                    ->setDefinition($id = "lexik_jwt_authentication.cookie_provider.$name", new ChildDefinition('lexik_jwt_authentication.cookie_provider'))
+                    ->replaceArgument(0, $name)
+                    ->replaceArgument(1, $attributes['lifetime'] ?: ($config['token_ttl'] ?: 0))
+                    ->replaceArgument(2, $attributes['samesite'])
+                    ->replaceArgument(3, $attributes['path'])
+                    ->replaceArgument(4, $attributes['domain']);
+                $cookieProviders[] = new Reference($id);
+            }
+
+            $container
+                ->getDefinition('lexik_jwt_authentication.handler.authentication_success')
+                ->replaceArgument(2, new IteratorArgument($cookieProviders));
+        }
     }
 
     private static function createTokenExtractors(ContainerBuilder $container, array $tokenExtractorsConfig)

diff --git a/Resources/config/cookie.xml b/Resources/config/cookie.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <services>
+        <service id="lexik_jwt_authentication.cookie_provider" class="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider" abstract="true">
+            <argument>null</argument> <!-- Default name -->
+            <argument>null</argument> <!-- Default lifetime -->
+            <argument/> <!-- Default samesite -->
+            <argument/> <!-- Default path -->
+            <argument>null</argument> <!-- Default domain -->
+        </service>
+    </services>
+</container>
diff --git a/Resources/config/response_interceptor.xml b/Resources/config/response_interceptor.xml
@@ -8,6 +8,7 @@
         <service id="lexik_jwt_authentication.handler.authentication_success" class="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler">
             <argument type="service" id="lexik_jwt_authentication.jwt_manager"/>
             <argument type="service" id="event_dispatcher"/>
+            <argument type="collection"/> <!-- Cookie providers -->
             <tag name="monolog.logger" channel="security" />
         </service>
         <service id="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler" alias="lexik_jwt_authentication.handler.authentication_success" />

diff --git a/Response/JWTAuthenticationSuccessResponse.php b/Response/JWTAuthenticationSuccessResponse.php
@@ -2,6 +2,7 @@
 
 namespace Lexik\Bundle\JWTAuthenticationBundle\Response;
 
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\JsonResponse;
 
 /**
@@ -15,8 +16,18 @@ final class JWTAuthenticationSuccessResponse extends JsonResponse
      * @param string $token Json Web Token
      * @param array  $data  Extra data passed to the response
      */
-    public function __construct($token, array $data = [])
+    public function __construct($token, array $data = [], array $jwtCookies = [])
     {
-        parent::__construct(['token' => $token] + $data);
+        if (!$jwtCookies) {
+            parent::__construct(['token' => $token] + $data);
+
+            return;
+        }
+
+        parent::__construct($data);
+
+        foreach ($jwtCookies as $cookie) {
+            $this->headers->setCookie($cookie);
+        }
     }
 }
diff --git a/Security/Http/Authentication/AuthenticationSuccessHandler.php b/Security/Http/Authentication/AuthenticationSuccessHandler.php
@@ -5,6 +5,7 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
 use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationSuccessResponse;
+use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface as ContractsEventDispatcherInterface;
@@ -17,16 +18,25 @@
  * AuthenticationSuccessHandler.
  *
  * @author Dev Lexik <[email protected]>
+ * @author Robin Chalas <[email protected]>
+ *
+ * @final
  */
 class AuthenticationSuccessHandler implements AuthenticationSuccessHandlerInterface
 {
+    private $cookieProviders;
+
     protected $jwtManager;
     protected $dispatcher;
 
-    public function __construct(JWTTokenManagerInterface $jwtManager, EventDispatcherInterface $dispatcher)
+    /**
+     * @param iterable|JWTCookieProvider[] $cookieProviders
+     */
+    public function __construct(JWTTokenManagerInterface $jwtManager, EventDispatcherInterface $dispatcher, $cookieProviders = [])
     {
         $this->jwtManager = $jwtManager;
         $this->dispatcher = $dispatcher;
+        $this->cookieProviders = $cookieProviders;
     }
 
     /**
@@ -43,7 +53,12 @@ public function handleAuthenticationSuccess(UserInterface $user, $jwt = null)
             $jwt = $this->jwtManager->create($user);
         }
 
-        $response = new JWTAuthenticationSuccessResponse($jwt);
+        $jwtCookies = [];
+        foreach ($this->cookieProviders as $cookieProvider) {
+            $jwtCookies[] = $cookieProvider->createCookie($jwt);
+        }
+
+        $response = new JWTAuthenticationSuccessResponse($jwt, [], $jwtCookies);
         $event    = new AuthenticationSuccessEvent(['token' => $jwt], $user, $response);
 
         if ($this->dispatcher instanceof ContractsEventDispatcherInterface) {
@@ -52,7 +67,17 @@ public function handleAuthenticationSuccess(UserInterface $user, $jwt = null)
             $this->dispatcher->dispatch(Events::AUTHENTICATION_SUCCESS, $event);
         }
 
-        $response->setData($event->getData());
+        $responseData = $event->getData();
+
+        if ($jwtCookies) {
+            unset($responseData['token']);
+        }
+
+        if ($responseData) {
+            $response->setData($responseData);
+        } else {
+            $response->setStatusCode(JWTAuthenticationSuccessResponse::HTTP_NO_CONTENT);
+        }
 
         return $response;
     }

diff --git a/Security/Http/Cookie/JWTCookieProvider.php b/Security/Http/Cookie/JWTCookieProvider.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie;
+
+use Symfony\Component\HttpFoundation\Cookie;
+
+/**
+ * Creates secure JWT cookies.
+ */
+final class JWTCookieProvider
+{
+    private $defaultName;
+    private $defaultLifetime;
+    private $defaultSameSite;
+    private $defaultPath;
+    private $defaultDomain;
+
+    /**
+     * @param string|null $defaultName
+     * @param int|null    $defaultLifetime
+     * @param string      $defaultPath
+     * @param string|null $defaultDomain
+     * @param string      $defaultSameSite
+     */
+    public function __construct($defaultName = null, $defaultLifetime = 0, $defaultSameSite = Cookie::SAMESITE_LAX, $defaultPath = '/', $defaultDomain = null)
+    {
+        $this->defaultName = $defaultName;
+        $this->defaultLifetime = $defaultLifetime;
+        $this->defaultSameSite = $defaultSameSite;
+        $this->defaultPath = $defaultPath;
+        $this->defaultDomain = $defaultDomain;
+    }
+
+    /**
+     * Creates a secure cookie containing the passed JWT.
+     *
+     * For each argument (all args except $jwt), if it is omitted or set to null then the
+     * default value defined via the constructor will be used.
+     *
+     * @param string                             $jwt
+     * @param string|null                        $name
+     * @param int|string|\DateTimeInterface|null $expiresAt
+     * @param string|null                        $sameSite
+     * @param string|null                        $path
+     * @param string|null                        $domain
+     *
+     * @return Cookie
+     */
+    public function createCookie($jwt, $name = null, $expiresAt = null, $sameSite = null, $path = null, $domain = null)
+    {
+        if (!$name && !$this->defaultName) {
+            throw new \LogicException(sprintf('The cookie name must be provided, either pass it as 2nd argument of %s or set a default name via the constructor.', __METHOD__));
+        }
+
+        if (!$expiresAt && !$this->defaultLifetime) {
+            throw new \LogicException(sprintf('The cookie expiration time must be provided, either pass it as 3rd argument of %s or set a default lifetime via the constructor.', __METHOD__));
+        }
+
+        return new Cookie(
+            $name ?: $this->defaultName,
+            $jwt,
+            null === $expiresAt ? (time() + $this->defaultLifetime) : $expiresAt,
+            $path ?: $this->defaultPath,
+            $domain ?: $this->defaultDomain,
+            true,
+            true,
+            false,
+            $sameSite ?: $this->defaultSameSite
+        );
+    }
+}
diff --git a/Tests/Functional/GetTokenTest.php b/Tests/Functional/GetTokenTest.php
@@ -8,6 +8,8 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
 use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationSuccessResponse;
+use Symfony\Component\HttpFoundation\Cookie;
+use Symfony\Component\HttpFoundation\Response;
 
 class GetTokenTest extends TestCase
 {
@@ -21,9 +23,7 @@ public function testGetToken()
         $this->assertInstanceOf(JWTAuthenticationSuccessResponse::class, $response);
         $this->assertTrue($response->isSuccessful());
 
-        $body = json_decode($response->getContent(), true);
-
-        $this->assertArrayHasKey('token', $body, 'The response should have a "token" key containing a JWT Token.');
+        $this->getToken($response);
     }
 
     public function testGetTokenWithListener()
@@ -44,9 +44,7 @@ public function testGetTokenWithListener()
         });
 
         static::$client->request('POST', '/login_check', ['_username' => 'lexik', '_password' => 'dummy']);
-        $body = json_decode(static::$client->getResponse()->getContent(), true);
-
-        static::$client->request('GET', '/api/secured', [], [], [ 'HTTP_AUTHORIZATION' => "Bearer ".$body['token'] ]);
+        static::$client->request('GET', '/api/secured', [], [], [ 'HTTP_AUTHORIZATION' => "Bearer ".$this->getToken(static::$client->getResponse()) ]);
 
         $this->assertArrayHasKey('added_data', $payloadTested->payload, 'The payload should contains a "added_data" claim.');
         $this->assertSame('still visible after the event', $payloadTested->payload['added_data'], 'The "added_data" claim should be equal to "still visible after the event".');
@@ -64,14 +62,13 @@ public function testGetTokenWithCustomClaim()
 
         static::$client->request('POST', '/login_check', ['_username' => 'lexik', '_password' => 'dummy']);
 
-        $body    = json_decode(static::$client->getResponse()->getContent(), true);
         $decoder = static::$kernel->getContainer()->get('lexik_jwt_authentication.encoder');
-        $payload = $decoder->decode($body['token']);
+        $payload = $decoder->decode($token = $this->getToken(static::$client->getResponse()));
 
         $this->assertArrayHasKey('custom', $payload, 'The payload should contains a "custom" claim.');
         $this->assertSame('dummy', $payload['custom'], 'The "custom" claim should be equal to "dummy".');
 
-        $jws = (new Parser())->parse((string) $body['token']);
+        $jws = (new Parser())->parse($token);
         $this->assertArrayHasKey('foo', $jws->getHeaders(), 'The payload should contains a custom "foo" header.');
     }
 
@@ -93,4 +90,22 @@ public function testGetTokenFromInvalidCredentials()
         $this->assertSame('Invalid credentials.', $body['message']);
         $this->assertSame(401, $body['code']);
     }
+
+    private function getToken(Response $response)
+    {
+        if (204 === $response->getStatusCode()) {
+            $cookies = $response->headers->getCookies();
+            if (isset($cookies[0]) && 'token' === $cookies[0]->getName()) {
+                $this->assertSame(Cookie::SAMESITE_STRICT, $cookies[0]->getSameSite());
+                return $cookies[0]->getValue();
+            }
+
+            $this->fail('No token found in response.');
+        }
+
+        $body = json_decode($response->getContent(), true);
+        $this->assertArrayHasKey('token', $body, 'The response should have a "token" key containing a JWT Token.');
+
+        return $body['token'];
+    }
 }
diff --git a/Tests/Functional/TestCase.php b/Tests/Functional/TestCase.php
@@ -48,9 +48,15 @@ protected static function getAuthenticatedToken()
         $client = static::$client ?: static::$kernel->getContainer()->get('test.client');
 
         $client->request('POST', '/login_check', ['_username' => 'lexik', '_password' => 'dummy']);
-        $responseBody = json_decode($client->getResponse()->getContent(), true);
+        $response = $client->getResponse();
+        $responseBody = json_decode($response->getContent(), true);
 
         if (!isset($responseBody['token'])) {
+            $cookies = $response->headers->getCookies();
+            if (isset($cookies[0]) && 'token' === $cookies[0]->getName()) {
+                return $cookies[0]->getValue();
+            }
+
             throw new \LogicException('Unable to get a JWT Token through the "/login_check" route.');
         }
 

diff --git a/Tests/Functional/app/config/config_default.yml b/Tests/Functional/app/config/config_default.yml
@@ -5,3 +5,6 @@ lexik_jwt_authentication:
     secret_key: '%kernel.root_dir%/../config/jwt/private.pem'
     public_key: '%kernel.root_dir%/../config/jwt/public.pem'
     pass_phrase: testing
+    set_cookies:
+        token:
+            samesite: strict