Skip to content

Invalidate split_cookies client-side #930

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
carlobeltrame opened this issue Oct 2, 2021 · 0 comments · Fixed by #931
Closed

Invalidate split_cookies client-side #930

carlobeltrame opened this issue Oct 2, 2021 · 0 comments · Fixed by #931

Comments

@carlobeltrame
Copy link
Contributor

Like in #809, we use the split_cookie extractor to store the JWT token in two separate cookies, one of which is available in the JS frontend and one of which is not.
Also I read in #847 (comment) that on logout, JWT tokens should just be deleted client-side.

Now our frontend JS code can only delete the jwt_hp cookie, but not the jwt_s cookie, because that one is marked httponly. I see a few options how we could solve this:

  • Ideally, the split_cookie extractor should be changed to require all the cookie parts. Currently it happily continues when some of the cookie parts are missing, but then joins all cookie values (whether present or not) with periods. This doesn't really make sense in any conceivable case: e.g. jwt_hp=eyABCD.ey12341234 and a missing jwt_s cookie will result in the token eyABCD.ey12341234., which can never be a valid JWT token because of the period in the end. For this reason, this wouldn't be a breaking change either, because no developers could have successfully used partial split cookies so far.
    I'd be happy to prepare a pull request to fix this if you're open to this change.
  • Otherwise, I could listen to the JWT_INVALID event and delete all of my split cookies (by overwriting them with an expired expiry date).
  • Or I could listen to some early Symfony event and delete all of my split cookies if not all of them are present.

I have found no easy way to extend / override the existing SplitCookieExtractor, otherwise that would be an option as well.
@carlobeltrame carlobeltrame mentioned this issue Oct 2, 2021
Merged
BacLuc added a commit to BacLuc/ecamp3 that referenced this issue Oct 2, 2021
@BacLuc
api: handle incomplete JWT Tokens as if there were none
527deda 
SplitCookieExtractor does not check, if both JWT_HP and JWT_S cookies are present. The following logic fails if not.
lexik/LexikJWTAuthenticationBundle#930

Issue: ecamp#1999
@BacLuc BacLuc mentioned this issue Oct 2, 2021
Merged
BacLuc added a commit to BacLuc/ecamp3 that referenced this issue Oct 2, 2021
@BacLuc
api: handle incomplete JWT Tokens as if there were none
471a1d5 
SplitCookieExtractor does not check, if both JWT_HP and JWT_S cookies are present. The following logic fails if not.
lexik/LexikJWTAuthenticationBundle#930

Issue: ecamp#1999
BacLuc added a commit to BacLuc/ecamp3 that referenced this issue Oct 3, 2021
@BacLuc
api: handle incomplete JWT Tokens as if there were none
f6e4cab 
The provided SplitCookieExtractor does not check, if all needed cookies are set.
Thus we replace it.
lexik/LexikJWTAuthenticationBundle#930

Issue: ecamp#1999
@carlobeltrame carlobeltrame mentioned this issue Oct 4, 2021
Merged
carlobeltrame pushed a commit to BacLuc/ecamp3 that referenced this issue Oct 4, 2021
@BacLuc @carlobeltrame
api: handle incomplete JWT Tokens as if there were none
0180456 
The provided SplitCookieExtractor does not check, if all needed cookies are set.
Thus we replace it.
lexik/LexikJWTAuthenticationBundle#930

Issue: ecamp#1999
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@carlobeltrame