
Feature for Mercure dedicated cookie?

Open JeremyPasco opened this issue 4 years ago • 2 comments

Hi, I am using the split cookie approach with success on API Platform and now I'd like to add Mercure to my project. For private notifications, Mercure requires a JWS cookie named mercureAuthorization which contains the topics the user is allowed to subscribe to. This cookie has to be Secure, HttpOnly and Same-site. Without the split cookie approach I could just add the topics into the authentication cookie and Voilà. But I'd like to keep the split cookies approach and generate a third one dedicated to Mercure. Is it doable through simple configuration of this bundle? If not, would a PR be within the scope of this bundle?

Without split cookie:

  • only 1 cookie for all
  • Secure, HttpOnly and Same-site
  • contains JWT for symfony auth + Mercure topics

With split cookies:

  • 1 cookie with header+payload for Symfony auth : Same-site
  • 1 cookie with signature for Symfony auth : Same-site + Http-only
  • 1 cookie for Mercure (header+custom payload+signature): Same-site + Http-only

JeremyPasco avatar Feb 04 '22 16:02 JeremyPasco

I just found that the split cookies configuration allows the creation of a third one with the whole cookie (header+payload+signature). So the following is an overkill solution but works:

  1. Put the Mercure payload in the authentication cookie (topics the user can subscribe to)
  2. Set the config accordingly:

```yaml
lexik_jwt_authentication:
    token_extractors:
        split_cookie:
            enabled: true
            cookies:
                - jwt_hp
                - jwt_s
    set_cookies:
        jwt_hp:
            lifetime: 1800
            samesite: strict
            path: /
            domain: null
            httpOnly: false
            split:
                - header
                - payload

        jwt_s:
            lifetime: 0
            samesite: strict
            path: /
            domain: null
            httpOnly: true
            split:
                - signature

        mercureAuthorization:
            lifetime: 1800
            samesite: strict
            path: /
            domain: null
            httpOnly: true
            split:
                - header
                - payload
                - signature
```

  3. Share the public key generated by Lexik with Mercure and set the algorithm accordingly

Main drawback: both JWTs become heavier. It's ok for the Mercure connection (the client only sends it when subscribing and keeps the connection open), but the JWT used for auth is sent at each request (and it doesn't need the potentially huge Mercure payload).

JeremyPasco avatar Feb 05 '22 12:02 JeremyPasco
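As an added example (not code from the issue or from the bundle itself), one way to do step 1 above is a listener on the bundle's `lexik_jwt_authentication.on_jwt_created` event that adds the Mercure `mercure.subscribe` claim to the payload before signing; the `App\EventListener` namespace and the `/users/{id}` topic selector are assumptions for this example.

```php
<?php
// Added example, not part of the issue or of LexikJWTAuthenticationBundle.
// Adds the Mercure "mercure.subscribe" claim to the JWT the bundle creates,
// so the mercureAuthorization cookie (header+payload+signature) carries
// exactly the topics this user may subscribe to. The topic selector
// format and the namespace are assumptions for this example.
namespace App\EventListener;

use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;

#[AsEventListener(event: 'lexik_jwt_authentication.on_jwt_created')]
final class AddMercureClaimListener
{
    public function __invoke(JWTCreatedEvent $event): void
    {
        $user = $event->getUser();
        $data = $event->getData();

        // List only what this user may subscribe to. A wildcard '*' here
        // would let the cookie read every private update on the hub.
        $data['mercure'] = [
            'subscribe' => [
                sprintf('/users/%s', $user->getUserIdentifier()),
            ],
        ];

        // The bundle signs $data with its private key; Mercure verifies the
        // resulting cookie with the matching public key (step 3).
        $event->setData($data);
    }
}
```

Because the same payload also ends up in the `jwt_hp` cookie, keep the topic list short to limit the per-request overhead the post describes.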

Thanks for the issue and feedback. Please keep this open, I need to have a look asap :)

chalasr avatar Mar 09 '22 16:03 chalasr