Mika Tuupola

A HTTP connection does not become secure by setting `X-Forwarded-Proto` header. It is still an unencrypted connection. If you are using proxy or load balancer you can set the `secure`...

I think if you leave out the [exp](https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#rfc.section.4.1.4) claim token will never expire.

This is not currently possible. It is however a good idea and I should implement it in the near future.

This bug report is about custom error messages. Container you can already pass with something like: ```php $app->add(new \Slim\Middleware\HttpBasicAuthentication([ "path" => "/admin", "realm" => "Protected", "authenticator" => new CustomAuthenticator($container) ]));...

It is still in TODO list but plan is to implement this feature since it is quite useful.

Since Cloudflare is anyway accessing the API insecurely over http you could also just set. ``` $app->add(new Tuupola\Middleware\HttpBasicAuthentication([ "secure" => false ])); ``` There is practically no difference between this...

Since JWT token is basically a password and should be treated as such, it is not the best idea to pass it in query string. This middleware currently supports only...

@mateuslopes I just tested and with the following middleware you can pass token in the query string. It looks for GET parameter named `token`. If it exists it adds an...

AFAIK header which looks like below is invalid syntax. ``` Authorization: Basic , Bearer ```

You could regenerate the token with every request and send it back to the client with response headers.