Token has been blacklisted
Subject of the issue
I was able to authenticate my user with the JWT and it works fine, but as soon as I use the 'jwt.refresh' middleware, the answer to my next request is always "Token has been blacklisted".
I guess the old token must be invalidated as soon as my request is done, but actually I can't even perform my request.
Your environment
| Q | A |
|---|---|
| Bug? | yes |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 7.0 |
| Package version | 1.0 |
| PHP version | 7.4 |
Steps to reproduce
I'm using Postman to test it. I followed every step of the implementation in the doc and everything was working fine until I tried to refresh the token. I just log in with a function like this:
```php
$credentials = request(['email', 'password']);
if (!$token = auth()->attempt($credentials)) {
    return response()->json(['error' => 'Vos identifiants sont invalides'], 401);
}
return $this->respondWithToken($token);
```
I got the generated token in the answer, which works fine in the next request as long as I don't use the `'jwt.refresh' => 'Tymon\JWTAuth\Middleware\RefreshToken'` middleware on my route.
After my login, I set up the Authorization header for the next call (which uses the middleware) and my token gets blacklisted each time.
Here is my route file:
```php
Route::group(['middleware' => ['jwt.refresh', 'jwt.auth', 'api']], function() {
    Route::resource('users', UsersController::class);
});
```
Edit: After a bit of searching, in Manager.php the method refresh, which is called in the middleware, invalidates the current token, which can maybe be fixed by calling my authenticate middleware before the refresh one.
The same here in my project. It happens sometimes, not always or even usually.
My project makes a JWT refresh request while loading and before making any other requests. That sometimes gives a "Token is blacklisted" message and usually works fine! TTL is set to 1 day and it happens several times in a day. I'm using https://github.com/websanova/vue-auth for my Laravel/Vue project.
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
I'm having this issue as well. I'm thinking of removing the blacklist configuration, but this can result in a lot of security issues.
And the maintainers of the library don't seem to be giving much time to the opened PRs.
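
The following is an added example, not code from any poster or from tymon/jwt-auth: a simplified model of the sequence described in the first post's Edit (refresh invalidates the presented token) and of the token reuse described in the second comment. `TokenStore`, `handle` and the `token-N` strings are hypothetical names and constructed values; real tokens, expiry and storage are left out.

```php
<?php
// Simplified model (not library code): tokens are plain strings, the
// blacklist is an array, and a route's middleware is a list of step names.
final class TokenStore
{
    private array $blacklist = [];
    private int $counter = 0;

    public function issue(): string
    {
        return 'token-' . (++$this->counter); // constructed sample token
    }

    // Refresh as described in the post: the presented token is
    // invalidated (blacklisted) and a new one is issued.
    public function refresh(string $old): string
    {
        $this->check($old);
        $this->blacklist[$old] = true;
        return $this->issue();
    }

    public function check(string $token): void
    {
        if (isset($this->blacklist[$token])) {
            throw new RuntimeException('Token has been blacklisted');
        }
    }
}

// Runs the steps in order against the token the client sent.
function handle(TokenStore $store, string $sent, array $order): string
{
    $next = null;
    try {
        foreach ($order as $step) {
            if ($step === 'refresh') { $next = $store->refresh($sent); }
            else { $store->check($sent); } // 'auth'
        }
    } catch (RuntimeException $e) {
        return '401 ' . $e->getMessage();
    }
    return '200 next token: ' . ($next ?? 'none');
}

$store = new TokenStore();
echo handle($store, $store->issue(), ['refresh', 'auth']), PHP_EOL; // route order from the post
$old = $store->issue();
echo handle($store, $old, ['auth', 'refresh']), PHP_EOL; // order suggested in the Edit
echo handle($store, $old, ['auth', 'refresh']), PHP_EOL; // same token sent again after a refresh
```

In this model the first and third calls are rejected with the blacklist message while the second succeeds, so the blacklist keeps doing its job (a refreshed-away token cannot be replayed) and only the ordering, or the client's reuse of the old token, triggers the error.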