Invalidation and Blacklisting of JWT Tokens in PHP Open-Source Saver with jwt-auth

Is it advisable to utilize the signature segment of a JWT token for barring invalidated tokens? Hopefully, this information benefits someone. I am currently engaged in implementing JWT Token authentication in Symfony.


Question:

On an Apache2 server, I established a Laravel 8.* project in a PHP 8.0 environment. Afterward, I integrated the latest PHP-Open-Source-Saver / jwt-auth repository and incorporated Middleware for validating the jwt tokens. Additionally, I added a JwtController that generates a jwt token upon login and refreshes it as needed.

Api requests are authenticated with:

$user = JWTAuth::parseToken()->authenticate();

All aspects mentioned in the package were functioning properly, except for the invalidation and blacklisting of JWT Tokens.

The keys for blacklisting in my jwt configuration are defined in the environment.

JWT_BLACKLIST_ENABLED=true
JWT_BLACKLIST_GRACE_PERIOD=0

I attempted all of the methods listed below, giving each a try at least twice, following the provided instructions.

use Illuminate\Http\Request;
use Illuminate\Http\Response;
use PHPOpenSourceSaver\JWTAuth\Facades\JWTAuth;
use PHPOpenSourceSaver\JWTAuth\Exceptions\JWTException;

public function jwt_logout(Request $request)
{
    // Get the bearer token from the Authorization header (null when absent)
    $token = $request->bearerToken();
    if (! isset($token)) {
        return response()->json([
            'success' => false,
            'message' => 'Token is not set, please retry action or login.'
        ]);
    }
    // Invalidate and blacklist methods tried; all but the active one are left commented out
    try {
        //JWTAuth::invalidate(JWTAuth::getToken());
        //JWTAuth::invalidate($request->bearerToken());
        //auth("api")->invalidate(true);
        //JWTAuth::invalidate($request->token);
        //JWTAuth::parseToken()->invalidate();
        //\Illuminate\Support\Facades\Auth::setToken($token)->invalidate(true);

        // Blacklist the token permanently (true = forceForever, ignoring the grace period)
        JWTAuth::setToken($token)->invalidate(true);
        //auth("api")->logout(true);
        //JWTAuth::invalidate(true);
        //JWTAuth::manager()->invalidate(new \PHPOpenSourceSaver\JWTAuth\Token($token), $forceForever = true);
        return response()->json([
            'success' => true,
            'message' => 'User has been logged out'
        ]);
    } catch (JWTException $exception) {
        // Any failure in parsing or blacklisting the token ends up here
        return response()->json([
            'success' => false,
            'message' => 'Sorry, user cannot be logged out'
        ], Response::HTTP_INTERNAL_SERVER_ERROR);
    }
}

Despite blacklisting a jwt token using the aforementioned method, any attempts to use it for authentication are successful without triggering a JWTBlacklistedException or any errors. The only scenario where authentication fails is when an expired jwt token is encountered.

Could anyone provide guidance on the process of both encoding and decoding a JWT token, specifically regarding invalidate and blacklist?


Solution:

After conducting some research, I have discovered that the package has been configured to conceal any blacklist exceptions by default.

By setting JWT_SHOW_BLACKLIST_EXCEPTION=1 in my .env file, I was able to resolve the issue. Neglecting to review the package forum issues was my mistake.
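As an added illustration (not code from the question, the answer, or the jwt-auth package), here is a self-contained PHP sketch of the mechanism the question asks about: a token is issued with a jti claim, logout records that jti in a blacklist until the token's exp, and every subsequent decode consults that list. The class and function names are my own; the grace-period handling mirrors what JWT_BLACKLIST_GRACE_PERIOD controls.

```php
<?php
// Added illustration (not from the question or from jwt-auth): a minimal HS256 JWT
// encode/decode with a jti-keyed blacklist, modelled on how jwt-auth invalidates tokens.
declare(strict_types=1);

function b64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64urlDecode(string $s): string { return base64_decode(strtr($s, '-_', '+/')); }

function encodeJwt(array $claims, string $secret): string {
    $head = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url(json_encode($claims));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", $secret, true));
}

// Blacklist keyed by jti. Each entry is kept only until the token's exp, so storage stays
// bounded; $gracePeriod mirrors JWT_BLACKLIST_GRACE_PERIOD (seconds of continued acceptance).
final class TokenBlacklist {
    private array $entries = [];   // jti => ['valid_until' => int, 'exp' => int]
    public function __construct(private int $gracePeriod = 0) {}
    public function add(array $payload): void {
        $this->entries[$payload['jti']] = ['valid_until' => time() + $this->gracePeriod, 'exp' => $payload['exp']];
    }
    public function has(array $payload): bool {
        $e = $this->entries[$payload['jti'] ?? ''] ?? null;
        if ($e === null || $e['exp'] < time()) { return false; }   // unknown, or already expired anyway
        return $e['valid_until'] <= time();                        // inside the grace period => not yet blocked
    }
}

// Verify signature and expiry, then consult the blacklist when one is supplied.
function decodeJwt(string $jwt, string $secret, ?TokenBlacklist $bl = null): array {
    [$head, $body, $sig] = explode('.', $jwt) + [null, null, null];
    if ($sig === null) { throw new RuntimeException('Malformed token'); }
    $expected = b64url(hash_hmac('sha256', "$head.$body", $secret, true));
    if (!hash_equals($expected, $sig)) { throw new RuntimeException('Signature invalid'); }
    $payload = json_decode(b64urlDecode($body), true) ?: [];
    if (($payload['exp'] ?? 0) < time()) { throw new RuntimeException('Token has expired'); }
    if ($bl !== null && $bl->has($payload)) { throw new RuntimeException('The token has been blacklisted'); }
    return $payload;
}

// Demo: issue a token, use it, invalidate it on logout, then watch the next decode fail.
$secret = 'constructed-demo-secret';
$bl = new TokenBlacklist(0);   // JWT_BLACKLIST_GRACE_PERIOD=0, as in the question
$jwt = encodeJwt(['sub' => 1, 'jti' => bin2hex(random_bytes(8)), 'iat' => time(), 'exp' => time() + 3600], $secret);
decodeJwt($jwt, $secret, $bl);   // first use: accepted
$bl->add(decodeJwt($jwt, $secret));   // logout: verify the token, then record its jti (no blacklist check here)
try { decodeJwt($jwt, $secret, $bl); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

The point the answer makes applies here too: the rejection only helps if the exception reaches the caller, so a guard that silently returns false on a blacklisted token looks exactly like the symptom in the question.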
