Skip to content

Allow to set a default expiration value on the generated token #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 17 commits into from
Apr 3, 2021
Merged

Allow to set a default expiration value on the generated token #52

merged 17 commits into from
Apr 3, 2021

Conversation

@dunglas
Copy link
Member

@dunglas dunglas commented Apr 2, 2021

Generating JWT without expiration is a bad security practice. This PR adds the ability to set a default lifetime for generated tokens using the new Authorization util.

azjezz
azjezz reviewed Apr 2, 2021
View reviewed changes
mtarld
mtarld approved these changes Apr 2, 2021
View reviewed changes
@dunglas dunglas force-pushed the feat/exp branch 3 times, most recently from e6dfd98 to a83cfa8 Compare April 2, 2021 10:30
@chalasr
Copy link
Member

chalasr commented Apr 2, 2021

👍 For the record, I think this is the only standard claim that should be set with a good default by this library.
I mean, after the recent work done on the authorization part, people will eventually start asking for iss and other claims to be set automatically, then ask for a configurable clock skew, ... endless story.
The answer should remain the same as before to me: decorate the existing token provider/factory on your own, the system is flexible and pluggable enough.

@dunglas dunglas mentioned this pull request Apr 2, 2021
Merged
@dunglas
Copy link
Member Author

dunglas commented Apr 2, 2021

I changed how the exp claim is generated, and added a way to control the cookie expiration time accordingly:

the lifetime of the cookie, the "exp" claim of the JWT will be set accordingly, set to null to use the default value and to 0 to set a session cookie (the default expiration time of the JWT will be 1 hour)

nicolas-grekas
nicolas-grekas reviewed Apr 2, 2021
View reviewed changes
@dunglas dunglas merged commit 49693bf into symfony:main Apr 3, 2021
@dunglas dunglas deleted the feat/exp branch April 3, 2021 09:03
azjezz pushed a commit to azjezz/mercure that referenced this pull request Jun 23, 2021
@dunglas @azjezz
Allow to set a default expiration value on the generated token (symfo…
bebcda0 
…ny#52)

* Allow to set a default expiration value on the generated token

* move the logic to the token factory

* cs

* Set cookie expiration

* more advanced logic

* cs

* fix tests

* fix tests

* fix gha

* try to fix gha

* changelog

* typo

* nico's review

* fix tests

* fix fallback

* simplify: we can modify the cookie expiration time after

* fix
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas left review comments

@chalasr chalasr chalasr approved these changes

+2 more reviewers

@mtarld mtarld mtarld approved these changes

@azjezz azjezz azjezz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dunglas @chalasr @nicolas-grekas @mtarld @azjezz