Request payload with key overrides token in cookies #227

@jmiller42ce

Description

Subject of the issue

Some of the JSON models that we POST to our API contain a property called token. Since this library initializes the parser chain order as AuthHeaders, QueryString, InputSource, RouteParams, Cookies in AbstractServiceProvider and LaravelServiceProvider, the token property in the JSON is being used as a JWT token instead of the value in the cookie.

Your environment:

Q                 | A
------------------|--------
Bug?              | yes
New Feature?      | no
Framework         | Laravel
Framework version | 8.83.27
Package version   | 2.0
PHP version       | 8.2

Steps to reproduce

  1. Do not provide an Authorization header; instead rely on the token contents in cookies (and therefore the cookie token parser).
  2. POST a request with a payload containing a form-data attribute named token.
  [Screenshot of the request (2023-11-15) attached to the original issue; not reproduced here]

Expected behaviour

Cookie tokens should be parsed before InputSource, or an option to do this should be provided. Some other packages (such as Laravel Nova where this request originated) cannot add headers to API requests and apparently must rely on cookies for authentication with JWT, so this is preventing the use of this package for Nova resources which have a column named token.

Actual behaviour

The incorrect token is being used and therefore the request is unauthorized.

Note you can use a workaround here by overriding Laravel's AuthServiceProvider boot method and including this:

        // Prepend a Cookies parser so the cookie is consulted before the request body.
        // The original chain (which already ends in Cookies) is kept after it.
        // The class name is fully qualified with a leading backslash so it resolves
        // correctly from inside the App\Providers namespace.
        $parser = $this->app['tymon.jwt.parser'];

        $parser->setChain([
            new \PHPOpenSourceSaver\JWTAuth\Http\Parser\Cookies($this->app->make('config')->get('jwt.decrypt_cookies')),
            ...$parser->getChain(),
        ]);
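The behaviour described in this issue, reduced to a stand-alone model so it can be run without Laravel. This is an added example, not code from php-open-source-saver/jwt-auth or from the issue author: the Request class, the four parser classes and the parseToken() function below are minimal stand-ins (their shapes are assumptions) for the package's Parser chain, and RouteParams is left out of the model. What it shows is the first-match-wins rule: with the default order a body field named token is returned before the cookie is ever consulted, and prepending Cookies, as the workaround above does, makes the cookie win.

```php
<?php
// Added example: a model of the JWT parser chain, not the package's own code.

interface TokenParser
{
    public function parse(Request $request): ?string;
}

// Stand-in for Illuminate\Http\Request: only the four sources the chain reads.
final class Request
{
    public function __construct(
        public array $headers = [],
        public array $query = [],
        public array $input = [],   // decoded JSON / form body
        public array $cookies = [],
    ) {}
}

final class AuthHeaders implements TokenParser
{
    public function parse(Request $r): ?string
    {
        $h = $r->headers['authorization'] ?? null;
        return $h !== null && preg_match('/^bearer\s+(\S+)/i', $h, $m) ? $m[1] : null;
    }
}

final class QueryString implements TokenParser
{
    public function parse(Request $r): ?string { return $r->query['token'] ?? null; }
}

final class InputSource implements TokenParser
{
    public function parse(Request $r): ?string { return $r->input['token'] ?? null; }
}

final class Cookies implements TokenParser
{
    public function parse(Request $r): ?string { return $r->cookies['token'] ?? null; }
}

// Walks the chain in order and returns the first non-null token; every source
// after the first hit is ignored, which is the whole point of the issue.
function parseToken(array $chain, Request $request): ?string
{
    foreach ($chain as $parser) {
        $token = $parser->parse($request);
        if ($token !== null) {
            return $token;
        }
    }
    return null;
}

// Constructed request, as in the issue: no Authorization header, the session
// JWT in a cookie, and a JSON body that happens to carry a field called "token".
$request = new Request(
    input:   ['name' => 'widget', 'token' => 'not-a-jwt-just-a-model-field'],
    cookies: ['token' => 'eyJ.session.jwt'],
);

// Default order registered by the package's service providers
// (AuthHeaders, QueryString, InputSource, RouteParams, Cookies), minus RouteParams.
$defaultChain = [new AuthHeaders(), new QueryString(), new InputSource(), new Cookies()];
// InputSource is reached before Cookies, so the body field is what gets treated as the JWT.
echo "default order:   ", parseToken($defaultChain, $request), PHP_EOL;

// The workaround from the issue: prepend Cookies so it is consulted first.
$reordered = [new Cookies(), ...$defaultChain];
// Cookies is now first, so the session cookie is returned and the body field is ignored.
echo "cookies first:   ", parseToken($reordered, $request), PHP_EOL;
```

Run it with `php chain.php` (PHP 8.0 or later for named arguments and constructor promotion). The practical consequence for anyone relying on cookie-based JWT auth is that whichever source sits earliest in the chain is authoritative: any client-supplied field named token in an earlier source replaces the real credential, so the request fails as unauthorized even though a valid cookie was sent. Note that the workaround leaves the original Cookies instance at the end of the chain as well; that duplicate is harmless because the first Cookies entry already returns before it is reached.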

Metadata

Labels: bug (Something isn't working)
Assignees: none
Milestone: none
Projects: none
Linked branches or pull requests: none