Make expiration time configurable

Created on 11 August 2016, almost 8 years ago
Updated 25 May 2024, about 1 month ago

Not sure it's running the tests against the right branch

✨ Feature request
Status

Needs review

Version

3.0

Component

Code

Created by

🇮🇹 Italy vincenzodb

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇪🇸 Spain MsArk

    It works on:

    Drupal: 9.5.2
    PHP: 8.1.11

  • 🇨🇦 Canada Nathan Tsai

    I think this patch caused this error when using the 2.0.x release and Drupal Next.js (with all of their dependencies, see below).

    [22-Jun-2023 16:47:54 UTC] TypeError: Drupal\jwt\Transcoder\JwtTranscoder::__construct(): Argument #2 ($key) must be of type ?Drupal\key\KeyInterface, Drupal\Core\Config\ConfigFactory given, called in /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php on line 259 in /home/{USER}/public_html/{SUBDIR}/modules/contrib/jwt/src/Transcoder/JwtTranscoder.php on line 98
    #0 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(259): Drupal\jwt\Transcoder\JwtTranscoder->__construct(Object(Firebase\JWT\JWT), Object(Drupal\Core\Config\ConfigFactory), Object(Drupal\key\KeyRepository))
    #1 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(177): Drupal\Component\DependencyInjection\Container->createService(Array, 'jwt.transcoder')
    #2 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(434): Drupal\Component\DependencyInjection\Container->get('jwt.transcoder', 1)
    #3 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(237): Drupal\Component\DependencyInjection\Container->resolveServicesAndParameters(Array)
    #4 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(177): Drupal\Component\DependencyInjection\Container->createService(Array, 'jwt.authenticat...')
    #5 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(434): Drupal\Component\DependencyInjection\Container->get('jwt.authenticat...', 1)
    #6 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(273): Drupal\Component\DependencyInjection\Container->resolveServicesAndParameters(Array)
    #7 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(177): Drupal\Component\DependencyInjection\Container->createService(Array, 'authentication_...')
    #8 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(434): Drupal\Component\DependencyInjection\Container->get('authentication_...', 1)
    #9 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(237): Drupal\Component\DependencyInjection\Container->resolveServicesAndParameters(Array)
    #10 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(177): Drupal\Component\DependencyInjection\Container->createService(Array, 'authentication')
    #11 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(434): Drupal\Component\DependencyInjection\Container->get('authentication', 1)
    #12 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(237): Drupal\Component\DependencyInjection\Container->resolveServicesAndParameters(Array)
    #13 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/DependencyInjection/Container.php(177): Drupal\Component\DependencyInjection\Container->createService(Array, 'authentication_...')
    #14 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Component/EventDispatcher/ContainerAwareEventDispatcher.php(136): Drupal\Component\DependencyInjection\Container->get('authentication_...')
    #15 /home/{USER}/public_html/{SUBDIR}/vendor/symfony/http-kernel/HttpKernel.php(145): Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch(Object(Symfony\Component\HttpKernel\Event\RequestEvent), 'kernel.request')
    #16 /home/{USER}/public_html/{SUBDIR}/vendor/symfony/http-kernel/HttpKernel.php(81): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
    #17 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Core/StackMiddleware/Session.php(58): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #18 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Core/StackMiddleware/KernelPreHandle.php(48): Drupal\Core\StackMiddleware\Session->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #19 /home/{USER}/public_html/{SUBDIR}/core/modules/page_cache/src/StackMiddleware/PageCache.php(191): Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #20 /home/{USER}/public_html/{SUBDIR}/core/modules/page_cache/src/StackMiddleware/PageCache.php(128): Drupal\page_cache\StackMiddleware\PageCache->fetch(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #21 /home/{USER}/public_html/{SUBDIR}/core/modules/page_cache/src/StackMiddleware/PageCache.php(82): Drupal\page_cache\StackMiddleware\PageCache->lookup(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #22 /home/{USER}/public_html/{SUBDIR}/vendor/asm89/stack-cors/src/Asm89/Stack/Cors.php(49): Drupal\page_cache\StackMiddleware\PageCache->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #23 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php(48): Asm89\Stack\Cors->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #24 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Core/StackMiddleware/NegotiationMiddleware.php(51): Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #25 /home/{USER}/public_html/{SUBDIR}/vendor/stack/builder/src/Stack/StackedHttpKernel.php(23): Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #26 /home/{USER}/public_html/{SUBDIR}/core/lib/Drupal/Core/DrupalKernel.php(718): Stack\StackedHttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
    #27 /home/{USER}/public_html/{SUBDIR}/index.php(19): Drupal\Core\DrupalKernel->handle(Object(Symfony\Component\HttpFoundation\Request))
    #28 {main}
    

    Google Food: (NextJS's dependencies)

      - galbar/jsonpath (1.3.1)
      - drupal/subrequests (3.0.7)
      - lcobucci/jwt (3.2.5)
      - defuse/php-encryption (v2.4.0)
      - drupal/consumers (1.17.0)
      - drupal/decoupled_router (2.0.4)
      - drupal/next (1.6.3)
    
  • 🇮🇳 India dixit.yiion Mehsana, Gujarat, India

    You just need to add the below code in your module file and it will extend the expiration time:

    function your_module_name_jwt_auth_tokens_alter(array &$tokens, RouteMatchInterface $route_match, ContainerInterface $container) {
      // Update the expiration time for the 'jwt' token.
      if (isset($tokens['jwt'])) {
        $tokens['jwt']->setExpiration(24 * 360000000000); // Set the expiration time to one hour from now.
      }
    }

  • 🇺🇸 United States grasmash

    I would find the feature very valuable.

    For my use case, in which the user uses basic authentication to retrieve a JSON web token, invalidating the web token when the user changes their password would make a lot of sense.

  • Status changed to RTBC 7 months ago
  • 🇺🇸 United States grasmash

    Works well for me. Any reason not to commit?

  • Status changed to Needs review 5 months ago
  • 🇺🇸 United States pwolanin

    Yes, I don't see why you'd get that kind of error based on the patch.

    I want to take one more look. Also, needs to target the 2.x branch.

  • Core: 10.2.x + Environment: PHP 8.1 & MySQL 5.7
    last update 5 months ago
    run-tests.sh fatal error
  • Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7
    last update 5 months ago
    13 pass
  • Core: 10.2.x + Environment: PHP 8.1 & MySQL 8
    last update 5 months ago
    run-tests.sh fatal error
  • 🇺🇸 United States pwolanin
  • 🇺🇸 United States glynster

    Seems like we can close this now as this is part of the latest release.

  • 🇺🇸 United States glynster

    Ah no it needs a reroll!

  • Merge request !12 "Rerolled for expiry configuration" (Closed) created by glynster
  • Pipeline finished with Failed
    3 months ago
    Total: 162s
    #122833
  • 🇺🇸 United States glynster

    MR works for us; here it is as a patch if needed:
    https://git.drupalcode.org/project/jwt/-/merge_requests/12.patch

  • First commit to issue fork.
  • Merge request !15 Resolve #2782571 "Make expiration time" (Open) created by alexpott
  • 🇬🇧 United Kingdom alexpott 🇪🇺

    Renamed the branch because having the work take place in a branch called 2.x is confusing. Will hide old branch.

    Also fixed the test and ensured that exp comes after iat - both now use the current time.

  • 🇬🇧 United Kingdom alexpott 🇪🇺

    alexpott changed the visibility of the branch 2.x to hidden.

  • 🇬🇧 United Kingdom alexpott 🇪🇺

    Hiding the old files from the issue summary so we can all concentrate on the MR.

  • Pipeline finished with Failed
    3 months ago
    Total: 166s
    #134666
  • Pipeline finished with Success
    3 months ago
    Total: 157s
    #134674
  • Pipeline finished with Success
    3 months ago
    Total: 160s
    #134744
  • Pipeline finished with Failed
    3 months ago
    Total: 191s
    #136855
  • 🇺🇸 United States pwolanin
  • 🇺🇸 United States pwolanin

    Not sure why it shows some commits against MR 12 as well as 15.

    Moved to target 3.x

  • 🇺🇸 United States glynster

    @pwolanin @alexpott did I break something?

  • 🇬🇧 United Kingdom alexpott 🇪🇺

    @glynster let's not use the https://git.drupalcode.org/issue/jwt-2782571/-/tree/2.x branch and MR https://git.drupalcode.org/project/jwt/-/merge_requests/12 because calling the new feature branch 2.x is very confusing and hard to work with. Can you close https://git.drupalcode.org/project/jwt/-/merge_requests/12 - I don't have permissions to do that.

    Let's work on https://git.drupalcode.org/project/jwt/-/merge_requests/15.

  • 🇬🇧 United Kingdom alexpott 🇪🇺

    @glynster also if you do end up making some changes to MR 15 - I don't think we should support expiration - 0 i.e. tokens that do not expire - it's just not secure. Also I think the max should be higher than 3600 - but not sure what we should allow via the form. What do you think @pwolanin?

  • Pipeline finished with Success
    3 months ago
    Total: 235s
    #137156
  • 🇺🇸 United States glynster

    I have gone ahead and closed the org MR. Happy to help as needed but also do not want to get in the way. Obviously the objective is to be able to set an expiry length!

  • 🇺🇸 United States pwolanin

    In the users_jwt module I disallow an expiry more than 24 hours in the future, so I think that would be a reasonable max here also (at least for the form).
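
The constraints raised in the comments above (no non-expiring tokens, `exp` derived from the same clock reading as `iat`, and a 24-hour ceiling) sketched as an added PHP example. This is not code from the jwt module or from MR 15; every function and constant name is hypothetical, and the timestamps are constructed sample values.

```php
<?php
// Added illustration; not code from the jwt module or merge request !15.
// MAX_LIFETIME and all function names below are hypothetical.

const MAX_LIFETIME = 86400; // 24-hour ceiling suggested in the thread.

/** Reject non-expiring (0), negative and over-long configured lifetimes. */
function validate_lifetime(int $seconds): int {
  if ($seconds < 1 || $seconds > MAX_LIFETIME) {
    throw new InvalidArgumentException(
      "Lifetime must be 1.." . MAX_LIFETIME . " seconds, got $seconds");
  }
  return $seconds;
}

/** Build iat and exp from one clock reading so exp can never precede iat. */
function build_time_claims(int $lifetime, ?int $now = NULL): array {
  $now = $now ?? time();
  return ['iat' => $now, 'exp' => $now + validate_lifetime($lifetime)];
}

/** Verifier side: apply the same policy to the claims of a decoded token. */
function time_claims_acceptable(array $claims, ?int $now = NULL): bool {
  $now = $now ?? time();
  $iat = $claims['iat'] ?? NULL;
  $exp = $claims['exp'] ?? NULL;
  if (!is_int($iat) || !is_int($exp)) {
    return FALSE; // A token without exp would never expire.
  }
  $lifetime = $exp - $iat;
  return $lifetime >= 1 && $lifetime <= MAX_LIFETIME
    && $iat <= $now && $now < $exp;
}

// Constructed sample values.
$now = 1700000000;
$claims = build_time_claims(3600, $now);
var_dump(time_claims_acceptable($claims, $now + 10));            // inside the lifetime
var_dump(time_claims_acceptable($claims, $now + 3600));          // at the expiry instant
var_dump(time_claims_acceptable(['iat' => $now], $now));         // exp missing
var_dump(time_claims_acceptable(
  ['iat' => $now, 'exp' => $now + 172800], $now));               // lifetime over 24 hours
foreach ([0, 90000] as $bad) {                                   // settings a form should refuse
  try { validate_lifetime($bad); }
  catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
}
```

Checking the lifetime again at verification time means a token minted under an older, looser setting is still refused once the ceiling is lowered.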

  • 🇺🇸 United States glynster

    Is there anything else you need from me for this?

  • 🇯🇴 Jordan Yasser Samman Amman, Jordan

    Yasser Samman made their first commit to this issue's fork.

  • Pipeline finished with Failed
    about 1 month ago
    Total: 160s
    #181937
  • 🇯🇴 Jordan Yasser Samman Amman, Jordan

    I think this is an important feature to have. Is there anything remaining for this to be merged?
