Events to validate JWT never called!

Created on 14 November 2023, about 1 year ago
Updated 10 April 2024, 8 months ago

Problem/Motivation

It seems like there is a big problem.

I create a JWT following all the instructions and so far so good, but once I call node/{id}?_format=json with the jwt_auth option activated, no matter what I pass to the Bearer or JWT Bearer, it's never checked!

This happens on a fresh install with D 10.1.6 and JWT 2.0.1 (happens also on a D 9).

Unless there is something I'm missing, something is wrong. I debug using Xdebug but never get into the JwtAuthConsumerSubscriber.
Weirdly, the JwtAuthEvents does not extend JwtAuthBaseEvent or Event.

Steps to reproduce

1. Enable Rest / JWT / JWT Issuer / JWT Consumer
2. Create secret key
3. Enable /node/{node}: GET Rest Resource
4. Log in
5. Get JWT via /jwt/token
6. Via POSTMAN: GET /node/1?_format=json with HEADER 'Authorization: Bearer foo'
7. Get access to the API response despite the wrong token.

💬 Support request

Status: Fixed
Version: 2.0
Component: Code
Created by: 🇫🇷 France pbonnefoi

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
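
A regression check for the reproduction steps above, as an added example that is not part of the original issue or of the JWT module: it sends the `Authorization: Bearer foo` header from the steps, plus one constructed malformed token, and lists every case the endpoint answered with a 2xx status. The names `probe`, `accepted` and `stub_server` and the local stub endpoint are assumptions for illustration; pass `probe` the URL of your own site's REST resource to check a real install.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Invalid credentials: the first is from the issue, the second is constructed.
BAD_HEADERS = {
    "garbage bearer": "Bearer foo",
    "malformed three-part token": "Bearer a.b.c",
}

# Ignore proxy environment variables so local test URLs are reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(url):
    """Return {case: HTTP status} for each invalid Authorization header."""
    results = {}
    for case, value in BAD_HEADERS.items():
        req = urllib.request.Request(url, headers={"Authorization": value})
        try:
            with OPENER.open(req, timeout=5) as resp:
                results[case] = resp.status
        except urllib.error.HTTPError as err:
            results[case] = err.code
    return results

def accepted(results):
    """Cases where the endpoint answered 2xx despite an invalid token."""
    return sorted(c for c, s in results.items() if 200 <= s < 300)

def stub_server(enforce):
    """Constructed local stand-in for the REST endpoint (not Drupal code)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(403 if enforce else 200)
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the demo output quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/node/1?_format=json"

if __name__ == "__main__":
    for enforce in (False, True):
        server, url = stub_server(enforce)
        print("enforcing" if enforce else "open", accepted(probe(url)))
        server.shutdown()
```

A non-empty list from `accepted` reproduces the behaviour reported in this issue; an empty list means every invalid token was rejected.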
