Manage user session with jwt

Working on this...

Can you include the hashed session ID as part of the JWT payload? That can't be used alone to hijack a session, but I worry it's kind of an internal detail that isn't really exposed as part of the session API

Also - digging into this before, it's seemed hard to bootstrap the session code if there is not an expected cookie.

@pwolanin has some fantastic feedback on JWT security resulting the XOR operation to encrypt the sid in each JWT with a random pad.

This still needs to stay as a 10.2 only project in order to benefit from the lazy service injection into the middleware.

Closed 🐛 Log out of user seems not to work. Closed: duplicate as duplicate of this issue and added it to the related issues. @ro-no-lo create that issue and @pwolanin had some discussion on it.

I tested the patch recently on a local development site I am using as an API backend for front-end development training, and it works as intended when I call the logout request via an Angular app.

I copy and pasted the code from the !13 into my project.

I tested with Postman if I can logout without sending the session cookie all along and it still does not work for me. To be honest I have no idea how I could help, because I only use JWT and was not going to fully understand the encoding of it and sorts. All I see is, that when I try to logout via Postman the Drupal side will fail.

I debuged it to see what will happen. The decoding of the JWT will happen as expected and I see that a uid (payload/drupal/uid) is present. payload/iat and payload/exp are also present. $pad_id = $jwt->getClaim(['drupal', 'pad_id']); returns null and after that everything further down the line will return null or similar. So no session_id is obtained.

Do I need to enable something to make it work?

@ro-no-lo did you enable the new module - jwt_sessions?

Heyyy, in general module works fine, but i have a trouble after logout.
After logout i still can update entities with old jwt token (So i suppose that this token not was destroyed)

I suppose that is an issue similar to ro-no-lo.

Some person he was solved that issue or not yet ?

@quak this situation is tested for by the added tests. Made another jwt module is getting the way. Can you list all the modules with jwt_* installed on your site? Thanks!

T gave the jwt_sessions module another try, but I was wondering why it never worked in my case. I noticed that the EventSubscriber which shall create the "pad_id", never gets called. Thus the auto wiring from the jwt_session.yml seem not to work properly. I tried to rewrite the ...services.yml, but I have no idea what I can do about these bunch of closures in the constructor. Thus I gave up again.

I have trouble understand the logic here. Maybe it's some kind of priority thing, but nothing seem to work as exprected.

My goal is to use JWT for auth (which works, except for the logout) and for downloading protected files. There is a jwt_path_auth module, which I have enabled, but just adding the jwt as query param never results in a success. When I step through the code with a debugger, the JwtSession comes first and will fail to find an Authentication or JWT-Authentication header, because it is just a like (maybe from an E-Mail). After that, the JWTPathAuto will fail to get the Claims (both) and everything after that fails also.

The Session set Claim is correctly executed, when the login happens, but it seem not to matter later in the process.

@ro-no-lo sounds like you have more of a support request - maybe try Slack?

We are using the JWT path auth in production for accessing private files, so I assure you that it can work.