firesphere

There's a difference between protecting the user and creating a possible point of entry for malicious intent 😉

harvs1789uk

Users are a danger to security, but sadly we still have to work with those 😄

nils

Multiple authenticator tokens per user 🙏

firesphere

Looks great, pretty much what I wanted to do myself after I made this PoC implementation and lost (track of) time to fix it all up 🤗

tractorcow

https://github.com/Firesphere/silverstripe-graphql-jwt/pull/24

Show 1 attachment(s)
tractorcow

https://github.com/Firesphere|@Firesphere would love to discuss this with you before merging; See you on slack maybe?

Overview of changes in general order of most significant to least

• Return type of all validate / create mutations has been consolidated and normalised. The standard response is now a MemberToken type with these fields: • Member (the member) • Token (string token) • Valid (bool valid flag) • Status (enum status code of the token) • Code (int HTTP code that matches the status) • Message (string message of humanised status code) • Multiple authenticator tokens per user; Allows multiple devices to have their own tokens. • Anonymous authentication is now shifted up into a custom Authenticator class; Support injectable authenticators into createToken mutation. Removed anonymous_allowed • When logging in anonymously, create a real member object to better integrate with silverstripe security logging / auditing practices. • Bump minimum dependency to php 7.1: strict_types are everywhere too. • Updated tests and documentation of course • Support multiple schemas (graphql 3.0 and above). • Relative path supported for JWT tokens • Updated renewal process to support separate token / refresh expiration dates • I gave every file my Love. Green ticks everywhere.

https://github.com/Firesphere|@Firesphere if you merge, I suggest branching master -> 1 first, as this is a new 2.x major change.

Hide attachment content
tractorcow

I've done some work on @firesphere’s JWT module. We had a bunch of changes we'd made internally, but I've finally made the time to open source them. 😛

nightjarnz

I think SS's implementation was created before the PSR became "non-draft" so isn't quite conforming, iirc. But it's the same idea.