liplum/flarum-jwt-auth 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

liplum/flarum-jwt-auth

Composer 安装命令:

composer require liplum/flarum-jwt-auth

包简介

Authentication based on JSON Web Token (JWT) token through HTTP request cookie.

README 文档

README

A Flarum extension to authenticate based on JSON Web Token (JWT) token through HTTP request cookie.

Get Started

Installation:

composer require liplum/flarum-jwt-auth

Update:

composer update liplum/flarum-jwt-auth

Forum Setup

Setup the JWT authentication by following the steps below in the extension settings page. You can find the corresponding backend implementation example in the next chapter.

1. Set the cookie name

Set the name of cookie from the user browser requests. For example, "access_token".

2. Set the JWT audience

It's optional.

The extension will check if the aud field in JWT payload is identical to the JWT audience provided by admin settings. If not, the JWT will be considered as invalid.

3. Set the JWT secret

The secret to sign(encode) and verify(decode) a JWT token.

The JWT payload should be something like this.

{
  "sub": "your_user_id"
}

For security issue, you should set the JWT secret in the config.php instead of barely display on extension settings page for anyone who has the extension management permission.

<?php return array (
  'debug' => false,
  // other configurations...
  "liplum-jwt-auth" => array(
    "jwtSecret" => "access_token_secret"
  ),
);

4. Set the JWT Signing Algorithm

It's optional.

It's "HS256" by default, by following the default option from the jsonwebtoken package.

5. Set the registration hook URL

The hook which will be called for new Flarum users.

The payload of the hook request is in JSON:API which Flarum uses, and the authentication can be checked via the Authorization header.

Here is something like the Flarum backend would request the hook:

fetch(registrationHookUrl, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer your_access_token'
  },
  body: JSON.stringify({
    "data": {
      "type": "users",
      "attributes": {
        "sub": "your_user_id"
      }
    }
  })
})

And the backend should handle the registration request and respond a the user attributes in JSON:API:

These attributes will be passed internally to POST Flarum "/api/users", so any attribute added by other extensions can also be provided.

{
  "data": {
    "type": "users",
    "attributes": {
      "username": "example",
      "email": "example@example.com"
    }
  }
}

By default, all accounts will be automatically enabled. You can change this behavior by returning "isEmailConfirmed": false attributes in the registration hook.

6. Set the Authorization Header

It's optional.

If the field is left empty, the Authorization header will be "Token {jwt}".

Otherwise, the field will be directly sent as Authorization header without any modification.

Here is something like the evaluation process:

const jwt = cookie.get("CookieName")
if (settings.of("AuthorizationHeader").isNotEmpty) {
  return settings.of("AuthorizationHeader")
} else {
  return `Token ${jwt}` // string interpolation
}

For security issue, you should set the Authorization header in the config.php instead of barely display on extension settings page for anyone who has the extension management permission.

<?php return array (
  'debug' => false,
  // other configurations...
  "liplum-jwt-auth" => array(
    "authorizationHeader" => "Bearer your_access_token"
  ),
);

Backend Setup

Taking the express.js backend server as an example, you can set up the following routes.

// Run "npm install express jsonwebtoken" to install essential packages
import express from "express"
import jwt from "jsonwebtoken"

const app = express()
app.use(express.json())

const cookieName = process.env.COOKIE_NAME ?? "access_token"
const jwtSecret = process.env.JWT_SECRET ?? "access_token_secret"

app.post("/set-cookie", (req, res) => {
  const token = jwt.sign({
    // Edit this: it should be the user ID generally.
    sub: "jwt_subject",
  }, jwtSecret)
  return res.status(200).cookie(cookieName, token).end()
})

// Remove the interface declaration and "satisfies" expression bellow,
// if the plain javascript is used instead of typescript.
interface VerifyResult {
  data: {
    type: "users",
    attributes: {
      username: string
      email: string
      /**
       * Control whether the email of user is considered as verified.
       * "true" by default 
       */
      isEmailConfirmed?: boolean
    }
  }
}

app.post("/register", (req, res) => {
  const authHeader = req.headers["authorization"]
  // for custom Authorization header or `Token ${jwt}`
  if (!authHeader
    || authHeader !== "Bearer your_access_token"
    && !authHeader.startsWith("Token ")
  ) {
    return res.status(401).end()
  }
  const sub = req.body.attributes.sub
  // Complete this: check the sub (generally the user ID) in the database.
  return res.status(200).json({
    data: {
      type: "users",
      attributes: {
        // Edit this: Keep it following flarum's username rule.
        username: `name_of_${sub}`,
        // Edit this: Keep it following flarum's email rule.
        email: `email_of_${sub}@example.com`,
      }
    }
  } satisfies VerifyResult).end()
})

const port = 80
app.listen(port, () => {
  console.log(`Your backend is running on http://localhost:${port}`)
})

Hidden Iframe

The hidden iframe offers a way to refresh the cookie in the background and optionally to provide auto login.

If the hidden iframe setting is set, the given URL will be loaded in a 0x0 iframe placed outside the browser viewport.

The iframe can use window.postMessage to inform Flarum of a change in the session state. The message can be sent at any time and any number of times. You can use a loop repeatedly sending the current state if necessary.

Flarum will check for a change in the reported state and prompt the user to refresh the page if it changes.

If {jwtSessionState: 'login'} is sent while Flarum is logged out, Flarum will say the user has been automatically logged in and may refresh the page.

If {jwtSessionState: 'logout'} is sent while Flarum is logged in, Flarum will say the session has expired and the user may refresh the page.

If the time elapsed between Flarum boot and the postMessage is smaller than the configured "Auto Login Delay", the page will refresh without user interaction.

Switching user without going through logout state is current not supported.

Code example for the iframe:

window.parent.postMessage({
  jwtSessionState: 'login',
}, 'https://forum.example.com');

The last parameter should be set to the Flarum origin. '*' can also be used but isn't recommended.

Additional Reading

An admin user is used internally to call the REST API that creates new Flarum users. By default, user with ID 1 will be used but this can be customized in the admin settings. The value must be the Flarum ID (MySQL auto-increment) and not the JWT subject ID.

Users can be edited via their JWT subject ID by using the PATCH /api/jwt/users/<sub> endpoint. It works exactly the same way as PATCH /api/users/<id> but takes the JWT subject ID instead of Flarum ID.

Under the hood

Users are matched through the jwt_subject column in the database that is matched to the token's sub value.

The original Flarum session object (Symfony session) and cookie are not used for stateless authentication, however the cookie session is kept because Flarum and some extensions cannot work without it.

This session object is not invalidated during "login" and "logout" of the stateless JWT authentication, so there could be issues with extensions that rely on that object for other purposes than validation messages.

Acknowledgement

Thanks to https://github.com/clarkwinkelmann/flarum-ext-jwt-cookie-login with MIT License Copyright (c) 2022 Clark Winkelmann.

liplum/flarum-jwt-auth 适用场景与选型建议

liplum/flarum-jwt-auth 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 164 次下载、GitHub Stars 达 2, 最近一次更新时间为 2024 年 12 月 04 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「jwt」 「flarum」 「flarum-extension」 「flarum-ext」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 liplum/flarum-jwt-auth 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 liplum/flarum-jwt-auth 我们能提供哪些服务?
定制开发 / 二次开发

基于 liplum/flarum-jwt-auth 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 164
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 2
  • 点击次数: 13
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 2
  • Watchers: 1
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2024-12-04