Download the PHP package gesdinet/jwt-refresh-token-bundle without Composer

On this page you can find all versions of the PHP package gesdinet/jwt-refresh-token-bundle. It is possible to download/install these versions without Composer; possible dependencies are resolved automatically.


Information about the package jwt-refresh-token-bundle

JWTRefreshTokenBundle

The purpose of this bundle is to manage refresh tokens for JWT (JSON Web Tokens) in an easy way. This bundle builds on LexikJWTAuthenticationBundle and supports Doctrine ORM/ODM.

Prerequisites

This bundle requires PHP 8.2 or later and Symfony 6.4, or 7.2+.

For support with older Symfony versions, please use the 1.x release.

Protip: Though the bundle doesn't force you to do so, it is highly recommended to use HTTPS.

Installation

Step 1: Download the Bundle

You must also install either the Doctrine ORM or the MongoDB ODM; these packages are not installed automatically with this bundle, and failing to do so may trigger errors on installation.

With Doctrine's ORM

With Doctrine's MongoDB ODM

Alternatively, a custom persistence layer can be used.

For that purpose, you must:

Step 2: Enable the Bundle

Symfony Flex Application

For an application using Symfony Flex the bundle should be automatically registered, but if not you will need to add it to your config/bundles.php file.

Step 3: Configure the Bundle

Symfony Flex Application

For an application using Symfony Flex, a recipe should have been applied to your application. If not, you will need to make the following changes:

  1. Configure the refresh token class. Create the config/packages/gesdinet_jwt_refresh_token.yaml file with the below contents:

  2. Create the object class.

If you are using the Doctrine ORM, the below contents should be placed at src/Entity/RefreshToken.php:

If you are using the Doctrine MongoDB ODM, the below contents should be placed at src/Document/RefreshToken.php (remember to update the refresh_token_class configuration above to match):

Step 4

Define the refresh token route

Open your routing configuration file and add the following route to it:

Configure the authenticator

To enable the authenticator, you should add it to your API firewall(s) alongside the json_login and jwt authenticators.

The complete firewall configuration should look similar to the following:

Step 5: Update your database schema

You will need to add the table for the refresh tokens to your application's database.

With migrations:

Without migrations (NOT RECOMMENDED):

Usage

The below options can be configured through the bundle's configuration in the config/packages/gesdinet_jwt_refresh_token.yaml file (make sure to create it if it does not already exist).

Token TTL

You can define the refresh token TTL; this value is set in seconds and defaults to 1 month. You can change this value by adding this line to your config:

Update Token TTL

You can configure the bundle to refresh the TTL of a refresh token each time it is used; by default this feature is disabled. You can change this value by adding this line to your config:

Refresh Token Parameter Name

You can define the parameter name under which the refresh token is read from the request; the default value is refresh_token. You can change this value by adding this line to your config:

Return Expiration Timestamp

If set to true, the expiration Unix timestamp will be added to the response.

The default parameter name is refresh_token_expiration. You can change it by adding this line to your config and editing the value:

Set The User Provider

You can define the user provider that the authenticator uses in its configuration:

Note: if your application has multiple user providers, you MUST configure this value for either the firewall or the provider.

By default, when a user provider is not specified, then the user provider for the firewall is used instead.

Set The User Checker

You can define a user checker to use for the firewall as part of the firewall configuration:

Single Use Tokens

You can configure the refresh token so it can only be consumed once. If set to true and the refresh token is consumed, a new refresh token will be provided.

To enable this behavior add this line to your config:

Set the refresh token in a cookie

By default, the refresh token is returned in the body of a JSON response. You can use the following configuration to set it in an HttpOnly cookie instead. The refresh token is automatically extracted from the cookie during refresh.

To allow users to log out when using cookies, you need to configure the LogoutEvent to trigger on a specific route, and call that route during logout.
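The options from the Token TTL, Single Use Tokens and cookie sections above, combined into one hardened configuration. This is an added example, not the bundle's own documentation; it uses Symfony's PHP configuration format instead of YAML, and the cookie path, entity class and firewall name are assumptions.

```php
<?php
// config/packages/gesdinet_jwt_refresh_token.php (added example; the same keys
// can be written in the YAML file the bundle's docs use)
declare(strict_types=1);

use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

return static function (ContainerConfigurator $container): void {
    $container->extension('gesdinet_jwt_refresh_token', [
        'refresh_token_class' => 'App\Entity\RefreshToken', // assumed class name
        // 30 days in seconds: the window during which a leaked refresh token stays usable.
        'ttl' => 2592000,
        // Keep the sliding TTL off; otherwise a stolen token stays alive for as long
        // as whoever holds it keeps using it.
        'ttl_update' => false,
        // Rotate on every use: a consumed token that is presented again is rejected,
        // which turns a replay into a visible failure instead of a silent success.
        'single_use' => true,
        'return_expiration' => true,
        'cookie' => [
            'enabled' => true,
            'http_only' => true,  // not readable from JavaScript (XSS cannot read it)
            'secure' => true,     // only sent over HTTPS
            'same_site' => 'strict',
            // Assumed path prefix shared by the refresh and invalidate routes, so the
            // browser never sends the refresh token to any other API route. Do not
            // narrow it to the refresh route alone: the logout route then never
            // receives the cookie and cannot invalidate the token.
            'path' => '/api/token',
            'domain' => null,
            'remove_token_from_body' => true, // do not also echo the token in JSON
        ],
        // Firewall whose LogoutEvent invalidates the token and unsets the cookie.
        'logout_firewall' => 'api',
    ]);
};
```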

Invalidate refresh token on logout

This bundle automatically registers an EventListener which triggers on LogoutEvents from a specific firewall (default: api).

The LogoutEventListener automatically invalidates the given refresh token and, if enabled, unsets the cookie. If no refresh token is supplied, an error is returned and the cookie remains untouched. If the supplied refresh token is (already) invalid, the cookie is unset.

All you have to do is make sure the LogoutEvent triggers on a specific route, and call that route during logout:

If you want to configure the LogoutEvent to trigger on a different firewall, the name of the firewall has to be configured:

Doctrine Manager Type

By default, the bundle will try to set the appropriate Doctrine object manager for your application using the following logic to define the manager type:

You can customize the manager type using the manager_type configuration:

Use another object manager

You can configure the bundle to use any object manager using the object_manager configuration. Note, an explicitly defined object_manager configuration will override any automatic configuration based on the manager_type.

Use another class for refresh tokens

You can define your own refresh token class for your project by creating a class extending from the classes provided by this bundle. This also allows you to customize the refresh token, e.g. to add extra data to it.

When using the Doctrine ORM, create a class extending Gesdinet\JWTRefreshTokenBundle\Entity\RefreshToken in your application:

When using the Doctrine MongoDB ODM, create a class extending Gesdinet\JWTRefreshTokenBundle\Document\RefreshToken in your application:

Then declare this class adding this line to your config.yml file:

NOTE: If using another object manager, it is recommended that your object class extends from Gesdinet\JWTRefreshTokenBundle\Model\AbstractRefreshToken, which implements all required methods from Gesdinet\JWTRefreshTokenBundle\Model\RefreshTokenInterface.

Generating Tokens

When you authenticate through /api/login_check with user/password credentials, LexikJWTAuthenticationBundle now returns a JWT token together with refresh token data.

The refresh token is persisted as a RefreshTokenInterface object. When your JWT expires, you have two options:

(*) Note that when a refresh token is consumed and the config option single_use is set to true, the token will no longer be valid.

This call returns a new valid JWT token and renews the validity datetime of your refresh token.

Useful Commands

Revoke all invalid tokens

If you want to revoke all invalid refresh tokens, where the expiration time has passed, you can run this command:

The command optionally accepts a date argument, which deletes all tokens older than the given time. This can be any value that the DateTime class can parse.

You can also specify the batch size used by the command when clearing tokens with the --batch-size option, which defaults to the default_invalid_batch_size config option when not provided.

We recommend executing this command as a cronjob to remove invalid refresh tokens on an interval.

Revoke a token

If you want to revoke a single token you can use this command:

Events

Token Refreshed

When a token is refreshed, the gesdinet.refresh_token event is dispatched with a Gesdinet\JWTRefreshTokenBundle\Event\RefreshEvent object.

Refresh Token Failure

When there is a failure authenticating the refresh token, the gesdinet.refresh_token_failure event is dispatched with a Gesdinet\JWTRefreshTokenBundle\Event\RefreshAuthenticationFailureEvent object.

Refresh Token Not Found

When authentication fails because the refresh token is not found, the gesdinet.refresh_token_not_found event is dispatched with a Gesdinet\JWTRefreshTokenBundle\Event\RefreshTokenNotFoundEvent object.
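An audit subscriber for the three events above, as an added example that is not part of the bundle. It assumes the event names and getters documented here, a PSR logger (e.g. the security channel) and Symfony's RequestStack; the point is to log who refreshed from where and to make rejected refreshes visible, without ever writing the token value to a log.

```php
<?php
// src/EventSubscriber/RefreshTokenAuditSubscriber.php (added example, not bundle code)
namespace App\EventSubscriber;

use Gesdinet\JWTRefreshTokenBundle\Event\RefreshAuthenticationFailureEvent;
use Gesdinet\JWTRefreshTokenBundle\Event\RefreshEvent;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RequestStack;

final class RefreshTokenAuditSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private readonly LoggerInterface $logger, // e.g. the "security" log channel
        private readonly RequestStack $requestStack,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // Event names as the bundle dispatches them.
        return [
            'gesdinet.refresh_token' => 'onRefresh',
            'gesdinet.refresh_token_failure' => 'onFailure',
        ];
    }

    public function onRefresh(RefreshEvent $event): void
    {
        // Record who refreshed and from where; never log the token value itself.
        $this->logger->info('Refresh token used', [
            'user' => $event->getRefreshToken()->getUsername(),
            'ip' => $this->requestStack->getCurrentRequest()?->getClientIp(),
        ]);
    }

    public function onFailure(RefreshAuthenticationFailureEvent $event): void
    {
        // Expired, revoked or already consumed (single_use) tokens land here; a burst
        // of these from one address is a replay or guessing signal worth alerting on.
        $this->logger->warning('Refresh token rejected', [
            'reason' => $event->getException()->getMessageKey(),
            'ip' => $this->requestStack->getCurrentRequest()?->getClientIp(),
        ]);
    }
}
```

With autoconfiguration enabled the subscriber is registered automatically; feed the warning lines to whatever alerting watches the security channel.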

Token Extractor

The bundle provides a Gesdinet\JWTRefreshTokenBundle\Request\Extractor\ExtractorInterface to define classes which can read the refresh token from the request.

By default, the Gesdinet\JWTRefreshTokenBundle\Request\Extractor\ChainExtractor is used which allows checking multiple aspects of the request for a token. The first token found will be used.

You can create a custom extractor by adding a class to your application implementing the interface. For example, to add an extractor checking for a "X-Refresh-Token" header:

The bundle configures ExtractorInterface services automatically and sets the gesdinet_jwt_refresh_token.request_extractor container tag when your application uses autoconfiguration (autoconfigure: true in your services.yaml file). If autoconfiguration is not in use, you will need to add the tag manually:

Prioritizing Extractors

The gesdinet_jwt_refresh_token.request_extractor container tag supports prioritizing extractors: set the preferred order by adding a priority attribute to the tag. The higher the number, the sooner the extractor runs.
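A header extractor of the kind described in the Token Extractor section, with the container tag and priority from the two paragraphs above applied through a PHP attribute. This is an added example, not the bundle's own code; the class name, the header name "X-Refresh-Token", the priority value and the length bound are assumptions.

```php
<?php
// src/Security/HeaderRefreshTokenExtractor.php (added example, not bundle code)
namespace App\Security;

use Gesdinet\JWTRefreshTokenBundle\Request\Extractor\ExtractorInterface;
use Symfony\Component\DependencyInjection\Attribute\AutoconfigureTag;
use Symfony\Component\HttpFoundation\Request;

// The tag registers this class with the bundle's ChainExtractor. The priority
// (100, assumed to be above the default extractors') makes it run first, so a
// header wins over a body parameter when a request carries both.
#[AutoconfigureTag('gesdinet_jwt_refresh_token.request_extractor', ['priority' => 100])]
final class HeaderRefreshTokenExtractor implements ExtractorInterface
{
    private const HEADER = 'X-Refresh-Token';
    // Upper bound on a plausible token, well above the length of tokens the
    // bundle's default generator produces; anything longer is not a token.
    private const MAX_LENGTH = 512;

    public function getRefreshToken(Request $request, string $parameter): ?string
    {
        // $parameter is the configured token_parameter_name; a header extractor
        // reads a fixed header instead and ignores it.
        $value = $request->headers->get(self::HEADER);
        if (null === $value) {
            return null; // nothing here, let the next extractor in the chain try
        }
        $value = trim($value);
        // Report an empty or oversized value as "no token" rather than handing
        // junk to the authenticator for a storage lookup.
        if ('' === $value || strlen($value) > self::MAX_LENGTH) {
            return null;
        }
        return $value;
    }
}
```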

Logout Configuration for JWTRefreshTokenBundle

The gesdinet_jwt_refresh_token configuration in your Symfony application's config/packages/gesdinet_jwt_refresh_token.yaml file allows you to customize the logout behavior when using the JWTRefreshTokenBundle. Below is a comprehensive list of the available options for the logout section, which can be used to fine-tune the logout process, including session management, cookie handling, and CSRF protection.

Configuration Options

The logout configuration options can be defined under the gesdinet_jwt_refresh_token.logout key in your YAML configuration file. Below is an explanation of each option, its purpose, and its default value (if applicable).

clear_site_data

csrf_parameter

csrf_token_id

csrf_token_manager

delete_cookies

enable_csrf

invalidate_session

path

target

Example Configuration

Here’s an example of a complete logout configuration in config/packages/gesdinet_jwt_refresh_token.yaml:

Notes

For additional details on configuring the JWTRefreshTokenBundle, refer to the main documentation or other sections of this repository.


All versions of jwt-refresh-token-bundle with dependencies

Requires:
  • php >=7.4
  • doctrine/persistence ^1.3.3|^2.0|^3.0|^4.0
  • lexik/jwt-authentication-bundle ^2.0|^3.0
  • symfony/config ^5.4|^6.0|^7.0
  • symfony/console ^5.4|^6.0|^7.0
  • symfony/dependency-injection ^5.4|^6.0|^7.0
  • symfony/deprecation-contracts ^2.1|^3.0
  • symfony/event-dispatcher ^5.4|^6.0|^7.0
  • symfony/http-foundation ^5.4|^6.0|^7.0
  • symfony/http-kernel ^5.4|^6.0|^7.0
  • symfony/polyfill-php80 ^1.15
  • symfony/property-access ^5.4|^6.0|^7.0
  • symfony/security-bundle ^5.4|^6.0|^7.0
  • symfony/security-core ^5.4|^6.0|^7.0
  • symfony/security-http ^5.4|^6.0|^7.0