Your environment

| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 5.8.11 |
| Package version | 1.0.0-rc.4.1 |
| PHP version | 7.2.10 |

Steps to reproduce
Create a model with both id and uuid attributes. Keep protected $primaryKey = 'id';
Add three methods to the User model:
```php
/**
 * Get the identifier that will be stored in the subject claim of the JWT.
 *
 * @return mixed
 */
public function getJWTIdentifier()
{
    return $this->uuid;
}

/**
 * The key name to use as the JWT's subject
 *
 * @return string
 */
public function getAuthIdentifierName()
{
    return 'uuid';
}

/**
 * Return a key value array, containing any custom claims to be added to the JWT.
 *
 * @return array
 */
public function getJWTCustomClaims()
{
    return [
    ];
}
```
Issue a valid JWT token for the user, and execute the following closure
```php
Route::get('/test', function () {
    \JWTAuth::parseToken()->authenticate();
    dd(auth()->id());
});
```
Behaviour
I'd expect auth()->id() to be 1 (the primaryKey of User); instead I get the UUID of the user back.
This may be a bug in Wildside\Userstamps instead, if it's decided that auth()->id() is working as intended here.
I have temporarily resolved this in my code by overriding each model's registerListeners() method, and using my own Listener methods to return auth()->user()->id instead.
I still think this is a bug in jwt-auth though; I can see other libraries using the same call, presuming it to be the model's primaryKey. However, I am happy to raise a bug report there instead, once I have a definite answer that this is intended behaviour.
Subject of the issue
When using the JWTAuth guard, auth()->id() (which is used by various packages, such as wildside\userstamps when setting the created_by field in https://github.com/WildSideUK/Laravel-Userstamps/blob/master/src/Listeners/Creating.php) returns the value set in the 'sub' attribute of the JWT rather than the model's primaryKey. This breaks using an incremental 'id' value as the server-side primary key, cross-referenced as the foreign key on other tables, but also using a public facing UUID value in the JWT.
I'd expect auth()->id() to be 1 (the primaryKey of User); instead I get the UUID of the user back.

```
dd(auth()->id());
"00000000-0000-0000-0000-000000000000"
dd(Auth::id());
"00000000-0000-0000-0000-000000000000"
dd(Auth::user()->id);
1
dd(Auth::user()->getKey());
1
```
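
The workaround described in the report, as an added example that is not part of the original issue and is not jwt-auth, Laravel or Userstamps code. The stand-in classes `User` and `StubGuard` reproduce the reported `id()` result, and the hypothetical functions `stampWithGuardId`, `stampWithPrimaryKey` and `assertIntegerKey` show the audit column being filled from the model key, with a type check that rejects the UUID before it reaches an integer foreign-key column.

```php
<?php
// Added illustration with stand-in classes; not jwt-auth, Laravel or Userstamps code.
class User
{
    public $id = 1;                                        // internal primary key
    public $uuid = '00000000-0000-0000-0000-000000000000'; // public value carried in the JWT
    public function getKey() { return $this->id; }
    public function getJWTIdentifier() { return $this->uuid; }
}

// Stand-in guard reproducing the result reported above: id() yields the JWT subject.
class StubGuard
{
    private $user;
    public function __construct(?User $user) { $this->user = $user; }
    public function user(): ?User { return $this->user; }
    public function id() { return $this->user ? $this->user->getJWTIdentifier() : null; }
}

// Hypothetical check: the created_by column is a foreign key to the integer id.
function assertIntegerKey($value): void
{
    if ($value !== null && !is_int($value)) {
        throw new UnexpectedValueException('created_by must be an integer primary key or null');
    }
}

// Hypothetical listener body that trusts the guard's id().
function stampWithGuardId(StubGuard $guard, array $row): array
{
    $row['created_by'] = $guard->id();
    assertIntegerKey($row['created_by']);
    return $row;
}

// Hypothetical listener body that reads the key from the model; null when nobody is logged in.
function stampWithPrimaryKey(StubGuard $guard, array $row): array
{
    $user = $guard->user();
    $row['created_by'] = $user ? $user->getKey() : null;
    assertIntegerKey($row['created_by']);
    return $row;
}

$guard = new StubGuard(new User());
var_dump(stampWithPrimaryKey($guard, ['title' => 'constructed row']));
var_dump(stampWithPrimaryKey(new StubGuard(null), ['title' => 'constructed row']));
try { stampWithGuardId($guard, ['title' => 'constructed row']); }
catch (UnexpectedValueException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```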