nicumicle/simple-jwt-login

Validate Token should be a POST action

Borreguin opened this issue · 2 comments

Is your feature request related to a problem?

Sending the token in the URL as params is not a good practice. I suggest the token to validate should go in the body or in the header but not in the URL, for security reasons: https://gaurav5430.medium.com/web-security-access-token-in-url-79366a2bcb49

Additionally, when one uses AXIOS (for example in a React application) to log in using JWT, by default the GET action does not allow sending the JWT as a JSON body, so it is hard to hide the token.

Describe the solution you'd like

It would be nice if, instead of using the GET action, we could validate the token using POST and put the token either in the body or the header. For now, I looked at the code and this is accomplished by changing:
File: /simple-jwt-login/src/Services/RouteService.php, line 60, to this:

        [
            'name' => self::AUTHENTICATION_VALIDATE_ROUTE,
            'method' => self::METHOD_POST,
            'service' => ValidateTokenService::class,
        ],

Additional context (optional)

I'm not a PHP developer; maybe another validation is needed to not allow sending the token by URL. But this could be a good start.

Lupul commented

The JWT is not required in the URL; you can send it in the HTTP header when validating.

I use it like this with the fetch API in JS:
[screenshot]

Switching methods from GET to POST means breaking changes and might not be very welcomed :)

In order to support backward compatibility for the plugin, the /auth/validate endpoint supports both GET and POST methods.
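As an added illustration of the two comments above (not code from the plugin or from anyone in this thread), here is a fetch-based client that sends the JWT to the validate endpoint in the Authorization header rather than in the query string, works with either GET or POST, and refuses to send a request whose URL already carries a token parameter. The endpoint URL, the `Bearer` header form and the parameter names it rejects are assumptions, not something this page states.

```javascript
// Added example, not the plugin's own code.
// ASSUMPTIONS: the full endpoint URL is supplied by the caller, and the
// server reads the token from "Authorization: Bearer <jwt>".

// Build the fetch() arguments without sending anything, so the request
// can be inspected (and unit-tested) before it leaves the client.
// Default to POST as the issue proposes; GET plus the header is the
// backward-compatible form the last comment describes.
function buildValidateRequest(endpoint, token, method = 'POST') {
  const url = new URL(endpoint);
  // A token in the query string ends up in server access logs, browser
  // history and Referer headers, which is the risk the issue is about.
  for (const key of url.searchParams.keys()) {
    if (/^(jwt|token|access_token)$/i.test(key)) {
      throw new Error(`token must not be passed as URL parameter "${key}"`);
    }
  }
  const init = {
    method,
    headers: {
      Authorization: `Bearer ${token}`,
      Accept: 'application/json',
    },
  };
  return { url: url.toString(), init };
}

// Send the validation request; resolves to the parsed JSON response.
async function validateToken(endpoint, token, method = 'POST') {
  const { url, init } = buildValidateRequest(endpoint, token, method);
  const res = await fetch(url, init);
  return res.json();
}

// Constructed sample values: not a real site and not a real token.
const SAMPLE_ENDPOINT =
  'https://example.com/wp-json/simple-jwt-login/v1/auth/validate';
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.e30.placeholder-signature';
```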