feature #1300 feat: Support Symfony 8.x & web-token suite 4.x (dt-thomas-durand)

This PR was merged into the 3.x branch.

Discussion
----------

feat: Support Symfony 8.x & web-token suite 4.x

- Rewrote the configuration in php instead of xml (XML is deleted in Symfony 8)
- Fixed Coding Standard ; and UT
- Added support for web-token suite 4.x ; required to use Symfony 8

Commits
-------

570a64d feat: Support Symfony 8.x

Author: chalasr

.github/workflows/ci.yml

@@ -17,15 +17,15 @@ jobs:
             symfony: 6.4.*
             can-fail: false
           # LTS with last stable PHP
-          - php: 8.3
+          - php: 8.4
             symfony: 6.4.*
             can-fail: false
-            # Stable Symfony branches
-          - php: 8.3
-            symfony: 7.1.*
+          # Stable Symfony branches
+          - php: 8.4
+            symfony: 7.4.*
             can-fail: false
           - php: 8.4
-            symfony: 7.2.*
+            symfony: 8.0.*
             can-fail: false
 
     name: "PHP ${{ matrix.php }} - Symfony ${{ matrix.symfony }}${{ matrix.composer-flags != '' && format(' - Composer {0}', matrix.composer-flags) || '' }}"

.github/workflows/web-token-ci.yml

@@ -15,17 +15,21 @@ jobs:
                     # Lowest deps
                     - php: 8.2
                       symfony: 6.4.*
+                      jwt-bundle: 3.3
                       can-fail: false
                     # LTS with last stable PHP
-                    - php: 8.3
+                    - php: 8.4
                       symfony: 6.4.*
+                      jwt-bundle: 3.3
                       can-fail: false
-                      # Stable Symfony branches
-                    - php: 8.3
-                      symfony: 7.1.*
+                    # Stable Symfony branches
+                    - php: 8.4
+                      symfony: 7.4.*
+                      jwt-bundle: 4.0
                       can-fail: false
                     - php: 8.4
-                      symfony: 7.2.*
+                      symfony: 8.0.*
+                      jwt-bundle: 4.1
                       can-fail: false
 
         name: "PHP ${{ matrix.php }} - Symfony ${{ matrix.symfony }}${{ matrix.composer-flags != '' && format(' - Composer {0}', matrix.composer-flags) || '' }}"
@@ -51,7 +55,7 @@ jobs:
 
             - name: "Require web-token/*"
               run: |
-                  composer require --dev --no-update web-token/jwt-bundle:"^3.3.3"
+                  composer require --dev --no-update web-token/jwt-bundle:"^${{ matrix.jwt-bundle }}"
                   composer require --dev --no-update spomky-labs/aes-key-wrap:"^7.0"
 
             - name: "Install dependencies"

Command/EnableEncryptionConfigCommand.php

@@ -8,6 +8,7 @@
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
 use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithm;
 use Jose\Component\Encryption\JWEBuilder;
@@ -16,7 +17,6 @@
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;

Command/MigrateConfigCommand.php

@@ -6,11 +6,11 @@
 use Jose\Component\Checker\ClaimCheckerManager;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\KeyManagement\JWKFactory;
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;

DependencyInjection/LexikJWTAuthenticationExtension.php

@@ -14,7 +14,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
 use Symfony\Component\DependencyInjection\Extension\Extension;
-use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
+use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\HttpKernel\Kernel;
 
@@ -33,14 +33,14 @@ public function load(array $configs, ContainerBuilder $container): void
         $configuration = new Configuration();
         $config = $this->processConfiguration($configuration, $configs);
 
-        $loader = new XmlFileLoader($container, new FileLocator(__DIR__ . '/../Resources/config'));
+        $loader = new PhpFileLoader($container, new FileLocator(__DIR__ . '/../Resources/config'));
 
-        $loader->load('jwt_manager.xml');
-        $loader->load('key_loader.xml');
-        $loader->load('lcobucci.xml');
-        $loader->load('response_interceptor.xml');
-        $loader->load('token_authenticator.xml');
-        $loader->load('token_extractor.xml');
+        $loader->load('jwt_manager.php');
+        $loader->load('key_loader.php');
+        $loader->load('lcobucci.php');
+        $loader->load('response_interceptor.php');
+        $loader->load('token_authenticator.php');
+        $loader->load('token_extractor.php');
 
         if (empty($config['public_key']) && empty($config['secret_key'])) {
             $e = new InvalidConfigurationException('You must either configure a "public_key" or a "secret_key".');
@@ -89,7 +89,7 @@ public function load(array $configs, ContainerBuilder $container): void
         }
 
         if ($config['set_cookies']) {
-            $loader->load('cookie.xml');
+            $loader->load('cookie.php');
 
             $cookieProviders = [];
             foreach ($config['set_cookies'] as $name => $attributes) {
@@ -117,7 +117,7 @@ public function load(array $configs, ContainerBuilder $container): void
         }
 
         if (class_exists(Application::class)) {
-            $loader->load('console.xml');
+            $loader->load('console.php');
 
             $container
                 ->getDefinition('lexik_jwt_authentication.generate_keypair_command')
@@ -135,7 +135,7 @@ public function load(array $configs, ContainerBuilder $container): void
                 throw new LogicException('API Platform cannot be detected. Try running "composer require api-platform/core".');
             }
 
-            $loader->load('api_platform.xml');
+            $loader->load('api_platform.php');
 
             $container
                 ->getDefinition('lexik_jwt_authentication.api_platform.openapi.factory')
@@ -147,7 +147,7 @@ public function load(array $configs, ContainerBuilder $container): void
         $this->processWithWebTokenConfig($config, $container, $loader);
 
         if ($this->isConfigEnabled($container, $config['blocklist_token'])) {
-            $loader->load('blocklist_token.xml');
+            $loader->load('blocklist_token.php');
             $blockListTokenConfig = $config['blocklist_token'];
             $container->setAlias('lexik_jwt_authentication.blocklist_token.cache', $blockListTokenConfig['cache']);
         } else {
@@ -205,9 +205,9 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont
         if ($config['access_token_issuance']['enabled'] === false && $config['access_token_verification']['enabled'] === false) {
             return;
         }
-        $loader->load('web_token.xml');
+        $loader->load('web_token.php');
         if ($config['access_token_issuance']['enabled'] === true) {
-            $loader->load('web_token_issuance.xml');
+            $loader->load('web_token_issuance.php');
             $accessTokenBuilder = 'lexik_jwt_authentication.access_token_builder';
             $accessTokenBuilderDefinition = $container->getDefinition($accessTokenBuilder);
             $accessTokenBuilderDefinition
@@ -223,7 +223,7 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont
             }
         }
         if ($config['access_token_verification']['enabled'] === true) {
-            $loader->load('web_token_verification.xml');
+            $loader->load('web_token_verification.php');
             $accessTokenLoader = 'lexik_jwt_authentication.access_token_loader';
             $accessTokenLoaderDefinition = $container->getDefinition($accessTokenLoader);
             $accessTokenLoaderDefinition
@@ -241,6 +241,14 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont
                     ->replaceArgument(11, $config['access_token_verification']['encryption']['allowed_content_encryption_algorithms'])
                     ->replaceArgument(12, $config['access_token_verification']['encryption']['keyset'])
                 ;
+            } else {
+                $accessTokenLoaderDefinition
+                    ->replaceArgument(8, null)
+                    ->replaceArgument(9, null)
+                    ->replaceArgument(10, null)
+                    ->replaceArgument(11, null)
+                    ->replaceArgument(12, null)
+                ;
             }
         }
     }

Resources/config/api_platform.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Symfony\Component\DependencyInjection\Loader\Configurator;
+
+use Lexik\Bundle\JWTAuthenticationBundle\OpenApi\OpenApiFactory;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+
+return static function (ContainerConfigurator $container) {
+    $services = $container->services();
+
+    $services->set('lexik_jwt_authentication.api_platform.openapi.factory', OpenApiFactory::class)
+        ->private()
+        ->decorate('api_platform.openapi.factory', null, 0, ContainerInterface::IGNORE_ON_INVALID_REFERENCE)
+        ->args([
+            service('lexik_jwt_authentication.api_platform.openapi.factory.inner'),
+            '', // check path
+            '', // username path
+            '', // password path
+        ]);
+};

Resources/config/api_platform.xml

@@ -0,0 +1,32 @@
+<?php
+
+namespace Symfony\Component\DependencyInjection\Loader\Configurator;
+
+use Lexik\Bundle\JWTAuthenticationBundle\EventListener\BlockJWTListener;
+use Lexik\Bundle\JWTAuthenticationBundle\EventListener\RejectBlockedTokenListener;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\BlockedToken\CacheItemPoolBlockedTokenManager;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\BlockedTokenManagerInterface;
+use Symfony\Component\Security\Http\Event\LoginFailureEvent;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+
+return static function (ContainerConfigurator $container) {
+    $services = $container->services();
+
+    $services->set('lexik_jwt_authentication.event_listener.block_jwt_listener', BlockJWTListener::class)
+        ->args([
+            service('lexik_jwt_authentication.blocked_token_manager'),
+            service('lexik_jwt_authentication.extractor.chain_extractor'),
+            service('lexik_jwt_authentication.jwt_manager'),
+        ])
+        ->tag('kernel.event_listener', ['event' => LoginFailureEvent::class, 'method' => 'onLoginFailure', 'dispatcher' => 'event_dispatcher'])
+        ->tag('kernel.event_listener', ['event' => LogoutEvent::class, 'method' => 'onLogout', 'dispatcher' => 'event_dispatcher']);
+
+    $services->set('lexik_jwt_authentication.event_listener.reject_blocked_token_listener', RejectBlockedTokenListener::class)
+        ->args([service('lexik_jwt_authentication.blocked_token_manager')])
+        ->tag('kernel.event_listener', ['event' => 'lexik_jwt_authentication.on_jwt_authenticated']);
+
+    $services->set('lexik_jwt_authentication.blocked_token_manager', CacheItemPoolBlockedTokenManager::class)
+        ->args([service('lexik_jwt_authentication.blocklist_token.cache')]);
+
+    $services->alias(BlockedTokenManagerInterface::class, 'lexik_jwt_authentication.blocked_token_manager');
+};

Resources/config/blocklist_token.php

@@ -0,0 +1,50 @@
+<?php
+
+namespace Symfony\Component\DependencyInjection\Loader\Configurator;
+
+use Lexik\Bundle\JWTAuthenticationBundle\Command\CheckConfigCommand;
+use Lexik\Bundle\JWTAuthenticationBundle\Command\EnableEncryptionConfigCommand;
+use Lexik\Bundle\JWTAuthenticationBundle\Command\GenerateKeyPairCommand;
+use Lexik\Bundle\JWTAuthenticationBundle\Command\GenerateTokenCommand;
+use Lexik\Bundle\JWTAuthenticationBundle\Command\MigrateConfigCommand;
+
+return static function (ContainerConfigurator $container) {
+    $services = $container->services();
+
+    $services->set('lexik_jwt_authentication.check_config_command', CheckConfigCommand::class)
+        ->args([
+            service('lexik_jwt_authentication.key_loader'),
+            '%lexik_jwt_authentication.encoder.signature_algorithm%',
+        ])
+        ->tag('console.command', ['command' => 'lexik:jwt:check-config']);
+
+    $services->set('lexik_jwt_authentication.migrate_config_command', MigrateConfigCommand::class)
+        ->args([
+            service('lexik_jwt_authentication.key_loader'),
+            '%lexik_jwt_authentication.pass_phrase%',
+            '%lexik_jwt_authentication.encoder.signature_algorithm%',
+        ])
+        ->tag('console.command', ['command' => 'lexik:jwt:migrate-config']);
+
+    $services->set('lexik_jwt_authentication.enable_encryption_config_command', EnableEncryptionConfigCommand::class)
+        ->args([service('Jose\Component\Core\AlgorithmManagerFactory')->nullOnInvalid()])
+        ->tag('console.command', ['command' => 'lexik:jwt:enable-encryption']);
+
+    $services->set('lexik_jwt_authentication.generate_token_command', GenerateTokenCommand::class)
+        ->public()
+        ->args([
+            service('lexik_jwt_authentication.jwt_manager'),
+            [], // user providers
+        ])
+        ->tag('console.command', ['command' => 'lexik:jwt:generate-token']);
+
+    $services->set('lexik_jwt_authentication.generate_keypair_command', GenerateKeyPairCommand::class)
+        ->args([
+            service('filesystem'),
+            '',
+            '',
+            '',
+            '',
+        ])
+        ->tag('console.command', ['command' => 'lexik:jwt:generate-keypair']);
+};