Validate JWT user token on each request


#1

Hi, I am using the @ADmad JWT Auth plugin. My problem now is that if I disable a user while JWT authenticated, the token continues to be usable. Is there any way to check for every JWT request if the user exists, is enabled, etc., and if user access is forbidden, deny the request?

Thanks!


#2

Set the custom finder in the auth config:

$this->loadComponent('Auth', [
    'storage' => 'Memory',
    'authenticate' => [
        'ADmad/JwtAuth.Jwt' => [
            'userModel' => 'Users',
            'finder' => 'auth', // <<<<HERE
            'fields' => ['username' => 'id'],
            'parameter' => 'token',
            // Boolean indicating whether the "sub" claim of JWT payload
            // should be used to query the Users model and get user info.
            // If set to `false` JWT's payload is directly returned
            // and no database lookup happens, so the finder below is never applied.
            'queryDatasource' => true,
        ],
    ],
]);

and in UsersTable.php

use Cake\ORM\Query;

// Custom finder applied by the Auth component on every request: the JWT "sub"
// claim is matched against Users.id, and this extra condition excludes disabled
// users, so the query returns no row and the request is rejected as unauthenticated.
public function findAuth(Query $query, array $options)
{
    $query->where(['is_enabled' => true]);
    return $query;
}