Add set_cookie option to store JWT in secure cookies

DependencyInjection/Configuration.php

@@ -75,6 +75,19 @@ public function getConfigTreeBuilder()
                     ->info('If null, the user ID claim will have the same name as the one defined by the option "user_identity_field"')
                 ->end()
                 ->append($this->getTokenExtractorsNode())
+                ->arrayNode('set_cookie')
+                    ->canBeEnabled()
+                    ->children()
+                        ->scalarNode('name')
+                            ->defaultNull()
+                            ->info('The cookie name. If null, it will be the same as the one defined by the "token_extractors.cookie.name" option.')
+                        ->end()
+                        ->scalarNode('lifetime')
+                            ->defaultNull()
+                            ->info('The cookie lifetime. If null, it will be the same as the one defined by the "token_ttl" option.')
+                        ->end()
+                    ->end()
+                ->end()
             ->end();
 
         return $treeBuilder;

DependencyInjection/LexikJWTAuthenticationExtension.php

@@ -88,9 +88,22 @@ public function load(array $configs, ContainerBuilder $container)
         $container->setParameter('lexik_jwt_authentication.encoder.signature_algorithm', $encoderConfig['signature_algorithm']);
         $container->setParameter('lexik_jwt_authentication.encoder.crypto_engine', $encoderConfig['crypto_engine']);
 
+        $tokenExtractors = $this->createTokenExtractors($container, $config['token_extractors']);
         $container
             ->getDefinition('lexik_jwt_authentication.extractor.chain_extractor')
-            ->replaceArgument(0, $this->createTokenExtractors($container, $config['token_extractors']));
+            ->replaceArgument(0, $tokenExtractors);
+
+        if ($this->isConfigEnabled($container, $config['set_cookie'])) {
+            $loader->load('cookie.xml');
+            $container
+                ->getDefinition('lexik_jwt_authentication.cookie_provider')
+                ->replaceArgument(0, $config['set_cookie']['name'] ?: $config['token_extractors']['cookie']['name'])
+                ->replaceArgument(0, $config['set_cookie']['lifetime'] ?: $config['token_ttl']);
+
+            $container
+                ->getDefinition('lexik_jwt_authentication.handler.authentication_success')
+                ->replaceArgument(2, new Reference('lexik_jwt_authentication.cookie_provider'));
+        }
     }
 
     private static function createTokenExtractors(ContainerBuilder $container, array $tokenExtractorsConfig)

Resources/config/cookie.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <services>
+        <service id="lexik_jwt_authentication.cookie_provider" class="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider">
+            <argument>null</argument>
+            <argument>null</argument>
+        </service>
+        <service id="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider" alias="lexik_jwt_authentication.cookie_provider" />
+    </services>
+</container>

Resources/config/response_interceptor.xml

@@ -5,9 +5,15 @@
            xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
 
     <services>
+        <service id="lexik_jwt_authentication.cookie_provider" class="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\JWTCookieProvider">
+            <argument>null</argument> <!-- Default cookie name -->
+            <argument>null</argument> <!-- Default cookie lifetime -->
+        </service>
+
         <service id="lexik_jwt_authentication.handler.authentication_success" class="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler">
             <argument type="service" id="lexik_jwt_authentication.jwt_manager"/>
             <argument type="service" id="event_dispatcher"/>
+            <argument>null</argument> <!-- Cookie provider -->
             <tag name="monolog.logger" channel="security" />
         </service>
         <service id="Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler" alias="lexik_jwt_authentication.handler.authentication_success" />

Response/JWTAuthenticationSuccessResponse.php

@@ -2,6 +2,7 @@
 
 namespace Lexik\Bundle\JWTAuthenticationBundle\Response;
 
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\JsonResponse;
 
 /**
@@ -15,8 +16,15 @@ final class JWTAuthenticationSuccessResponse extends JsonResponse
      * @param string $token Json Web Token
      * @param array  $data  Extra data passed to the response
      */
-    public function __construct($token, array $data = [])
+    public function __construct($token, array $data = [], Cookie $jwtCookie = null)
     {
+        if ($jwtCookie) {
+            parent::__construct($data);
+            $this->headers->setCookie($jwtCookie);
+
+            return;
+        }
+
         parent::__construct(['token' => $token] + $data);
     }
 }

Security/Http/Authentication/AuthenticationSuccessHandler.php

@@ -5,6 +5,7 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
 use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationSuccessResponse;
+use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface as ContractsEventDispatcherInterface;
@@ -17,16 +18,22 @@
  * AuthenticationSuccessHandler.
  *
  * @author Dev Lexik <dev@lexik.fr>
+ * @author Robin Chalas <robin.chalas@gmail.com>
+ *
+ * @final
  */
 class AuthenticationSuccessHandler implements AuthenticationSuccessHandlerInterface
 {
+    private $cookieProvider;
+
     protected $jwtManager;
     protected $dispatcher;
 
-    public function __construct(JWTTokenManagerInterface $jwtManager, EventDispatcherInterface $dispatcher)
+    public function __construct(JWTTokenManagerInterface $jwtManager, EventDispatcherInterface $dispatcher, JWTCookieProvider $cookieProvider = null)
     {
         $this->jwtManager = $jwtManager;
         $this->dispatcher = $dispatcher;
+        $this->cookieProvider = $cookieProvider;
     }
 
     /**
@@ -43,7 +50,13 @@ public function handleAuthenticationSuccess(UserInterface $user, $jwt = null)
             $jwt = $this->jwtManager->create($user);
         }
 
-        $response = new JWTAuthenticationSuccessResponse($jwt);
+        $cookie = null;
+
+        if ($this->cookieProvider) {
+            $cookie = $this->cookieProvider->createCookie($jwt);
+        }
+
+        $response = new JWTAuthenticationSuccessResponse($jwt, [], $cookie);
         $event    = new AuthenticationSuccessEvent(['token' => $jwt], $user, $response);
 
         if ($this->dispatcher instanceof ContractsEventDispatcherInterface) {
@@ -52,7 +65,17 @@ public function handleAuthenticationSuccess(UserInterface $user, $jwt = null)
             $this->dispatcher->dispatch(Events::AUTHENTICATION_SUCCESS, $event);
         }
 
-        $response->setData($event->getData());
+        $responseData = $event->getData();
+
+        if ($cookie) {
+            unset($responseData['token']);
+        }
+
+        if ($responseData) {
+            $response->setData($responseData);
+        } else {
+            $response->setStatusCode(JWTAuthenticationSuccessResponse::HTTP_NO_CONTENT);
+        }
 
         return $response;
     }

Security/Http/Cookie/JWTCookieProvider.php

@@ -0,0 +1,56 @@
+<?php
+
+namespace Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie;
+
+use Symfony\Component\HttpFoundation\Cookie;
+
+/**
+ * Creates secure JWT cookies.
+ */
+final class JWTCookieProvider
+{
+    private $defaultCookieName;
+    private $defaultCookieLifetime;
+
+    /**
+     * @param string|null $defaultCookieName
+     * @param int|null    $defaultCookieLifetime
+     */
+    public function __construct($defaultCookieName = null, $defaultCookieLifetime = null)
+    {
+        $this->defaultCookieName = $defaultCookieName;
+        $this->defaultCookieLifetime = $defaultCookieLifetime;
+    }
+
+    /**
+     * @param string                             $jwt
+     * @param string|null                        $name      The cookie name. If null, the default will be used.
+     * @param int|string|\DateTimeInterface|null $expiresAt The cookie expiration datetime. If null, the default one will be used
+     * @param null                               $domain
+     * @param null                               $path
+     *
+     * @return Cookie
+     */
+    public function createCookie($jwt, $name = null, $expiresAt = null, $sameSite = Cookie::SAMESITE_LAX, $domain = null, $path = '/')
+    {
+        if (!$name && !$this->defaultCookieName) {
+            throw new \LogicException(sprintf('The cookie name must be provided, either pass it as 2nd argument of %s or set a default name via the constructor.', __METHOD__));
+        }
+
+        if (!$expiresAt && !$this->defaultCookieLifetime) {
+            throw new \LogicException(sprintf('The cookie expiration time must be provided, either pass it as 3rd argument of %s or set a default lifetime via the constructor.', __METHOD__));
+        }
+
+        return new Cookie(
+            $name ?: $this->defaultCookieName,
+            $jwt,
+            null === $expiresAt ? (time() + $this->defaultCookieLifetime) : $expiresAt,
+            $path,
+            $domain,
+            true,
+            true,
+            false,
+            $sameSite
+        );
+    }
+}

Tests/Security/Http/Authentication/AuthenticationSuccessHandlerTest.php

@@ -4,9 +4,11 @@
 
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
 use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Authentication\AuthenticationSuccessHandler;
+use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTManager;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface as ContractsEventDispatcherInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 
@@ -62,6 +64,25 @@ public function testHandleAuthenticationSuccessWithGivenJWT()
         $this->assertEquals('jwt', $content['token']);
     }
 
+    public function testOnAuthenticationSuccessSetCookie()
+    {
+        $request = $this->getRequest();
+        $token   = $this->getToken();
+
+        $cookieProvider = new JWTCookieProvider('access_token', 60);
+
+        $response = (new AuthenticationSuccessHandler($this->getJWTManager('secrettoken'), $this->getDispatcher(), $cookieProvider))
+            ->onAuthenticationSuccess($request, $token);
+
+        $this->assertInstanceOf(JsonResponse::class, $response);
+        $this->assertSame(204, $response->getStatusCode());
+        $this->assertEmpty(json_decode($response->getContent(), true));
+
+        $cookie = $response->headers->getCookies()[0];
+        $this->assertSame('access_token', $cookie->getName());
+        $this->assertSame('secrettoken', $cookie->getValue());
+    }
+
     /**
      * @return \PHPUnit_Framework_MockObject_MockObject
      */