Greetings.
I had implemented a JWT authorization system for my API, using a layout as a middleware for my endpoint pages. It was working fine until the update to the last version of October CMS (3.3.12).
This is the api.htm script I have in my current template folder:
description = "API Authorization"
==
function onStart()
{
//$token = Input::get('token');
//Instead we use header
$this['token'] = Request::header('Authorization');
try {
//Vdomah JWTAuth Method could generate exception
$this['user'] = JWTAuth::toUser($this['token']);
} catch ( \Exception $e ) {
//Token not validated
$this['user'] = null;
}
}
==
{% if user %}
{% page %}
{% else %}
{% do response({ error: 'Not Authorized',
JWT: token
}) %}
{% endif %}
And this is one of many endpoint pages:
title = "Authors"
layout = "api"
url = "/api-v1/authors/all/:orderby?id/:order?asc/:ipp?100"
[collection]
handle = "Content\Author"
==
{##}
{% set authors = collection.withTrashed().orderBy(this.param.orderby, this.param.order).paginate(this.param.ipp) %}
{% set pager = pager(authors) %}
{% set result = collect() %}
{% for author in authors %}
{% do result.push({
id: author.id,
modified: author.updated_at | date('U'),
deleted: author.deleted_at is null ? null : author.deleted_at | date('U'),
name: author.title,
description: author.description,
photo: author.photo.path,
}) %}
{% endfor %}
{% do response({
data: result,
links: pager.links,
meta: pager.meta,
}) %}
To handle the JWT tokens I’m using the plugin Vdomah JWTAuth 1.0.12, which uses the RainLab.User plugin (also updated to the last version 2.1.0).
The JWT generation/refresh mechanism was working fine until the update, but now I can get a response from the endpoints with any random token in the header, or even without any header. So validation is not in place anymore.
It seems that the layout script is being completely ignored, since I get the same response if I replace the {% page %} tag with an arbitrary HTML code.
Your comments and suggestions will be greatly appreciated.