2.0 Proposal #347
2.0 Proposal #347
Conversation
| @@ -108,10 +71,6 @@ public function getConfigTreeBuilder(): TreeBuilder | |||
| ->scalarNode('remove_token_from_body')->defaultTrue()->end() | |||
| ->end() | |||
| ->end() | |||
| ->scalarNode('logout_firewall') | |||
There was a problem hiding this comment.
We should depreciate it before we delete it
There was a problem hiding this comment.
Yeah, thanks for the reminder here. There are definitely a few things that could use a proper deprecation in a 1.x release that I'm now forgetting about since I've been sitting on this branch for so long 😬
There was a problem hiding this comment.
#350 for compat layer
| if (null === $tokenString) { | ||
| $event->setResponse( | ||
| new JsonResponse( | ||
| [ | ||
| 'code' => 400, | ||
| 'message' => 'No refresh_token found.', | ||
| ], | ||
| JsonResponse::HTTP_BAD_REQUEST | ||
| Response::HTTP_BAD_REQUEST |
There was a problem hiding this comment.
BTW, we should not overload a new response if one exists and let the "DefaultLogoutListener" set it
And also set a negative priority to be before the "CookieClearingLogoutListener"
There was a problem hiding this comment.
BTW, we should not overload a new response if one exists and let the "DefaultLogoutListener" set it
Well, this is a bit of a chicken vs. egg problem. The DefaultLogoutListener::onLogout() listener has a priority of 64, which makes it the first event listener to run on the logout event in the app for one of my company's bigger clients. So an if ($event->getResponse() === null) check isn't going to have a lot of value here without making it a higher priority than the default listener.
And also set a negative priority to be before the "CookieClearingLogoutListener"
The CookieClearingLogoutListener::onLogout() listener already has a priority of -255, so this listener is already running before that one (when it's enabled).
There was a problem hiding this comment.
Tell me if I'm wrong: in case your application uses a form_login on the same firewall as the refresh_jwt, the {firewall}.logout.path configuration will not work anymore because the response created by the DefaultLogoutListener will be overwritten by this listener.
And BTW, even in the current configuration of this bundle, we should have this case
There was a problem hiding this comment.
In that scenario, yeah, you're hosed.
This almost needs a generate_response config param TBH, one can then explicitly opt into whether this bundle generates (and potentially overwrites a previously set) response for the logout request.
You then need to split the cookie invalidation part of the listener off into another lower priority listener (maybe the same priority as CookieClearingLogoutListener::onLogout()) that way it runs as late in the process as possible and has a better chance of clearing the cookie on the right response object (in case another bundle or a listener in the app itself is doing something with the response).
There was a problem hiding this comment.
Yeah a config on the refresh_jwt like logout_path to check if the route match to generate the json response or not
|
@thomaspicquet Could you rebase the conflicts to keep this big one issue updated? Thanks |
mbabker
force-pushed
the
2.0-proposal
branch
2 times, most recently
from
8402feb
to
cb3294e
Compare
|
@mbabker I've been using your version 2.0 on production for a couple months now and its been working well ;) |
|
Please @markitosgv @mbabker, could we merge this for get rid of a lot deprecation warnings annoying? The 2.0 release is taking a lot time to happen. We need remove the deprecations and old code and release the 2.0 clean for Symfony 7.0 world. It is very annoying see the deprecations warnings from 1.0 release or master. All the uses from
Instead
Are spamming a lot project logs with deprecated. Thanks |
…r supports the request
…nager is not configured, fail when an OM can't be set up
What deprecations, specifically, are you hitting with this bundle's latest 1.x release that cannot be fixed? The bundle itself shouldn't be using its own deprecated code. If your issue is just the presence of
Is something in your project using the deprecated |
it some way, when I load the bundle, always hit https://github.com/markitosgv/JWTRefreshTokenBundle/blob/master/Entity/AbstractRefreshToken.php#L16 since the autoloaders with PSR4 load all the claseses. Since it is a interface, and it doesn't have a constructor, it is always loaded the trigger of deprecation and it should be only show when it is really in use. This was already mentioned at api-platform/core#4790 (comment) Regarding to ::create(), I am already using createForUserWithTtl():
|
It's no different than That deprecation being triggered isn't the autoloader arbitrarily including all files, but rather processes that eagerly scan and load files. I know API Platform has stuff that can do that (exactly as pointed out by that issue), moving those calls doesn't necessarily solve anything here (and if anything it's a higher risk change to introduce a constructor to an abstract class where one didn't exist previously). |
So, since we cannot avoid it, if 2.0 get released, then we can remove all trigger_deprecation() calls finally |
See #343 for details
I'm leaving it as split-up commits to make it a little easier to see how everything evolved.
If accepted as is, what I'd personally do is this: