I have a REST API made with Symfony 4.4 and I am having problems in the authentication process. Everything works fine, but I am experiencing that sometimes the login_check returns 401 Unauthorized with users who days ago could access without problems. I am using LexikJWTAuthenticationBundle.
Security:
```yaml
security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_ADMIN
        ROLE_MANAGER: ROLE_MANAGER
        ROLE_CLIENT: ROLE_CLIENT
        ROLE_HOST: ROLE_HOST
    encoders:
        App\Entity\User:
            algorithm: auto
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern: ^/api/login
            stateless: true
            anonymous: true
            json_login:
                check_path: /api/login_check
                success_handler: app.jwt_authenticator_success_handler
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern: ^/api
            anonymous: true
            stateless: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
        main:
            anonymous: ~
            logout:
                path: app_logout
                delete_cookies: ['rhsso']
                success_handler: logout_handler
                # where to redirect after logout
                # target: app_any_route
    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
```
I have no idea what is going on. I'm trying to at least log the time where the credentials are verified but I can't find a way to intercept the code for the login_check route. I don't even know where that code is in symfony security. Any help with this? Thanks in advance.
/api/login_check path is probably defined in /config/routes/jwt.yaml or somewhere in the config/routes...
may or may not shed some light
and if you run
you should find the class to intercept. Perhaps you could dig into the failure handler to find out why you get a 401. Token expiry sounds possible if it's happening from time to time.
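An added example, not from the question, the answer, or the bundle itself, of the interception the question asks for: a Symfony 4.4 event subscriber that logs the time and cause of every /api/login_check rejection dispatched by the `lexik_jwt_authentication.handler.authentication_failure` handler configured above, plus expired-token rejections on the `^/api` firewall. The class and file name are my own; it assumes `autoconfigure` is on so the subscriber registers itself.

```php
<?php
// src/EventSubscriber/LoginCheckAuditSubscriber.php (hypothetical file name)
namespace App\EventSubscriber;

use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationFailureEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTExpiredEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Events;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RequestStack;

final class LoginCheckAuditSubscriber implements EventSubscriberInterface
{
    private $logger;
    private $requestStack;

    public function __construct(LoggerInterface $logger, RequestStack $requestStack)
    {
        $this->logger = $logger;
        $this->requestStack = $requestStack;
    }

    public static function getSubscribedEvents(): array
    {
        return [
            Events::AUTHENTICATION_FAILURE => 'onLoginCheckFailure', // login firewall
            Events::JWT_EXPIRED => 'onJwtExpired',                   // api firewall
        ];
    }

    // Dispatched by the Lexik failure_handler right before it returns the 401.
    public function onLoginCheckFailure(AuthenticationFailureEvent $event): void
    {
        $request = $this->requestStack->getCurrentRequest();
        $exception = $event->getException();
        // The handler collapses every cause into a generic 401. The exception class
        // (and, with hide_user_not_found on, its "previous" exception) tells you
        // whether the user was not found, the password was wrong, or the account
        // was disabled/locked, which is what you need to explain intermittent 401s.
        $this->logger->warning('login_check rejected', [
            'at' => (new \DateTimeImmutable())->format(DATE_ATOM),
            'ip' => $request ? $request->getClientIp() : null,
            'user' => $exception->getToken() ? $exception->getToken()->getUsername() : null,
            'reason' => \get_class($exception),
            'message' => $exception->getMessageKey(),
            'cause' => $exception->getPrevious() ? $exception->getPrevious()->getMessage() : null,
        ]);
    }

    // A bearer token on ^/api that parses but is past its exp claim lands here.
    public function onJwtExpired(JWTExpiredEvent $event): void
    {
        $this->logger->info('JWT expired', ['message' => $event->getException()->getMessageKey()]);
    }
}
```

If the rejections log a disabled or locked account, or a "user not found" cause for an address that used to work, the problem is in the user data rather than in the JWT layer; if only `JWT expired` entries show up, the clients are reusing old tokens past `token_ttl`.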