Rather than passing an anonymous function to either the validateToken()
or validateJWT()
methods, you could create an invokable class in order to reuse the same validations:
use LittleApps\LittleJWT\Facades\LittleJWT;
use Illuminate\Support\Facades\App;
// Create validatable instance directly:
$validatable = new MyValidator();
// Pass $validatable callback array to validateToken method.
$passes = LittleJWT::validateToken($token, $validatable);
There's advantages to including the validatable in the config/littlejwt.php
configuration file:
The following is an example of configuration options for validatables:
return [
'validatables' => [
'default' => [
/**
* Validatable instance to use for this validator.
*/
'validatable' => \LittleApps\LittleJWT\Validation\Validators\DefaultValidator::class,
/* ... */
],
'guard' => [
/**
* Validatable instance to use for this validator.
*/
'validatable' => \LittleApps\LittleJWT\Validation\Validators\GuardValidator::class,
/* ... */
],
],
];
Little JWT comes bundled with a few pre-existing validatables. Each validatable has a key that can be used when specifying validatables for things like the middleware or validator rules.
default
The default validatable is used when it is set as the default validatable and the third parameter ($applyDefault
) is passed to the validateToken
or validateJWT
method as true
:
use LittleApps\LittleJWT\Facades\LittleJWT;
// Applies the default validatable:
$passes = LittleJWT::validateToken($token, null, true);
// The second parameter is null and third parameter is true by default:
$passes = LittleJWT::validateToken($token);
The default validatable checks that:
exp
(expires) claim is in the future.nbf
(not before) claim is in the past.iat
(issued at) claim is in the past.aud
(audience) claim equals what is set in config file.iss
(issuer) claim equals what is set in config file.The following outlines the configuration options you can set for the DefaultValidatable
in the config/littlejwt.php
file under validatables.default
:
Option | Type | Description |
---|---|---|
required |
array |
Indicates which claim keys must exist in the header or payload. This merely checks the claim keys, not if they're valid. |
leeway |
int |
How many seconds after the JWT expires to still be valid. |
alg |
string |
The expected value for the algorithm ('alg') header claim. |
iss |
string |
The expected value for the issuer ('iss') payload claim. |
aud |
string |
The expected value for the audience ('aud') payload claim. |
The stack validatable allows multiple validatables to be sent as a single validatable:
use LittleApps\LittleJWT\Facades\LittleJWT;
use LittleApps\LittleJWT\Validation\Validatables\StackValidatable;
$validatable1 = new MyValidatable();
$validatable2 = new MyOtherValidatable();
$stack = new StackValidatable([$validatable1, $validatable2]);
$passes = LittleJWT::validateToken(
$token,
// Pass the invokable StackValidatable class.
$stack,
// The default validatable will still be used if the third parameter is true.
false
);
You can also stack multiple callbacks as a single validatable:
use LittleApps\LittleJWT\Facades\LittleJWT;
use LittleApps\LittleJWT\Validation\Validator;
use LittleApps\LittleJWT\Validation\Validatables\StackValidatable;
$callback1 = function(Validator $validator) { /* ... */ };
$callback2 = function(Validator $validator) { /* ... */ };
$stack = new StackValidatable([$callback1, $callback2]);
$passes = LittleJWT::validateToken(
$token,
// Pass in a callback array referencing the validate method in the StackValidatable.
$stack,
// The default validatable will still be used if the third parameter is true.
false
);
guard
The guard validatable is used when the generic guard adapter is used. Since it's meant for the generic guard adapter, it's not recommended that you instantiate the GuardValidatable
class directly.
The guard validatable checks that:
sub
(subject) claim identifier (if the exists
option is true
).prv
(provider) claim equals the model class set in the configuration file (if the model
option is not false
).sub
(if the exists
option is true
).prv
(if the model
option is not false
).The following outlines the configuration options you can set for the DefaultValidatable
in the config/littlejwt.php
file under validatables.guard
:
Option | Type | Description |
---|---|---|
exists |
boolean |
If true, checks that a user exists with the sub (subject) claim identifier. This is separate than the user provider retrieving the user to associate with the guard. |
model |
string boolean |
The expected value for the provider ('prv') payload claim. If false, the 'prv' payload claim is not validated (not recommended). |
The fingerprint validatable is used when the guard adapter is set to the fingerprint adapter. Since it's meant for the fingerprint guard adapter, it's not recommended that you instantiate the FingerprintValidatable
class directly.
The fingerprint validatable checks that:
fgpt
claim securely equals the hash of the fingerprint cookie.There are no configuration options for the the fingerprint validatable.
As of version 1.6, the
Validatable
interface is deprecated and will be removed in future versions. Instead, use invokable classes.
Create a custom validatable by creating a class that implements the Validatable
interface:
use LittleApps\LittleJWT\Validation\Validator;
use LittleApps\LittleJWT\Contracts\Validatable;
class MyValidatable implements Validatable
{
public function __construct()
{
}
public function validate(Validator $validator)
{
/* ... */
}
}
Send a callback array referencing the validate()
method in the $validatable
instance to either the validateToken()
or validateJWT()
method:
use LittleApps\LittleJWT\Facades\LittleJWT;
$validatable = new MyValidatable();
$passes = LittleJWT::validateToken($token, [$validatable, 'validate']);
To take advantage of the configuration file (as explained above), add an entry to the config/littlejwt.php
configuration file. You must set the value of the 'validatable'
key to the fully qualified class name.
return [
'validatables' => [
/* ... */
'custom' => [
/**
* Validatable instance to use for this validator.
*/
'validatable' => \Path\To\MyValidatable::class,
// Configuration options are passed to the MyValidator instance.
'foo' => 'bar'
],
],
];
Make sure the constructor accepts the configuration as a parameter and sets it to a property. Any keys set in the configuration file entry (besides 'validatable') will be passed when the instance is created by the Laravel container.
use LittleApps\LittleJWT\Validation\Validator;
class MyValidatable
{
protected $config;
public function __construct(array $config)
{
$this->config = $config;
}
public function __invoke(Validator $validator)
{
/*
* Use the config property to access configuration options.
*
* Example:
* $foo = $this->config['foo'];
*/
}
}
Now that the validatable is registered in the configuration file, it can be resolved using Laravel's container. The alias is littlejwt.validatables.
followed by the key entry specified in the configuration file:
use LittleApps\LittleJWT\Facades\LittleJWT;
use Illuminate\Support\Facades\App;
$validatable = App::make('littlejwt.validatables.custom');
$passes = LittleJWT::validateToken($token, $validatable);
It can also be used with the provided Valid Token middleware:
Route::get('/protected', function () {
// Reaches here after token is validated with the custom validatable.
})->middleware('validtoken:custom');
The default validatable can be changed in the config/littlejwt.php
file.
return [
'defaults' => [
/* ... */
'validatable' => 'default'
]
];
The value for the defaults.validatable
key corresponds with a key set under validatables.*
.
return [
'validatables' => [
'default' => [
/* ... */
]
]
];