My API was working well with classic JWT settings. But as I am trying to make a frontend UX for it, I'm trying to switch the bundle to cookie mode.
I changed my lexik_jwt_authentication.yaml like this:

```yaml
lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: 3600
    remove_token_from_body_when_cookies_used: false # will remove that line once everything works fine
    token_extractors:
        cookie:
            enabled: true
            name: BEARER
    set_cookies:
        BEARER: ~
```
And my security.yaml:

```yaml
security:
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    providers:
        app_user_provider:
            mongodb:
                class: App\Document\User
                property: username
    firewalls:
        login:
            pattern: ^/login
            stateless: true
            json_login:
                check_path: /login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern: ^/
            stateless: true
            jwt: ~
    access_control:
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
```
And in case it's helpful, my routes.yaml:

```yaml
controllers:
    resource:
        path: ../src/Controller/
        namespace: App\Controller
    type: attribute
api_login_check:
    path: /login_check
```
When I'm trying to log in with Postman, everything works well. Except it is also working when I submit invalid credentials. The API does return a 401 error with "Invalid credentials" in the response's body, just like before. But I also get a working token in a cookie. What's wrong with my setup?
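A functional test that pins down the symptom described above, added here as an example and not part of the original question: it posts bad credentials to the `json_login` check path from the posted config and asserts that the 401 response carries no `BEARER` cookie. It assumes Symfony's `WebTestCase`, the `/login_check` path and cookie name `BEARER` from the configs above, and constructed credentials `alice` / `wrong-password` that do not match any user.

```php
<?php
// Added example, not code from the question. Assumes the json_login firewall
// at /login_check and the BEARER cookie name from the posted configuration;
// the credentials below are constructed and must not match a real user.
namespace App\Tests;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class LoginCookieTest extends WebTestCase
{
    /** Posts a JSON login and returns [status code, names of cookies set]. */
    private function postLogin(string $username, string $password): array
    {
        $client = static::createClient();
        $client->request(
            'POST',
            '/login_check',
            [],
            [],
            ['CONTENT_TYPE' => 'application/json'],
            json_encode(['username' => $username, 'password' => $password])
        );
        $response = $client->getResponse();

        // Collect the name of every cookie the response tries to set.
        $cookieNames = array_map(
            static fn ($cookie) => $cookie->getName(),
            $response->headers->getCookies()
        );

        return [$response->getStatusCode(), $cookieNames];
    }

    public function testFailedLoginMustNotSetTokenCookie(): void
    {
        [$status, $cookies] = $this->postLogin('alice', 'wrong-password');

        self::assertSame(401, $status);
        // This is the check the setup in the question currently fails:
        // a 401 "Invalid credentials" must never arrive with a token cookie.
        self::assertNotContains('BEARER', $cookies);
    }
}
```

Run it with `php bin/phpunit`; once the cookie issuance is fixed, this test keeps the regression from coming back.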