netgen/api-platform-extras
api-platform-extras

Configuration (config/packages/api_platform_extras.yaml):

api_platform_extras:
  features:
    # NOT IMPLEMENTED YET
    http_cache:
      enabled: false
    schema_decoration:
      enabled: false
      # Mark schema properties as required by default when the type is not nullable.
      default_required_properties: false
      # Add @id as an optional property to all POST, PUT and PATCH schemas.
      jsonld_update_schema: false
    # NOT IMPLEMENTED YET
    simple_normalizer:
      enabled: false
    jwt_refresh:
      enabled: false
      auto_refresh_cookie: false
      auto_refresh_header: false
      user_aware: false
      ignored_routes: []
      ignored_paths: []
      allowed_firewalls: []
    iri_template_generator:
      enabled: false
    schema_processor:
      enabled: false

Enable features by setting the corresponding flag to true.

JWT Refresh Feature

jwt_refresh is active only when:

  • api_platform_extras.features.jwt_refresh.enabled: true
  • at least one of:
    • api_platform_extras.features.jwt_refresh.auto_refresh_cookie: true
    • api_platform_extras.features.jwt_refresh.auto_refresh_header: true

If both auto-refresh flags are false, the behavior is effectively the same as if the feature were disabled.

user_aware defaults to false. When enabled, refresh token handling validates that the selected user provider supports the user class stored on the refresh token.

Related bundle config

JWT/refresh token names and header prefix are taken from Lexik/Gesdinet config (with bundle defaults):

  • lexik_jwt_authentication.token_extractors.authorization_header.prefix (default: Bearer)
  • lexik_jwt_authentication.token_extractors.authorization_header.name (default: Authorization)
  • lexik_jwt_authentication.token_extractors.cookie.name (default: BEARER)
  • gesdinet_jwt_refresh_token.token_parameter_name (default: refresh_token)

When the Lexik extractor parameters are not exposed as container parameters, the values are read from the arguments of the Lexik extractor service definitions.

Refresh token entity

When using a custom refresh token entity, extend the bundle's entity:

<?php

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;

#[ORM\Entity]
#[ORM\Table(name: 'project_prefix_refresh_token')]
class RefreshToken extends \Netgen\ApiPlatformExtras\Entity\RefreshToken {}

And configure Gesdinet to use your entity:

gesdinet_jwt_refresh_token:
  refresh_token_class: App\Entity\RefreshToken

Logout Configuration

Recommended config to invalidate both tokens and clear cookies with no custom app logic:

# config/packages/lexik_jwt_authentication.yaml
lexik_jwt_authentication:
  blocklist_token:
    enabled: true
# config/packages/security.yaml
security:
  firewalls:
    api:
      logout:
        path: app_logout
        delete_cookies:
          # JWT cookie configured in lexik_jwt_authentication.token_extractors.cookie.name
          jwt-bearer: ~
          # Refresh cookie configured in gesdinet_jwt_refresh_token.token_parameter_name
          refresh-token: ~
      refresh-jwt:
        invalidate_token_on_logout: true

Notes:

  • invalidate_token_on_logout: true (Gesdinet) deletes the refresh token on logout.
  • blocklist_token.enabled: true (Lexik) blocklists the JWT on logout.
  • This bundle normalizes the Gesdinet 400 "No refresh_token found." response to 200 "Logged out." so that logout responses are idempotent.
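A functional test that checks the logout configuration above actually ends the session, as an added example (not code from the bundle). It assumes, beyond what this README states, that the app exposes the Lexik login at /api/login_check (issuing the jwt-bearer and refresh-token cookies), the Gesdinet refresh route at /api/token/refresh, and that app_logout resolves to /logout.

```php
<?php
// Added example, not part of netgen/api-platform-extras.
// Assumed routes (not from the README): /api/login_check, /api/token/refresh, /logout.
// Cookie names jwt-bearer and refresh-token match the security.yaml delete_cookies config.

namespace App\Tests;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class LogoutInvalidationTest extends WebTestCase
{
    public function testLogoutClearsCookiesAndRevokesTokens(): void
    {
        $client = static::createClient();

        // Obtain both cookies through the normal login flow (constructed test credentials).
        $client->request('POST', '/api/login_check', [], [], ['CONTENT_TYPE' => 'application/json'],
            json_encode(['username' => 'test@example.com', 'password' => 'test-password']));
        self::assertResponseIsSuccessful();
        $refreshCookie = $client->getCookieJar()->get('refresh-token');
        self::assertNotNull($refreshCookie, 'login must issue a refresh-token cookie');
        $refreshToken = $refreshCookie->getValue();

        // Logout: Lexik blocklists the JWT, Gesdinet deletes the refresh token,
        // and the firewall's delete_cookies clears both cookies in the response.
        $client->request('POST', '/logout');
        self::assertResponseStatusCodeSame(200);
        $cleared = [];
        foreach ($client->getResponse()->headers->getCookies() as $cookie) {
            if ($cookie->isCleared()) {
                $cleared[] = $cookie->getName();
            }
        }
        self::assertEqualsCanonicalizing(['jwt-bearer', 'refresh-token'], $cleared);

        // A replayed refresh token must be rejected: invalidate_token_on_logout removed it.
        // Passed as the refresh_token parameter (gesdinet_jwt_refresh_token.token_parameter_name).
        $client->request('POST', '/api/token/refresh', ['refresh_token' => $refreshToken]);
        self::assertResponseStatusCodeSame(401);

        // Logout is idempotent: with no refresh token present the bundle still answers 200.
        $client->request('POST', '/logout');
        self::assertResponseStatusCodeSame(200);
    }
}
```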

About

Extra bits for API Platform
