first time here.
I'm using LexikJWTBundle in a Symfony 4 API.
I created a Symfony command that at some point creates users.
Now, authentication works just fine on my local web server. But on production server, i got a {"code":401,"message":"Invalid credentials."}. However, if i reset the password (via another API endpoint), then i can log in.
curl -X POST -H "Content-Type: application/json" http://production-url/api/login -d '{"username":"PM-03792","password":"edc772cd"}'
The password edc772cd, generated at the user's creation, is matching with the hash $argon2id$v=19$m=65536,t=4,p=1$MDZEZy9VaEx6ZkhkM0ViWg$H+jkLemeDZG+3KrJ891qHw0J3g/2RP3M8EQlhOzExZI.
The production server's log
[error] AH10039: FastCGI: server "/homez.947/xqeknef/www/reservetacaisse/public/index.php" stderr: PHP message: [info] Matched route "login".
[error] AH10039: FastCGI: server "/homez.947/xqeknef/www/reservetacaisse/public/index.php" stderr: PHP message: [debug] SELECT t0.id AS id_1, t0.username AS username_2, t0.roles AS roles_3, t0.password AS password_4, t0.no_agent AS no_agent_5, t0.mail AS mail_6 FROM rtv_user t0 WHERE t0.username = ? LIMIT 1
[error] AH10039: FastCGI: server "/homez.947/xqeknef/www/reservetacaisse/public/index.php" stderr: PHP message: [info] Authentication request failed.
I use this code to generate my user, using the UserPasswordEncoderInterface and i reset his password the same way :
// [...]
$randomPassword = substr(sha1(random_bytes(5)), 0,8);
$user->setUsername($username)
->setMail($mail)
->setPassword($this->encoder->encodePassword($user, $randomPassword))
->setNoAgent($noAgent)
;
$this->em->persist($user);
// [...]
My configuration :
# security.yaml
security:
encoders:
App\Entity\User:
algorithm: auto
providers:
app_user_provider:
entity:
class: App\Entity\User
property: username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/api/login
stateless: true
anonymous: true
provider: app_user_provider
json_login:
check_path: /api/login
username_path: username
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
refresh:
pattern: ^/api/token/refresh
stateless: true
anonymous: true
api:
pattern: ^/api
stateless: true
provider: app_user_provider
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
main:
anonymous: ~
access_control:
- { path: ^/api/docs, roles: IS_AUTHENTICATED_ANONYMOUSLY } # Allows accessing the Swagger UI
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/reset-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/token/refresh, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/politique-de-confidentialite, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/documentation, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }
- .env is in dev mode
- I cleared cache
- I regenerated RSA keys
I don't understand why auth works after resetting the password while (i think) nothing has changed but the hash who was already valid.
I'm a bit lost on what to do.
Thank you for your time
Marc, I'm sure that the cause in
You pass $user in encodePassword() and it's empty at the creation, but has ID on update.