for testing and deploying your application
for finding and fixing issues
for empowering human code reviews
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
<?php
namespace WWON\JwtGuard;
use Illuminate\Auth\Events\Attempting;
use Illuminate\Auth\Events\Login;
use Illuminate\Auth\Events\Logout;
use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Http\Request;
use Illuminate\Session\TokenMismatchException;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Payload;
class JwtGuard implements Guard
{
use GuardHelpers;
/**
* @var string
*/
protected $token;
* @var TokenManager
protected $tokenManager;
* @var Request
protected $request;
* Indicates if the logout method has been called.
*
* @var bool
protected $loggedOut = false;
* JwtGuard constructor
* @param UserProvider $provider
* @param TokenManager $tokenManager
* @param Request|null $request
public function __construct(
UserProvider $provider,
TokenManager $tokenManager,
Request $request = null
) {
$this->provider = $provider;
$this->tokenManager = $tokenManager;
$this->request = $request;
}
* Get the currently authenticated user.
* @return \Illuminate\Contracts\Auth\Authenticatable|null
public function user()
// If we've already retrieved the user for the current request we can just
// return it back immediately. We do not want to fetch the user data on
// every call to this method because that would be tremendously slow.
if ($this->user) {
return $this->user;
if (!$token = $this->getBearerToken()) {
return $this->user = null;
try {
$payload = $this->getPayloadOfToken($token);
$user = $this->getUserByPayload($payload);
$this->user = $this->userHasToken($user, $payload) ? $user : null;
} catch (JWTException $e) {
$this->user = null;
* Retrieve the payload of the given token.
* @param string $token
* @return array
protected function getPayloadOfToken($token)
return app('tymon.jwt.auth')->setToken($token)->getPayload();
* Retrieve the user by the given payload.
* @param Payload $payload
* @return AuthenticatableContract|null
protected function getUserByPayload(Payload $payload)
return $this->provider->retrieveById($payload['sub']);
* Determine whether the user has a token attached.
* @param \Illuminate\Contracts\Auth\Authenticatable $user
* @return bool
protected function userHasToken($user, Payload $payload)
return $this->tokenManager->check($user->getAuthIdentifier(), $payload['jti']);
* Remove given token from the given user
* @param $user
protected function removeUserToken($user, Payload $payload)
$this->tokenManager->remove($user->getAuthIdentifier(), $payload['jti']);
* Validate a user's credentials.
* @param array $credentials
public function validate(array $credentials = [])
return $this->attempt($credentials, false);
* Attempt to authenticate a user using the given credentials.
* @param bool $login
public function attempt(array $credentials = [], $login = true)
$this->fireAttemptEvent($credentials, $login);
$this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);
// If an implementation of UserInterface was returned, we'll ask the provider
// to validate the user against the given credentials, and if they are in
// fact valid we'll log the users into the application and return true.
if ($this->hasValidCredentials($user, $credentials)) {
if ($login) {
$this->login($user);
return true;
return false;
* Determine if the user matches the credentials.
* @param mixed $user
protected function hasValidCredentials($user, $credentials)
return ! is_null($user) && $this->provider->validateCredentials($user, $credentials);
* Fire the attempt event with the arguments.
* @return void
protected function fireAttemptEvent(array $credentials, $login)
if (isset($this->events)) {
$this->events->fire(new Attempting(
$credentials, false, $login
));
* Register an authentication attempt event listener.
* @param mixed $callback
public function attempting($callback)
$this->events->listen(Attempting::class, $callback);
* Log a user into the application.
public function login(AuthenticatableContract $user)
$userId = $user->getAuthIdentifier();
$token = $this->generateTokenForUserId($userId);
// If we have an event dispatcher instance set we will fire an event so that
// any listeners will hook into the authentication events and run actions
// based on the login and logout events fired from the guard instances.
$this->fireLoginEvent($user);
$this->setToken($token);
$this->setUser($user);
* generateTokenForUser method
* @param int $userId
* @return string
protected function generateTokenForUserId($userId)
$payload = app('tymon.jwt.payload.factory')->make(['sub' => $userId]);
$token = app('tymon.jwt.auth')->encode($payload);
$this->tokenManager->add($userId, $payload['jti']);
$userId
integer
object<WWON\JwtGuard\Claim>
It seems like the type of the argument is not accepted by the function/method which you are calling.
In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.
We suggest to add an explicit type cast like in the following example:
function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x);
return $token->get();
protected function refreshTokenForUser($token)
$newToken = app('tymon.jwt.auth')->refresh($token);
$payload = $this->getPayloadOfToken($newToken);
$this->tokenManager->add($user->getAuthIdentifier(), $payload['jti']);
return $newToken;
* Fire the login event if the dispatcher is set.
* @param bool $remember
protected function fireLoginEvent($user, $remember = false)
$this->events->fire(new Login($user, $remember));
* Log the given user ID into the application.
* @param mixed $id
* @return \Illuminate\Contracts\Auth\Authenticatable
public function loginUsingId($id)
$this->login($user = $this->provider->retrieveById($id));
return $user;
* Log the user out of the application.
public function logout()
return;
if ($user = $this->getUserByPayload($payload)) {
} catch (TokenMismatchException $e) { }
$this->events->fire(new Logout($this->user));
// Once we have fired the logout event we will clear the users out of memory
// so they are no longer available as the user is no longer considered as
// being signed into this application and should not be available here.
$this->token = null;
$this->loggedOut = true;
* log this user out from every token
public function logoutAll()
$this->tokenManager->removeAll($user->getAuthIdentifier());
* Refresh user token
* @return string|null
public function refreshToken()
return null;
$user = $this->userHasToken($user, $payload) ? $user : null;
$this->removeUserToken($user, $payload);
$this->token = $this->refreshTokenForUser($token);
return $this->token;
* setToken method
public function setToken($token)
$this->token = $token;
* getToken method
* @return null|string
public function getToken()
* getBearerToken method
protected function getBearerToken()
$header = $this->request->header('Authorization', '');
if (starts_with(strtolower($header), 'bearer ')) {
return mb_substr($header, 7, null, 'UTF-8');
wisoot /
jwt-guard
wisoot
It seems like the type of the argument is not accepted by the function/method which you are calling.
In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.
We suggest to add an explicit type cast like in the following example: