JWTManager uses undefined function "getCredentials" of class "Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken" #1040

Closed
nourheine opened this issue Jun 16, 2022 · 8 comments

Comments

@nourheine

nourheine commented Jun 16, 2022

Hi guys!
I'm using Symfony 6 (after I upgraded from version 5.3). I installed the LexikJWTAuthenticationBundle bundle, and now I intend to decode the created token, so I referred to this documentation:
https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/9-access-authenticated-jwt-token.html

I got this error when I use this code to decode the generated token:
Attempted to call an undefined method named "getCredentials" of class "Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken"

I suppose that the decode function in Lexik\Bundle\JWTAuthenticationBundle\Services\JWTManager uses the function getCredentials that is deprecated in Symfony 5.4 and removed in Symfony 6.

I would appreciate any help! Thanks in advance.

@fmarchalemisys

Hi,

I just got hit by this bug.

The failure is caused by \Lexik\Bundle\JWTAuthenticationBundle\Services\JWTManager::decode() declared as expecting a TokenInterface which, as you pointed out, has no getCredentials() anymore.

It works when called with a JWTUserToken, PreAuthenticationJWTUserToken or JWTPostAuthenticationToken because they all define the getCredentials() method.

Unfortunately, no interface is defined to easily check the provided token is compatible with JWTManager::decode().

The only solution on your side is to check the method exists on the token before trying to decode it:

if (!\is_object($token) || !method_exists($token, "getCredentials")) {
    throw new \Exception("Not a jwt token");
}
$payload = $jwtManager->decode($token);
if ($payload === false) {
    throw new \Exception("Invalid jwt token");
}

Are you guys open to a PR adding a JWTTokenInterface and updating JWTManager::decode(JWTTokenInterface $token) (it will break custom tokens not implementing the new interface), or is the problem more structural than this (i.e. must get rid of getCredentials() altogether), or should the above check be included in JWTManager::decode() to cleanly return false while still accepting any TokenInterface?

@chalasr
Collaborator

chalasr commented Dec 2, 2023

Hi, sorry about the super late reply, but I'd need some reproducing code in order to understand the issue and eventually fix it. Please comment if you can provide that.

@chalasr chalasr closed this as completed Dec 2, 2023
@fmarchalemisys

Hi @chalasr,

Can you tell us why this issue is closed, please?

The offending code is unchanged in v3 branch and v2 branch.

And, as far as I can see, \Symfony\Component\Security\Core\Authentication\Token\TokenInterface still has no getCredentials() method.

Running phpstan on vendor/lexik/jwt-authentication-bundle/Services/JWTManager.php (v2) rightly says:

 ------ -------------------------------------------------------------------------------------------------------------------- 
  Line   JWTManager.php                                                                                                      
 ------ -------------------------------------------------------------------------------------------------------------------- 
  108    Call to an undefined method Symfony\Component\Security\Core\Authentication\Token\TokenInterface::getCredentials().  
 ------ -------------------------------------------------------------------------------------------------------------------- 

Can you provide a link to the PR fixing the issue so I can review it?

@chalasr
Collaborator

chalasr commented Jan 10, 2024

I closed the issue due to the lack of reply from the OP and more precisely the lack of reproducing code.
Please provide that missing reproducer or submit a PR directly if you'd like this to be fixed. Thanks!

@fmarchalemisys

By a reproducer code, you mean something like this?

$token = new NullToken();
$this->jwtManager->decode($token);

Any class inheriting from TokenInterface will break the decode method. It happens on systems supporting other authentication methods apart from JWT.

As I stated, you don't even need a reproducer code. You might simply want to fix the error reported by phpstan on vendor/lexik/jwt-authentication-bundle/Services/JWTManager.php, just for the sake of having a clean code 🙂

It is hard for me to propose a PR as I don't even know what would be an acceptable solution. I suggested three possibilities in my previous message.

@SebLevDev

SebLevDev commented Oct 24, 2024

Same issue.
During tests with PHPUnit I have a $token of the TestBrowserToken class.
In this case $token->getCredentials() === null and this causes an error:

request.CRITICAL: Uncaught PHP Exception TypeError: "Lexik\Bundle\JWTAuthenticationBundle\Services\JWSProvider\LcobucciJWSProvider::load(): 
Argument #1 ($token) must be of type string, null given, 
called in /www/vendor/lexik/jwt-authentication-bundle/Encoder/LcobucciJWTEncoder.php on line 47" at LcobucciJWSProvider.php line 112
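
Added example, not part of any comment in this thread and not the bundle's code: a caller-side guard that fails closed on both failure modes reported above (no getCredentials() method, and getCredentials() returning null). The token classes, the helper name decodeIfJwtToken and the $fakeDecode closure are constructed stand-ins; in an application $decode would wrap the call to JWTManager::decode().

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for the token shapes reported in this thread
// (not the real Symfony or bundle classes).
final class TokenWithoutCredentials {}            // no getCredentials(), like NullToken
final class TokenWithNullCredentials              // getCredentials() === null
{
    public function getCredentials(): ?string { return null; }
}
final class TokenWithRawJwt                       // carries the encoded JWT string
{
    public function __construct(private string $rawJwt) {}
    public function getCredentials(): string { return $this->rawJwt; }
}

/**
 * Hypothetical helper: call $decode only for tokens that can carry a JWT.
 * $decode stands in for a call to JWTManager::decode(); returns the payload
 * array, or null when the token is not a JWT token or decoding fails.
 */
function decodeIfJwtToken(object $token, callable $decode): ?array
{
    // Failure 1: the token class has no getCredentials() at all.
    if (!method_exists($token, 'getCredentials')) {
        return null;
    }
    // Failure 2: the method exists but yields null (or another non-string),
    // which would otherwise surface as a TypeError inside the JWS provider.
    $rawJwt = $token->getCredentials();
    if (!is_string($rawJwt) || $rawJwt === '') {
        return null;
    }
    $payload = $decode($token);
    return is_array($payload) ? $payload : null;
}

// Constructed decoder for the demo: no signature check, fixed payload.
$fakeDecode = static fn (object $t): array|false =>
    $t->getCredentials() === 'constructed.jwt.value' ? ['username' => 'alice'] : false;

var_dump(decodeIfJwtToken(new TokenWithoutCredentials(), $fakeDecode));
var_dump(decodeIfJwtToken(new TokenWithNullCredentials(), $fakeDecode));
var_dump(decodeIfJwtToken(new TokenWithRawJwt('constructed.jwt.value'), $fakeDecode));
var_dump(decodeIfJwtToken(new TokenWithRawJwt('something-else'), $fakeDecode));
```

Returning null for every non-JWT case keeps the caller from treating a token from another authenticator as if it carried a verified JWT payload.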

@chalasr
Collaborator

chalasr commented Oct 26, 2024

PR welcome 🙏

@fmarchalemisys

The PR is here: #1244
