PHP8 & lcobucci/jwt 4 compatibility #2117
Conversation
BREAKING CHANGE: The signature of `Tymon\JWTAuth\Providers\JWT\Lcobucci::__construct()` has been changed, because the previously injected dependencies are deprecated now. But it looks like it has only really been set up the way it was to facilitate testing, and the change should not affect users using it through the ServiceProvider.
All tokens were generated the same from the library, because the builder instance was not persistent between adding the claims.
Fixes "Error : Call to undefined method DateTimeImmutable::getValue()"
|
@tymondesigns any chance to review this? |
|
Can anybody merge this pull request please? :) |
|
@tymondesigns Can you please merge this pull request? |
|
Please merge @tymondesigns |
|
+1. This package is starting to conflict with other packages using version v4.x of |
|
Github is not allowing me to run the workflow/tests for this right now due to a 500 error. I will check back later to see if it's resolved. I may end up just re-creating the PR if I need to |
|
@tymondesigns any update about this, I'm using PHP8 and I'm using another library that require version 4 of |
|
I've made a temporary fork until this PR is merged and submitted it to Packagist. Might be useful for other people here. |
|
Come on, guys... @tymondesigns |
|
@tymondesigns A merge would be great 😄 |
|
What if he’s dead? :( |
|
Well I really hope he's OK and healthy. |
Just saying because I tried to contact through LinkedIn and there was no answer, also his Twitter has been dead for a while… |
He is alive! Please look at the github profile activity |
|
For those that can, I'd suggest migrating to https://laravel.com/docs/master/sanctum or https://laravel.com/docs/master/passport @tymondesigns has put a lot of work into this library to solve a problem that existed in 2016 (5-6 years ago) and like everybody else we thank him for his time and effort. Even though this project is sponsored by auth0 I don't think they are paying him enough to dedicate more time to it. It doesn't make much sense to provide updates/support when there are official libraries that will give you the same functionality. Giving the project to another maintainer on 99% of the cases is not an option as the person taking over would have to be trusted. |
Ok, but in this case that's a good solution, it's good for @tymondesigns to leave another maintainer to help him merge the PR's opened. |
|
I already send an email to him asking about this situation and see how can
we support him, otherwise will be hard to keep this going.
*Best Regards,*
*Fabio William Conceição*
*Remote: https://remote.com/fabiowilliam <https://remote.com/fabiowilliam>*
*Tel/Whastapp: +351 93 212 1477*
*Skype: fabioo.william.conceicao*
*LinkedIn:
https://www.linkedin.com/in/fabio-william-concei%C3%A7%C3%A3o-379b9823/
<https://www.linkedin.com/in/fabio-william-concei%C3%A7%C3%A3o-379b9823/>*
*Github: **https://github.com/Messhias/ <https://github.com/Messhias/>*
*Upwork: https://www.upwork.com/o/profiles/users/_~0126d10487b9843f68/
<https://www.upwork.com/o/profiles/users/_~0126d10487b9843f68/>*
Em qua., 14 de jul. de 2021 às 20:34, dir ***@***.***>
escreveu:
… Read through the code and looks well handled, also tested successfully on
local.
@tymondesigns <https://github.com/tymondesigns> please can you find
another(s) maintainer(s) for this repo? The issues and evolution are taking
too long.
Agreed, totally understand how draining it can be to run an open source
project @tymondesigns <https://github.com/tymondesigns>, so no worries,
but we would like to lift some weight off your shoulders in order to keep
this going.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#2117 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAI3QQ2MGP2ZSEIBNOXVT3TTXXRFBANCNFSM43YDFBXA>
.
|
|
It's been 6 months, I hate to do this, but... fork inbound? This library has to do with security, and we can't go 6 months without a PR. I don't have time to manage this, but would be willing to help out. cc @Messhias @BenceSzalai |
|
I am happy to help when and where I can, and this applies to this repo as well as to forks, however I assume forking such a popular library would need wide community consensus and I'm certainly not the guy to build that out. Edit: Hopefully he will appoint some other maintainers if he's schedule stays too tight for the foreseeable future. |
I'm helping in the best way I can do too since I'm already in the Unreal Engine open source too trying to help, but the whole point of the topic and those PR's start being old is because the library is still a solo maintainer. And about changing, you're totally right in the case of this library because if you see there's already a wide developer using it, if you type "laravel JWT package" on google this library it's the ones show first, there's a plenty tutorial using it. So the best way to keep doing some work with consistency is @tymondesigns to take at least 4 more maintainers or at least 2, keep it going (even in a smoothy and slow way), and start-stop the gap of months between an acceptance of a PR to another. |
|
Any chance to get the new release with PR? |
|
HAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHAHAHAHHAHAHAHHAHAHAHAHAHHAHA |
|
@tymondesigns please, we can't move forward without this |
|
+1 |
|
Hi guys, I was facing the same problems with So, I've decided to build a package of my own that handles JWT auth for Laravel apps => https://github.com/rcerljenko/laravel-jwt Package highlights:
Who should use this package?
As I said, we already use this in our company on production projects and it looks stable, safe and it doesn't stops us from installing some packages that we couldn't before. Feel free to at least take a look and give some smart insight! Cheers! |
I almost changed to your package, but I don't see the reason for firebase be mandatory. |
|
@Messhias well you have to have some sort of JWT generator library like Lcobucci, Namshi, Firebase, etc... Alternative is to create your own provider but I don't see the point in that since these exist. |
Might be you can modulate your package too, like to accept working with or without it. I guess it'll help you out attract more maintainers. |
|
@Messhias I see... you mean like to add support for different JWT libraries so that user can choose via config file which one to use? That's a great idea but it adds an extra dependencies besides the default Firebase. |
Yes, it add, but you already added one, what's the problem with more dependencies? More robust libraries work in that way if this is your goal with your library. |
|
@Messhias my goal is really a simple, easy to use and easy to maintain library that serves it's purpose and that's a stable and secure JWT auth guard for Laravel apps... nothing more and nothing less |
@rcerljenko After release of a new version of Laravel, will you immediately drop support for the old versions? I am worried about the lts version (Laravel 9) |
|
@Barmunksu no. I will continue to support Laravel 8 as well as 9. No reason to drop support for now... |
Migrated pull request tymondesigns/jwt-auth#2117
|
@tymondesigns i absolutely understand you're probably on a new project or a new road. I can also understand that maybe you do not have the time to help with this anymore. What i can't understand is how you can be active on github and simply ignoring this. See, most of open source developers keep saying that: "it's open source, you can contribute too!" --- Well, on this specific issue people came together and helped. This is an issue keeping people from actually upgrading to PHP 8, which has been released almost one year ago. If you do not have the time to keep maintaining this, please ask for help. I'm sure people will come together and help (as they already did), but continuing to keep this specific issue (others as well) in limbo appears to me as bad faith. As always, i like to thank for the hard work to the developers who's packages i use and i think this is the case too. Even though i've only inherited a project stumbling on this issue, i think i can safely assume that this project is abandoned. I will probably move to other alternatives. Thank you for your time spent on building and maintaining this. |
Hi, |
|
PLease, love see this one merged! |
|
@wjonkerhulst the fork mentioned in the comment above yours has switched to This happened in the https://github.com/PHP-Open-Source-Saver/jwt-auth/releases/tag/1.1.0 release. Please see the migration guide at https://github.com/PHP-Open-Source-Saver/jwt-auth#migrating-from-tymondesignsjwt-auth |
|
@mfn I'm aware of that project. But to be honest, I do not have a lot of confidence in that project. Two examples. A bug as mentioned in PHP-Open-Source-Saver/jwt-auth#84 should not be able to happen. I feel like the feature was added to the project without understanding the ramifications. The problem is also not yet resolved which makes it a no-go for me to use it in my project. Furthermore in PHP-Open-Source-Saver/jwt-auth#89 @Messhias mentions being in a turbulent time. So I'm unsure if he is able and willing to keep up with the maintenance burden. |
|
I think it's very clear that this one won't be merged. Put your efforts in a fork or another solution, tymondesigns/jwt-auth is dead. |
|
Sad times for tymondesigns/jwt-auth |
…o version 4 and php 8
This PR addresses #2088, #2082, #2103 and probably others. It probably supersedes #2073 which does not include all required changes to update
lcobucci/jwtto v4.x. Also relates to topics mentioned under #2059.Existing tests are updated and pass, and I've also tried some basic use-cases. You can see 3 fixes in the gitlog. The "funny" thing is that those serious issues were not indicated by any automated tests. Probably it would be best to make some tests that check if the tokens are generated with the right content and validated properly, instead of only checking if mocked methods are being called. That being said, I cannot spend more time on this, so I'll leave it up to others.
Please note I'm not a security expert, so review before using this for anything serious!