JWT Expire time not working for API with Api_Action?

yinsw
User
Posts: 148
Location: Penang, Malaysia


Post by yinsw »

In the config file, below is the part of the configuration:

    "JWT" => [
        "SECRET_KEY" => "XXXXXXX", // JWT secret key
        "ALGORITHM" => "HS512", // JWT algorithm
        "AUTH_HEADER" => "X-Authorization", // API authentication header (Note: The "Authorization" header is removed by IIS, use "X-Authorization" instead.)
        "NOT_BEFORE_TIME" => 0, // API access time before login
        "EXPIRE_TIME" => 600 // API expire time
    ]

I created an API in API_ACTION, eg. getSalesTransaction.
I called the following using Postman in the following sequence:
/api/login
/api/getSalesTransaction/123

It works, but if I try to call the 2nd API after 1 hour or the next day, it still executes without having to log in again. How does the timeout work, or is there something I missed configuring?


arbei
User
Posts: 9384

Post by arbei »

If you use your API from the site (by Api_Action), you already have the JWT token (without the need to log in via /api/login) as long as you have logged in. You need to test by logging out of your site first.


yinsw
User
Posts: 148
Location: Penang, Malaysia

Post by yinsw »

From this documentation:

Notes

  1. To access protected resources from the API, you need to authenticate the user first by getting a JSON Web Token (JWT) using the login action, then you must pass the JWT as an authentication header (e.g. X-Authorization, see the advanced setting API JWT authorization header below) in subsequent API requests. Otherwise, you will get a 401 Unauthorized response if the API action is protected.
  2. Each JWT has a limited timespan, so you may need to re-authenticate the user again once the token has expired.

If I understand this correctly, we need to call the /api/login API to get the JWT token. Once we get the JWT token, we can use it to call other APIs. Is it supposed to work this way? As long as we get the first JWT token, can we use it forever?
Point #2 says "Each JWT has a limited timespan"... From what I tested using Postman, it does not expire.


arbei
User
Posts: 9384

Post by arbei »

The docs are for the REST API, see Supported API Actions, which does not include your own API actions by Api_Action. Your own API actions are not protected by JWT at all, so the JWT token is not checked.

If you want to protect your own API action similar to the built-in API action, you may check the JWT token yourself in your action. Refer to the source code of ApiPermissionMiddleware on how to check the JWT token.
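As an added illustration of the point made in this thread (this is example code, not PHPMaker's own ApiPermissionMiddleware or any code from the posters), the block below shows what a custom action has to do that the built-in REST actions do for you: read the token from the X-Authorization header, verify the HS512 signature, and reject the request when the exp claim is in the past. It assumes the firebase/php-jwt library and mirrors the SECRET_KEY, ALGORITHM, AUTH_HEADER and EXPIRE_TIME values from the config quoted in the first post; getSalesTransaction, issueToken and verifyToken are hypothetical names, and the request headers are passed in as a plain array rather than read the way PHPMaker reads them.

```php
<?php
// Added example (not PHPMaker's own code): validating the JWT from the
// X-Authorization header inside a custom Api_Action before serving data.
// Assumes firebase/php-jwt (composer require firebase/php-jwt) and the same
// SECRET_KEY / ALGORITHM / AUTH_HEADER / EXPIRE_TIME values as the config above.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Firebase\JWT\ExpiredException;

// Placeholder values assumed to mirror the "JWT" section of the config.
const JWT_SECRET_KEY  = 'XXXXXXX';
const JWT_ALGORITHM   = 'HS512';
const JWT_AUTH_HEADER = 'X-Authorization';
const JWT_EXPIRE_TIME = 600; // seconds

// Issue a token the way a login action would. The exp claim is what makes
// EXPIRE_TIME enforceable on later requests; without it a token never expires.
function issueToken(string $username, int $now): string {
    $payload = [
        'iat' => $now,
        'nbf' => $now,                    // NOT_BEFORE_TIME = 0
        'exp' => $now + JWT_EXPIRE_TIME,  // EXPIRE_TIME
        'username' => $username,
    ];
    return JWT::encode($payload, JWT_SECRET_KEY, JWT_ALGORITHM);
}

// Verify signature and time claims; returns the decoded claims or null.
function verifyToken(?string $token): ?object {
    if ($token === null || $token === '') {
        return null;
    }
    // Accept "Bearer <token>" as well as a bare token in the header.
    if (stripos($token, 'Bearer ') === 0) {
        $token = trim(substr($token, 7));
    }
    try {
        // JWT::decode checks the HS512 signature against the configured key
        // and rejects tokens whose exp is in the past or nbf is in the future.
        return JWT::decode($token, new Key(JWT_SECRET_KEY, JWT_ALGORITHM));
    } catch (ExpiredException $e) {
        return null; // token is past its exp claim: the caller must log in again
    } catch (\Throwable $e) {
        return null; // bad signature, malformed token, wrong algorithm, ...
    }
}

// Hypothetical custom action: refuse to run unless the token verifies,
// which is the check a built-in REST action gets from the middleware.
function getSalesTransaction(array $requestHeaders, string $id): array {
    $claims = verifyToken($requestHeaders[JWT_AUTH_HEADER] ?? null);
    if ($claims === null) {
        http_response_code(401);
        return ['success' => false, 'error' => 'Unauthorized'];
    }
    // Constructed stub: load the transaction for $claims->username here.
    return ['success' => true, 'id' => $id, 'user' => $claims->username];
}

// Constructed demonstration: a freshly issued token is accepted, while a token
// issued longer than EXPIRE_TIME ago is rejected with 401.
$fresh = issueToken('demo', time());
var_dump(getSalesTransaction([JWT_AUTH_HEADER => $fresh], '123'));
$stale = issueToken('demo', time() - JWT_EXPIRE_TIME - 60);
var_dump(getSalesTransaction([JWT_AUTH_HEADER => $stale], '123'));
```

Run it from the command line after installing the library; the first call returns the success array, the second returns the Unauthorized array, which is the behaviour the original poster expected from EXPIRE_TIME. The decisive detail is that expiry is a property of the token's exp claim plus a check on the receiving side: a custom action that never calls the verification step will keep accepting an old token indefinitely, exactly as observed in Postman.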

