opnform/app/Http/Middleware/AuthenticateJWT.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthenticateJWT
{
    const API_SERVER_SECRET_HEADER_NAME = 'x-api-secret';

    /**
     * Verifies the JWT token and validates the IP and User Agent
     * Invalidates token otherwise
     */
    public function handle(Request $request, Closure $next)
    {
        // Parse JWT Payload
        try {
            $payload = \JWTAuth::parseToken()->getPayload();
        } catch (JWTException $e) {
            return $next($request);
        }

        // Validate IP and User Agent
        if ($payload) {
            if ($frontApiSecret = $request->header(self::API_SERVER_SECRET_HEADER_NAME)) {
                // If it's a trusted SSR request, skip the rest
                if ($frontApiSecret === config('app.front_api_secret')) {
                    return $next($request);
                }
            }

            $error = null;
            if (!\Hash::check($request->ip(), $payload->get('ip'))) {
                $error = 'Origin IP is invalid';
            }

            if (!\Hash::check($request->userAgent(), $payload->get('ua'))) {
                $error = 'Origin User Agent is invalid';
            }

            if ($error) {
                auth()->invalidate();
                return response()->json([
                    'message' => $error
                ], 403);
            }
        }

        return $next($request);
    }
}
JWT token IP restriction 2024-01-09 09:43:07 +00:00			`<?php`

			`namespace App\Http\Middleware;`

			`use Closure;`
			`use Illuminate\Http\Request;`
			`use Tymon\JWTAuth\Exceptions\JWTException;`

			`class AuthenticateJWT`
			`{`
URL generation (front&back) + fixed authJWT for SSR 2024-01-11 13:07:27 +00:00			`const API_SERVER_SECRET_HEADER_NAME = 'x-api-secret';`
JWT token IP restriction 2024-01-09 09:43:07 +00:00
			`/**`
			`* Verifies the JWT token and validates the IP and User Agent`
			`* Invalidates token otherwise`
			`*/`
			`public function handle(Request $request, Closure $next)`
			`{`
			`// Parse JWT Payload`
			`try {`
			`$payload = \JWTAuth::parseToken()->getPayload();`
			`} catch (JWTException $e) {`
			`return $next($request);`
			`}`

			`// Validate IP and User Agent`
			`if ($payload) {`
URL generation (front&back) + fixed authJWT for SSR 2024-01-11 13:07:27 +00:00			`if ($frontApiSecret = $request->header(self::API_SERVER_SECRET_HEADER_NAME)) {`
			`// If it's a trusted SSR request, skip the rest`
			`if ($frontApiSecret === config('app.front_api_secret')) {`
			`return $next($request);`
			`}`
			`}`

JWT token IP restriction 2024-01-09 09:43:07 +00:00			`$error = null;`
			`if (!\Hash::check($request->ip(), $payload->get('ip'))) {`
			`$error = 'Origin IP is invalid';`
			`}`

			`if (!\Hash::check($request->userAgent(), $payload->get('ua'))) {`
			`$error = 'Origin User Agent is invalid';`
			`}`

			`if ($error) {`
			`auth()->invalidate();`
			`return response()->json([`
			`'message' => $error`
			`], 403);`
			`}`
			`}`

			`return $next($request);`
			`}`
			`}`