Chaining $response methods

#1

Cheers,

i am fairly new to slim and programming in php altogether. i’m enjoying the framework quite alot so far.

i’m sending my jwt in every response header with

return $response->withStatus(200)->withHeader($token);

that works as expected. if i add a withRedirect() or another withHeader(‘Location’ , ‘my route’) the token gets lost in space.

is there a possibility to add an array of headers to ->withHeader()? like [[‘token’, $token],[‘Location’,’my route’]]?
or maybe there is some neat other way?

thanks in advance!

ps: i followed daniel opitz’s tutorial on slim 4 - thanks alot for that. i couldn’t implement the jwtAuthentication from mika tuupola to that setup, thats why i’m running the withHeader thing for now…

#2

Welcome @stefanvz

A redirection in the HTTP protocol doesn’t support adding any headers to the target location. It’s basically just a header in itself and only allows a URL.

HTTP/1.1 307 Temporary Redirect
Location: https://example.com/

When you are adding your token header you are only sending that header back to the client:

HTTP/1.1 307 Temporary Redirect
Location: https://example.com/
token: ...

Other than HTTP cookies, there’s nothing in the protocol specification about forwarding headers. The client needs to implement this functionality.

If you only need the JWT in your client JavaScript, consider adding it as a search param to the redirect URL. The search params won’t be sent to the server when requesting a URL, so the token shouldn’t end up in any logs.

PHP

$response = $response->withRedirect('https://example.com#token={jwt}');

JavaScript

const token = (new URL(document.location)).searchParams.get('token')
#3

understood. thanks for your advice, will refactor my service and the client.

update: the cookie variant sounds promising. read some about http_only and other security settings lately. will scan through docs and forum to find prior discussions on the topic.