CURL always bypasses authentication issue

Hi there,

I am new to Slim Framework, using JWT to protect my API. It helped me to protect the site, redirecting to the Auth page at abc.com/auth. After login with the correct username/password, a cookie is set ($_COOKIE['access_token']) and the client can see the homepage's content.

But with a curl from another site with the URL set to 'abc.com', all of the homepage's content is shown (I call curl in GUEST MODE, with no cookie…).

This is my code, I hope someone can help me out ;)!

Br,

<?php
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Psr7\Response;
use Selective\BasePath\BasePathMiddleware;
use Slim\App;
use Slim\Middleware\ErrorMiddleware;

return function (App $app) {
    // Parse json, form data and xml
    $app->addBodyParsingMiddleware();

    $app->add(function (Request $request, RequestHandler $handler) {
        $before = '';
        // The route handler runs first, so its full output is already in
        // $response before the cookie is checked.
        $response = $handler->handle($request);
        $uri = $request->getUri();

        if (!isset($_COOKIE['access_token']) && $uri->getPath() != '/auth') {
            // The redirect is built from the handler's own response, so the
            // 302 still carries the page content in its body.
            return $response->withHeader('Location', '/auth')->withStatus(302);
        } else {
            // The token is read but not verified here.
            $token = $_COOKIE['access_token'];
        }
        $existingContent = (string) $response->getBody();

        $response = new Response();
        $response->getBody()->write($before . $existingContent);

        return $response;
    });
    $app->add(function ($request, $handler) {
        $response = $handler->handle($request);
        $response->getBody()->write('AFTER');
        return $response;
    });
    // Add the Slim built-in routing middleware
    $app->addRoutingMiddleware();

    $app->add(BasePathMiddleware::class); // <--- here

    // Catch exceptions and errors
    $app->add(ErrorMiddleware::class);
};

I think that cookies and JWT are conceptually contrary, because a JWT is stateless and a cookie is not stateless. So my question is why do you mix these two different concepts? Why don't you use just cookies for the login and the session?

Thank you for the reply! I am using both for 2 different purposes:
1/ for Web user
2/ for API call from Web App (and Mobile App…)

My teacher helped me to fix this with this modified code (hope it helps someone else…)

Br,

<?php

use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Psr7\Response;
use Selective\BasePath\BasePathMiddleware;
use Slim\App;
use Slim\Middleware\ErrorMiddleware;

return function (App $app) {

    // Parse json, form data and xml
    $app->addBodyParsingMiddleware();

    $app->add(function (Request $request, RequestHandler $handler) {
        $before = 'Before';
        // The route handler still runs before the cookie check, but its
        // output is kept aside in $existingContent ...
        $response = $handler->handle($request);
        $existingContent = (string) $response->getBody();
        // ... and the response returned from here is a fresh one.
        $response = new Response();

        $uri = $request->getUri();

        if (!isset($_COOKIE['access_token']) && $uri->getPath() != '/auth') {
            // The 302 is built on the fresh Response, so its body holds only
            // 'Redirect...' and not the page content.
            $response->getBody()->write('Redirect...');
            return $response->withHeader('Location', '/auth')->withStatus(302);
        } else {
            $token = $_COOKIE['access_token'];
        }

        // Cookie present: emit the handler's content.
        $response->getBody()->write($before . $existingContent);

        return $response;
    });

    $app->add(function ($request, $handler) {
        $response = $handler->handle($request);
        $response->getBody()->write('AFTER');
        return $response;
    });

    // Add the Slim built-in routing middleware
    $app->addRoutingMiddleware();

    $app->add(BasePathMiddleware::class); // <--- here

    // Catch exceptions and errors
    $app->add(ErrorMiddleware::class);
};
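Two things in the thread's middleware are worth tightening beyond the teacher's version, shown here as an added example (it is not code from the thread, from the teacher, or from Slim itself). First, both versions call $handler->handle($request) before looking at the cookie, so the protected route always executes; the original then attached the Location header to that same response, and since a PSR-7 withHeader()/withStatus() call keeps the body, curl without -L printed the page along with the 302. Second, isset($_COOKIE['access_token']) only tests that a cookie exists; any value passes. The middleware below decides before the route runs, returns a 302 with an empty body, reads the cookie from the PSR-7 request, and verifies an HS256 JWT signature and exp claim. It assumes the composer packages used in the thread (slim/slim, slim/psr7, selective/basepath), that login issues HS256 tokens with an exp claim, and a hypothetical JWT_SECRET environment variable holding the HMAC key used at login; verifyHs256Jwt is a helper written for this example.

```php
<?php
// Added example (not from the original thread): auth check before the route
// runs, plus real JWT verification. Assumes slim/slim, slim/psr7 and
// selective/basepath from composer, and a hypothetical JWT_SECRET env var.
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Selective\BasePath\BasePathMiddleware;
use Slim\App;
use Slim\Middleware\ErrorMiddleware;
use Slim\Psr7\Response;

/**
 * Verify a compact JWS (header.payload.signature) signed with HS256.
 * Returns the decoded claims on success, or null on any failure.
 * (Hypothetical helper written for this example.)
 */
function verifyHs256Jwt(string $jwt, string $secret, int $now): ?array
{
    if ($secret === '') {
        return null;                       // refuse to verify with an empty key
    }
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // base64url decode with strict alphabet checking
    $b64 = static function (string $in) {
        $pad = str_repeat('=', (4 - strlen($in) % 4) % 4);
        return base64_decode(strtr($in, '-_', '+/') . $pad, true);
    };

    // Pin the algorithm: never let the token's "alg" choose the verifier.
    $header = json_decode((string) $b64($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    $sig = $b64($s);
    if ($sig === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $h . '.' . $p, $secret, true);
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;
    }

    $claims = json_decode((string) $b64($p), true);
    if (!is_array($claims)) {
        return null;
    }
    // exp is mandatory here; an expired token is rejected.
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

return function (App $app): void {
    // Parse json, form data and xml
    $app->addBodyParsingMiddleware();

    $app->add(function (Request $request, RequestHandler $handler): ResponseInterface {
        // Assumes the app is served from the document root, as in the thread.
        if ($request->getUri()->getPath() === '/auth') {
            return $handler->handle($request);      // login page stays public
        }

        // Read the cookie from the PSR-7 request rather than $_COOKIE.
        $token  = $request->getCookieParams()['access_token'] ?? '';
        $claims = $token !== ''
            ? verifyHs256Jwt($token, (string) getenv('JWT_SECRET'), time())
            : null;

        if ($claims === null) {
            // Decide BEFORE the route runs: the protected handler is never
            // invoked, and the 302 has an empty body, so a client that does
            // not follow redirects (curl without -L) gets no content.
            return (new Response())
                ->withHeader('Location', '/auth')
                ->withStatus(302);
        }

        // Hand the verified identity to routes instead of re-parsing the cookie.
        return $handler->handle($request->withAttribute('jwt_claims', $claims));
    });

    // Add the Slim built-in routing middleware
    $app->addRoutingMiddleware();

    $app->add(BasePathMiddleware::class);

    // Catch exceptions and errors
    $app->add(ErrorMiddleware::class);
};
```

The key used in hash_hmac must be the same secret the login route used to sign the token, which is why it is read from one place (JWT_SECRET) rather than being embedded in the middleware. Routes can then read $request->getAttribute('jwt_claims') to get the subject and other claims without touching the cookie again. Note that the check order matters even when the body is empty: in the thread's versions the route has already run by the time the redirect is issued, so any side effects of the route (writes, logging, rate-limit counters) happen for unauthenticated requests too.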