
clarkwinkelmann/flarum-ext-jwt-cookie-login
===========================================

Stateless login for Flarum through JWT cookie

Latest version 1.0.0. MIT license. PHP.

JSON Web Token Cookie Login
===========================


This extension implements quasi-stateless JWT-based sessions in Flarum.

The use case for this extension is a global login where an external platform acts as the master. Your code is responsible for setting and refreshing the cookie; Flarum then automatically logs in and/or creates users based on the contents of the JWT. No example code is provided for the master implementation, but the information below should allow you to implement it in any programming language.

Users are matched through the `jwt_subject` column in Flarum's database, which is compared against the token's `sub` claim.

By default, tokens are validated against Google Firebase's public keys (fetched from Google's servers and cached automatically), but custom keys can be configured instead.

A callback hook can be defined to obtain default values for new users from an external API.

The hook can obtain the JWT subject ID in three ways: through the `{uid}` placeholder in the hook URL, by reading the JWT sent in the `Authorization` header, or by reading the `data.id` value of the JSON POST body.

The hook should return a [JSON:API](https://jsonapi.org/) compliant object describing the Flarum user attributes. These attributes will be passed internally to `POST /api/users` so any attribute added by an extension can also be provided.

```
{
  "data": {
    "attributes": {
      "username": "example",
      "email": "example@app.tld"
    }
  }
}
```

The validity of the hook request can be checked via the `Authorization` header. By default it contains `Token ` followed by the JWT, but it can be set to a hard-coded secret token in the admin settings. A custom value is sent verbatim as the header value, with no prefix added (i.e., `Token ` is not prepended).

Users can be edited by their JWT subject ID through the `PATCH /api/jwt/users/` endpoint. It works exactly like `PATCH /api/users/` but takes the JWT subject ID instead of the Flarum ID.

By default, all accounts are enabled immediately. To change this behaviour, return an `"isEmailConfirmed": false` attribute from the registration hook.

An admin user is used internally to call the REST API that creates new Flarum users. By default the user with ID `1` is used; this can be changed in the admin settings. The value must be the Flarum user ID (the MySQL auto-increment), not the JWT subject ID.

Flarum's own session object (a Symfony session) and its session cookie are not used for the stateless authentication, but they are kept because Flarum and some extensions cannot work without them. That session is not invalidated on "login" or "logout" of the stateless JWT authentication, so extensions that rely on it for purposes other than validation messages may misbehave.

### Hidden Iframe


The hidden iframe offers a way to refresh the cookie in the background and optionally to provide auto login.

If the hidden iframe setting is set, the given URL will be loaded in a 0x0 iframe placed outside the browser viewport.

The iframe can use [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to inform Flarum of a change in the session state. The message can be sent at any time and any number of times. You can use a loop repeatedly sending the current state if necessary.

Flarum will check for a change in the reported state and prompt the user to refresh the page if it changes.

If `{jwtSessionState: 'login'}` is sent while Flarum is logged out, Flarum will say the user has been automatically logged in and may refresh the page.

If `{jwtSessionState: 'logout'}` is sent while Flarum is logged in, Flarum will say the session has expired and the user may refresh the page.

If the time elapsed between Flarum boot and the `postMessage` is smaller than the configured "Auto Login Delay", the page will refresh without user interaction.

Switching user without passing through the logout state is currently not supported.

Code example for the iframe:

```
window.parent.postMessage({
  jwtSessionState: 'login',
}, 'https://myforum.mydomain.tld');
```

The last parameter should be the Flarum `origin`. `'*'` also works but is not recommended: with `'*'` the message is delivered to whatever page embeds the iframe, not only to your forum.
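The following is an added example, not code from the extension or its author, covering both ends of the hidden-iframe handshake described above. The sender runs inside the iframe served by the master platform and reports the session state with an explicit target origin; the receiver is a model of the decision the README describes Flarum making when a message arrives, including the `event.origin` check any `message` listener needs so that a message from an unrelated window cannot trigger a refresh. The forum origin, iframe origin and auto-login delay are assumptions.

```javascript
// Added example (not the extension's own code). Origins and the delay are assumptions.
const FORUM_ORIGIN = 'https://myforum.mydomain.tld';  // assumption: the Flarum origin
const IFRAME_ORIGIN = 'https://master.mydomain.tld';  // assumption: where the hidden iframe is served

// Iframe side. `loggedIn` comes from the master platform's own session check. The README
// allows the message to be sent any number of times, so calling this from setInterval is fine.
function reportSessionState(parentWindow, loggedIn) {
  const message = { jwtSessionState: loggedIn ? 'login' : 'logout' };
  // Name the forum origin explicitly; with '*' any page embedding the iframe would receive it.
  parentWindow.postMessage(message, FORUM_ORIGIN);
  return message;
}

// Forum side. `event` is a MessageEvent-like object ({ origin, data }); `ctx` is what the
// page knows about itself: { currentState: 'login'|'logout', elapsedMs, autoLoginDelayMs }.
// Returns the action to take, or 'ignore' for anything that fails a check.
function decideOnSessionMessage(event, ctx) {
  if (event.origin !== IFRAME_ORIGIN) return 'ignore';   // untrusted sender
  const data = event.data;
  if (!data || typeof data !== 'object') return 'ignore';
  const reported = data.jwtSessionState;
  if (reported !== 'login' && reported !== 'logout') return 'ignore';
  if (reported === ctx.currentState) return 'ignore';   // no change in state, nothing to do
  // Within the configured delay after boot the page refreshes on its own; after that the user is prompted.
  if (ctx.elapsedMs < ctx.autoLoginDelayMs) return 'auto-refresh';
  return reported === 'login' ? 'prompt-logged-in' : 'prompt-session-expired';
}

// Browser wiring on the forum side, kept in a function so this module also loads outside a browser.
function installListener(win, ctx, onAction) {
  win.addEventListener('message', (event) => {
    const action = decideOnSessionMessage(event, ctx);
    if (action !== 'ignore') onAction(action);
  });
}

module.exports = { reportSessionState, decideOnSessionMessage, installListener, FORUM_ORIGIN, IFRAME_ORIGIN };
```

In a real page `installListener(window, { currentState, elapsedMs: Date.now() - bootTime, autoLoginDelayMs }, act)` would map `'auto-refresh'` to `location.reload()` and the two prompt actions to the messages the README describes. The origin check is the whole point of the receiver: without it, any page that can get the forum to embed it, or any other frame in the same browsing context, could push a state change.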

Installation
------------


```
composer require clarkwinkelmann/flarum-ext-jwt-cookie-login
```

Support
-------


This extension is under **minimal maintenance**.

It was developed for a client and released as open-source for the benefit of the community. I might publish simple bugfixes or compatibility updates for free.

You can [contact me](https://clarkwinkelmann.com/flarum) to sponsor additional features or updates.

Support is offered on a "best effort" basis through the Flarum community thread.

**Sponsors**: Dater.com

Links
-----


- [GitHub](https://github.com/clarkwinkelmann/flarum-ext-jwt-cookie-login)
- [Packagist](https://packagist.org/packages/clarkwinkelmann/flarum-ext-jwt-cookie-login)
- [Discuss](https://discuss.flarum.org/d/30632)


Tags: jwt, firebase, flarum


PHPackages © 2026

