From 6b03808d36a29006a5af91842a6fa5d689147e3e Mon Sep 17 00:00:00 2001
From: Julien Nahum
Date: Wed, 7 May 2025 08:26:33 +0200
Subject: [PATCH] Enhance JWT Authentication Middleware and Configuration

- Updated the `AuthenticateJWT.php` middleware to conditionally skip IP and User Agent validation based on a new configuration setting, improving flexibility for users with dynamic IPs.
- Added a new configuration option `jwt_skip_ip_ua_validation` in `app.php` to control the validation behavior, allowing it to be set via the environment file.
- Updated documentation in `environment-variables.mdx` to include the new configuration option, ensuring users are informed about its purpose and usage.
These changes enhance the JWT authentication process by providing an option to bypass IP and User Agent validation, improving usability for self-hosted users.
---
 api/app/Http/Middleware/AuthenticateJWT.php | 5 +++++
 api/config/app.php | 13 +++++++++++++
 docs/configuration/environment-variables.mdx | 1 +
 3 files changed, 19 insertions(+)
diff --git a/api/app/Http/Middleware/AuthenticateJWT.php b/api/app/Http/Middleware/AuthenticateJWT.php
index 82016196..e4da8d31 100644
--- a/api/app/Http/Middleware/AuthenticateJWT.php
+++ b/api/app/Http/Middleware/AuthenticateJWT.php
@@ -16,6 +16,11 @@ class AuthenticateJWT
 */
 public function handle(Request $request, Closure $next)
 {
+ // If skipping IP and UA validation is enabled in config, skip the rest
+ if (config('app.jwt_skip_ip_ua_validation')) {
+ return $next($request);
+ }
+
 // Parse JWT Payload
 try {
 $payload = \JWTAuth::parseToken()->getPayload();
diff --git a/api/config/app.php b/api/config/app.php
index dfe4daba..e409eb8b 100644
--- a/api/config/app.php
+++ b/api/config/app.php
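Review bot: The early return added at the top of `handle()` in AuthenticateJWT.php skips the whole middleware body, not only the IP/User-Agent comparison, and the comment "skip the rest" does not say what protection is lost. With the flag on, a token is presumably no longer checked against the client it was issued to, so a copied token would be accepted from any address until it expires; the comment should state that, e.g. `// SECURITY: disables the IP / User-Agent check on JWTs; a leaked token is then usable from any client until expiry.` The rest of `handle()` lies outside this hunk: if it does anything besides the IP/UA comparison, move the flag check down to just before that comparison so only the comparison is bypassed.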
@@ -68,6 +68,19 @@ return [
 'front_url' => env('FRONT_URL', null),
 'front_api_secret' => env('FRONT_API_SECRET', null),
+ /*
+ |--------------------------------------------------------------------------
+ | JWT IP and User Agent Validation
+ |--------------------------------------------------------------------------
+ |
+ | This value determines if the IP and User Agent validation for JWT tokens
+ | should be skipped. This can be useful for self-hosting users with dynamic IPs.
+ | Set this in your ".env" file.
+ |
+ */
+
+ 'jwt_skip_ip_ua_validation' => env('JWT_SKIP_IP_UA_VALIDATION', false),
+
 /*
 |--------------------------------------------------------------------------
 | Application Timezone
diff --git a/docs/configuration/environment-variables.mdx b/docs/configuration/environment-variables.mdx
index 8dff5f89..9d4b6be8 100644
--- a/docs/configuration/environment-variables.mdx
+++ b/docs/configuration/environment-variables.mdx
@@ -41,6 +41,7 @@ There are dedicated configuration pages available for more detailed setup instru
 | `FRONT_API_SECRET` | Shared secret with the front-end. |
 | `TELEGRAM_BOT_ID` | ID of your Telegram bot for notifications. |
 | `TELEGRAM_BOT_TOKEN` | Authentication token for your Telegram bot. |
+| `JWT_SKIP_IP_UA_VALIDATION` | Set to `true` to disable JWT IP and User Agent validation (defaults to `false`). Useful for dynamic IPs. |
 ### User Options Environment Variables
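Review bot: `'jwt_skip_ip_ua_validation' => env('JWT_SKIP_IP_UA_VALIDATION', false)` in api/config/app.php can hand the middleware a raw string, and `if (config('app.jwt_skip_ip_ua_validation'))` tests only truthiness, so a value such as `no` or `off` in `.env` would switch validation off. Because this flag disables a security check it should fail closed: `'jwt_skip_ip_ua_validation' => filter_var(env('JWT_SKIP_IP_UA_VALIDATION', false), FILTER_VALIDATE_BOOLEAN),`. The docblock above it mentions only the dynamic-IP convenience; add one line saying that enabling it removes the IP/User-Agent check on issued tokens.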