Some of the JSON models that we POST to our API contain a property called token. Since this library initializes the parser chain order as AuthHeaders, QueryString, InputSource, RouteParams, Cookies in AbstractServiceProvider and LaravelServiceProvider, the token property in the JSON is being used as a JWT token instead of the value in the cookie.
Your environment:
| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 8.83.27 |
| Package version | 2.0 |
| PHP version | 8.2 |
Steps to reproduce
Do not provide an authorization header, instead rely on the token contents in cookies (and therefore the cookie token parser).
POST a request with a payload containing a form data attribute token:
Expected behaviour
Cookie tokens should be parsed before InputSource, or an option to do this should be provided. Some other packages (such as Laravel Nova where this request originated) cannot add headers to API requests and apparently must rely on cookies for authentication with JWT, so this is preventing the use of this package for Nova resources which have a column named token.
Actual behaviour
The incorrect token is being used and therefore the request is unauthorized.
Note you can use a workaround here by overriding Laravel's AuthServiceProvider boot method and including this:
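```php
// Inside AuthServiceProvider::boot(): fetch the JWT token parser from the container.
$parser = $this->app['tymon.jwt.parser'];

// Put the Cookies parser at the front of the chain so the cookie is checked before InputSource.
// The leading backslash makes the class name fully qualified inside a namespaced provider.
$parser->setChain([
    new \PHPOpenSourceSaver\JWTAuth\Http\Parser\Cookies($this->app->make('config')->get('jwt.decrypt_cookies')),
    ...$parser->getChain(),
]);
```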
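The shadowing described in this issue, and the effect of the workaround's reordering, as an added example that is not part of the original issue or the library's code. It assumes the chain returns the first token any parser finds, which is the behaviour the issue describes; the closures, the `parseToken` helper and the request array are hypothetical stand-ins and constructed data.

```php
<?php
// Model of a first-match parser chain. The closures are hypothetical stand-ins
// for the library's parser classes; the request array is constructed sample data.

/** Return [parser name, token] for the first parser that yields a token. */
function parseToken(array $chain, array $request): ?array
{
    foreach ($chain as $name => $parser) {
        $token = $parser($request);
        if ($token !== null && $token !== '') {
            return [$name, $token];
        }
    }
    return null; // no parser found a token
}

// Default order named in the issue.
$defaultChain = [
    'AuthHeaders' => function (array $r): ?string {
        $header = $r['headers']['Authorization'] ?? '';
        return preg_match('/^Bearer\s+(\S+)$/i', $header, $m) ? $m[1] : null;
    },
    'QueryString' => fn (array $r): ?string => $r['query']['token'] ?? null,
    'InputSource' => fn (array $r): ?string => $r['input']['token'] ?? null,
    'RouteParams' => fn (array $r): ?string => $r['route']['token'] ?? null,
    'Cookies'     => fn (array $r): ?string => $r['cookies']['token'] ?? null,
];

// Order produced by the workaround: Cookies first, then the original chain.
$cookieFirst = ['Cookies' => $defaultChain['Cookies']] + $defaultChain;

// Constructed request: no Authorization header, a JWT in the cookie, and a JSON
// body whose model happens to have a "token" column.
$request = [
    'headers' => [], 'query' => [], 'route' => [],
    'input'   => ['name' => 'demo', 'token' => 'resource-column-value'],
    'cookies' => ['token' => 'constructed.jwt.value'],
];

$report = function (string $label, array $chain, array $req): void {
    [$source, $token] = parseToken($chain, $req) ?? ['none', ''];
    printf("%-28s source=%-11s token=%s\n", $label, $source, $token);
};

$report('default chain', $defaultChain, $request);
$report('cookie-first chain', $cookieFirst, $request);
// Same cookie-first chain when the client also sends an Authorization header.
$request['headers']['Authorization'] = 'Bearer constructed.header.jwt';
$report('cookie-first + auth header', $cookieFirst, $request);
```

Running it shows which source supplies the credential in each ordering, including the case where a cookie and an Authorization header arrive on the same request.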