I am not 100% sure, but I think you want to override the createToken() method in ApiTokenCookieFactory. Add the IP in there.
Then you might wanna take the IP from the decoded JWT and throw an exception if it doesn't match the current on. Looks like you can do it in the decodeJwtTokenCookie() method of TokenGuard.
Are you storing those ips in the database @damku999 or only in the jwt?
This will only have effect if you save the jwt into the cookie. It seems the Firebase JWT PHP package is used for cookies and the League's server for Bearer tokens.
To save it in the Bearer token as well, you need to dig deeper into League's server implementation. I did so and it seems that they use lcobucci's library to handle the validation. You should implement your own constraint and somehow append it.
Sign in to participate in this thread!
We'd like to thank these amazing companies for supporting us