To be honest, I don't understand the concept of Laravel Sanctum. Before there was Sanctum, people used JWT. That always worked very well. In other frameworks in the Node context, I only use JWT. I am very confused by the paragraph about the SPA Auth (https://laravel.com/docs/9.x/sanctum#how-it-works-spa-authentication). It talks about Sanactum also using the web auth. Does that mean that if I log in via the web route (auth), I can also use the api route (auth:sanctum)?
Thanks! Max
Related
the more I read about Laravel Spa (Vue) authentication, the more I ask myself about the "best way" to authenticate with Sanctum.
Official Laravel documentation says:
For this feature, Sanctum does not use tokens of any kind. Instead,
Sanctum uses Laravel's built-in cookie based session authentication
services. This approach to authentication provides the benefits of
CSRF protection, session authentication, as well as protects against
leakage of the authentication credentials via XSS.
But a lot of videos on YouTube or other tutorials on the internet all using (bearer) tokens which sounds contradictory to me. I mean, just using a single token for authentication seems to be a bit unsafe to me.
Also, some of those people defined "login" and "register" routes directly into Laravels route file, instead of using Vue router.
I'm using Laravel 8, VueJS 3 and Vuex 4.
So, what do you think: Am I on the right way by using Vue routes and sanctum authentication using cookies or not? And why?
Thank you, I appreciate that.
I am newbie with laravel.
I understand that in order to protect routes, you have to first check if a user is authenticated and a session is made. thus, we apply auth middleware in the web routes.
However, I am trying to implement laravel passport and now I am not able to proceed to my routes anymore since I have been authenticated using the passport.
My question is that is it possible to secure the web routes with passport token instead of laravel session? and if so, how one should do it?
Thanks, sorry for english, not native speaker.
Laravel passport is for API routes not for web routes you can use laravel session for web
for more details read it's documentation
https://laravel.com/docs/8.x/passport
Description
Currently, all my clients project was builded using Laravel Passport but recently I had read about the Laravel Sactum. It sounds similar to me.
Questions
I am getting really confuse? What are the main different between these two and in what scenario we should use each of them? Since we already have passport, what is the point of having Laravel Sactum? Any hints?
laravel passport follows oauth2 and is one of the implementations.
laravel sanctum provides a simple way for your authentication system for SPAs.
As you already used passport, there is no point to change to sanctum.
Sanctum is for the app that does not want to use the complex oauth2 flow.
To understand thing in dept
Article :https://divinglaravel.com/authentication-and-laravel-airlock
Notes: Laravel airlock(Old name) and Laravel sanctum(new name)
Youtube's Explanation: https://www.youtube.com/watch?v=LELn-3ZpH9I
My Summary (Benefits of Laravel Sactum)
If you are using spa(single page application, either vue, angular
or react). Need not to include the bearer token into the request. It
is automatically done after your first request to
/airlock/csrf-cookie. The whole idea is turn the stateless http to stateful http.
If we have a stateless application like mobile application or
others. We could easily create a stateless token using the following code.
$user->createToken(
'laravel-forge',
['server:create', 'server:delete']
);
Simplify maintenance part because programmer does not need to understand the concept of oauth2.
I have a website which is based on a Laravel backend api and a Nuxt.js frontend app.
The laravel app is served at api.website.com. Till now the api was open, meaning everyone can make a get request. There are almost no post requests.
I know need to implement a login mechanism for the users (Usual login+register and facebook login).
My question is about how would I go to make this process secure. Do I need Laravel Passport (or other similar mechanism)?
My thought is that, say I have an endpoint api.website.com/register (POST), I do not want anyone to be able to just make a post request and create an account. I need to have some sort of security like a csrf token. I know I can use CORS but that doesn't really provide much of security in this case.
You can use jwt like this or laravel passport.
I am going to build an SPA with Laravel and Vuejs.
Since this will be my first large application using this combination, I had some questions that I wanted to ask because I didn't find a clear answer:
1: Authentication. When searching on the internet I found a lot of topics about authenticating with a JWT token. What is the advantage of using such a token instead of normal authentication? If I authenticate in the "normal" way and check for auth()->check() in my application I have the same result no?
2: Routing. Since I will be using Vue-router, my application will have Vue and Laravel based routes. Does that mean that the Laravel routes are defined as API calls? And should they be in the API route group then? Or are they just normal routes that belong to the application?
JWT tokens have some advantages over traditional session base authentication. For example you don store session data on server and save server resources , jwt tokens are available in your request amoung multiple servers and so on...
For further reading check this article :
https://float-middle.com/json-web-tokens-jwt-vs-sessions/
2.Yes you should use laravel routes as restful apis