Laravel sanctum logout not working even after tokens are deleted - laravel

I have tried so many options I could think of or find online; user details are still persisted even after successful deletion of all the tokens!
I am using Laravel Sanctum with Vue. The logout function I created works as expected when I use Postman to make the request, but this is not the case when I make the request via axios from the browser. The tokens get deleted quite alright, but I can still access protected routes.
I have also tried
Auth::logout()
I have continued to try this using sanctum and web as guard.
Any help will be appreciated.
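
An added example, not part of the original question: a logout endpoint that covers both ways the `auth:sanctum` guard can authenticate a request. It assumes the browser is authenticated through Sanctum's session cookie on the default `web` guard (the post does not show its configuration), which deleting tokens does not end; the controller name and the response fields are hypothetical.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Sanctum\TransientToken;

// Hypothetical controller for this example; register it as
// Route::post('/logout', LogoutController::class)->middleware('auth:sanctum');
class LogoutController extends Controller
{
    public function __invoke(Request $request): JsonResponse
    {
        $user = $request->user();

        // Sanctum attaches a TransientToken when the request was authenticated
        // by the session cookie rather than by a bearer token.
        $viaSession = $user->currentAccessToken() instanceof TransientToken;

        // Revoke every personal access token (what bearer-token clients rely on).
        $user->tokens()->delete();

        // End the cookie session as well: deleting tokens never touches it.
        if ($request->hasSession()) {
            Auth::guard('web')->logout();
            $request->session()->invalidate();      // drop session data, new session ID
            $request->session()->regenerateToken(); // rotate the CSRF token
        }

        return response()->json([
            'logged_out' => true,
            'authenticated_via' => $viaSession ? 'session' : 'token',
        ]);
    }
}
```

If `authenticated_via` comes back as `session` for the browser and `token` for Postman, the two clients were never using the same credential, which matches the behaviour described in the question.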

Related

Shopify JWT session token expired while making axios request call

I have created an app with Laravel and Vue.js, and for the authentication process I have used the laravel-shopify package. Right now, when an Axios call takes a long time, I get a session token expired error. I have already referred to this solution, but it did not work for me.
Shopify App-bridge session token is having some issues while working with the vue.js and Axios?
Please check attached documents, please check.
video:- https://drive.google.com/file/d/1US2dzgcPWm6iQcK4SMS4b6q85q9l89Mx/view?usp=sharing
When I pass many files to Axios, I don't want to get the expired token error. Does anyone have a solution for this?

How to protect laravel api route from outside access but allow unrestricted access if request comes from frontend?

I'm building the backend with Laravel and then using Vue as the front-end. Data is accessed over API calls using axios. Now I have this relatively simple task, but I can't seem to find the proper solution. I want one of the routes to be easily consumable by Vue components without the need to log in; however, I don't want that route to be publicly available for anyone to use.
Things I have tried:
Using passport to protect my routes and then use passport's CreateFreshApiToken middleware. Protection works fine, unauthorized users are not able to access the routes, however I don't get laravel_token in my cookies and therefore I can't get access to that route if I'm not logged in.
Use passport's client credentials grant access. Works fine and the way I want it to work but doesn't really make sense because if I hardcode the client_secret - anyone can access it and then use it to access protected routes. If I make a proxy-like solution, to call a controller method, which would issue a valid token and thus not exposing client_secret to front-end but then anyone could just call that route which issues the token and it would be pointless once again.
Apparently the answer is pretty simple and I was overcomplicating things. I don't know if this is the right/elegant way to do this, but basically, if you don't need your API to be accessible from other applications (which I didn't), we can just put the routes in web.php instead of api.php. This will ensure that the web middleware is used, and so it will use the basic CSRF token validation, which is totally sufficient for protection against outside requests. You can also leave the route in api.php and just use the web middleware on that route. The outcome is exactly what I needed: the application is getting data over a route without any need to log in AND that route is not available over Postman or anything else.

Best Way To Integrate Server Side Laravel Login VueJS SPA

How can I authenticate a user with sanctum when the whole login process happens server side? The question I am asking is kind of hard to phrase so I will explain my situation.
I have a Vue SPA for my front end and a Laravel app as a backend API (they run on the same domain). Normally, to authenticate with the Laravel API using Sanctum, you would send the credentials in a POST request, and if the login was successful, you would get the session information returned. However, I want to use Steam login for authentication. I already have the whole process on the backend figured out in terms of actually logging in; however, I am unsure how to pass the session data back to the SPA. Currently I have a link on my site that takes the user to the login endpoint on the API, and that endpoint will have them authenticate with Steam, so the entire login process is handled on the backend. Now I just need to figure out how to send the session data back to the SPA. I guess it would be similar to using Sanctum with Socialite.
So far I've tried using Sanctum's Mobile Application Authentication. I did this by having the user log in to the Laravel app using Steam, then once authenticated, an access token for their account would be created, and they would get redirected back to the Vue app's callback file, with the token as part of the query string. Then the token would be stored and . This worked, however it presented some security issues.
The token was passed back in the url, so anyone could screenshot it and use it
Anyone who obtained the token by some other method could use it.
Here is the code for what I tried: https://gist.github.com/DriedSponge/4e8549486c2bfa33e4c0b21a539bdf85
So in summary, I want the entire login process to take place on the server, but somehow at the same time authenticate the SPA. If you have any ideas on how I can make this work, please let me know. If you have any questions just leave a comment. Thanks in advance.
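
An added example, not part of the original question and not taken from the linked gist: since the SPA and the API share a domain, the Steam callback can log the user in on Laravel's session guard and redirect with nothing in the URL, so no token is exposed in the query string. `SteamVerifier`, its `verify()` method, the `steam_id` column and the redirect paths are hypothetical stand-ins for the login logic the post says already exists.

```php
<?php

namespace App\Http\Controllers;

use App\Models\User;
use App\Services\SteamVerifier; // hypothetical: wraps the existing Steam check
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Hypothetical callback controller; it must be routed through the "web"
// middleware group so that the session and cookies are available.
class SteamCallbackController extends Controller
{
    public function __invoke(Request $request, SteamVerifier $steam): RedirectResponse
    {
        // Assumed to return the verified SteamID string, or null on failure.
        $steamId = $steam->verify($request);
        if ($steamId === null) {
            return redirect('/login?error=steam');
        }

        // Assumes a steam_id column that is mass-assignable on the User model.
        $user = User::firstOrCreate(['steam_id' => $steamId]);

        // Log in on the session guard and rotate the session ID so a
        // pre-login session identifier cannot be reused (session fixation).
        Auth::guard('web')->login($user);
        $request->session()->regenerate();

        // Nothing secret travels in the URL: the browser holds only the
        // session cookie, which Laravel marks HttpOnly by default.
        return redirect('/');
    }
}
```

The SPA then calls routes protected by `auth:sanctum` with cookies enabled and stores no token itself, provided its domain is listed in Sanctum's stateful domains.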

Authentication with VueX and Laravel Passport

I'm currently using Vue (and VueX) and Laravel Passport. I have my register page working fine, now I've moved into my Login page. All the tutorials and posts I've seen online show a login system where the generated token is stored in localStorage but I've seen also that everybody says we shouldn't store any sensitive data in localStorage, then how should I do it? How can I manage sessions if my frontend (VueX) is separated from my backend (laravel)?
It's alright to store the token in localStorage, what you need to do is set the expiry of the token for less time, let's say 2 days.
These lines should be added to AuthServiceProvider.php
Passport::tokensExpireIn(now()->addDays(2));
Passport::refreshTokensExpireIn(now()->addDays(30));

Laravel Passport not authenticating with JWT cookie (self consuming API)

I've gone through the entire page of documentation and as far as I can tell I have everything set up exactly as the documentation states. However, when I attempt to make a GET request to /api/users it always returns a 401 Unauthorized.
If I inspect the request, I see that the laravel_token is indeed being passed along with the request, as well as CSRF.
At this point, I'm not really sure why it's always failing to authenticate, but it's pretty frustrating and I'm sure it's something minor that I'm overlooking somehow.
I'm using Laravel 5.7.5.
Configuration steps done:
Ran php artisan passport:install
Added trait to User model
Added Passport::routes() to AuthServiceProvider::boot()
Changed API driver to passport in config/auth.php
Added CreateFreshApiToken::class to web middleware
After a lot of digging, I finally figured out what my issue was.
In version 5.6 and later of Laravel, cookies are no longer serialized/unserialized. However, Passport still expects that the cookies are serialized. Neither the documentation for Laravel nor that for Passport points this out, and hopefully they'll get more in sync so this isn't an issue.
To fix this, you just need to add Passport::withoutCookieSerialization(); to app\Providers\AuthServiceProvider::boot()
