Im trying to develop an app using Flutter which uses OTP to authenticate a user, ive setup Firebase Auth and everything is working fine, the app sends an SMS to the phone number that the user provided, but now im facing a problem with my Laravel based API, how do i login a user after the OTP auth is done ? surely i cant just send a login request tto my API using only his phone number seeing that its very insecure.
Im sure im missing something here and i would like some guidance.
Thank you
To verify the identity of the user in your backend code, send their ID token from the client to that backend, and verify the ID token there. Once you've verified the user's identity, you can then decide whether they are authorized for the action they are trying to perform.
Related
I'm a newbie in web development. Currently, I've learnt laravel framework and be researching about passport and socialite. I'm being stuck that after logging in the application successfully by their Facebook account how users get the access token for subsequent requests.
This has been implemented using Laravel Socialite. You can follow each step to implement Laravel Socialite.
You will get the information on how to create Secret Key & Access Key for social login.
https://github.com/jd-patel/laravel-social-login
I implemented JWT on the first VPS. On this server, I have controllers in Laravel and a database where users are stored. Now I want to add JWT on the second VPS. But JWT should get users from the first server. It should be something similar to login with a google password on different services or devices.
How to implement JWT on every next VPS? Are there any best practices for this solution?
On the second VPS, the user should only type his email address and login without entering the password if he is logged on the first VPS.
The first VPS should have some API, and when the user type an email on the second VPS it should ask the first VPS if a user is logged?
Looks like you are talking about SSO.
I did make a SSO feature using laravel passport.
So, the idea is you have a central app that handles authentication.
Any application that to login is considered a client. So, they will verify themselves as a valid client then you may obtain a user token from the client.
You may have a study on oauth2, passport.
my goal is to receive and send a notification from the server side which is laravel, and i don't know how to do it. Anyone please help me?
By default, Laravel ships with a simple solution to API authentication
via a random token assigned to each user of your application. In your
config/auth.php configuration file, an api guard is already defined
and utilizes a token driver. This driver is responsible for inspecting
the API token on the incoming request and verifying that it matches
the user's assigned token in the database.
Docs
If you are a beginner and you are learning and figuring out how to make apis and secure them, here you can learn Buidling a Blog Application with Laravel 5.6 and Ionic v4.
Laravel 5.6
I need to create a way for the mobile app users to be able to register an account in a Laravel based app and then log in and gain access to the API.
All user data and credentials will be stored in Laravel App. The mobile app will have to be authorised as long as the user doesn't log themselves out manually.
I read about the Resource owner credentials grant and it seems like the only way to use username/password to receive the token. The problem here is that client_secret has to be stored or generated on an mobile app. (?)
Some people use Implicit grant for mobile app but in my case I need to pass username and password and this method does not seem to offer that.
What is the simplest, "best practice" way of implementing this basic functionality using Passport?
I'm using the Expo Facebook login on my React Native app. In my app they can create and join events, which is done via API calls to my Laravel backend. I need these API calls to be authenticated (so some random person can't submit requests on someone else's behalf), but I don't want them to have to login twice. How can I ensure the person making API calls is who they say they are?
When they auth with Facebook they get their unique Facebook user ID, but I'm not sure if that is a secret they would only know after authenticating with FB or if anyone could get it. For my alpha version it's just sending their FB user ID with the request to ensure it's coming from the right person, but that seems really insecure because if anyone gets that ID they can forge requests.
One idea I had was to pass the auth token the React Native app got from Facebook to my API, and then on my server use that auth token to ensure it's really them. That just seems sort of complicated and it's hard to find a package that helps facilitate this, though.
It seems like this has to be a common problem. Any resources on how other apps handle this? Tinder, for example, must have this same problem.