Laravel 8: to make an SPA never suffer from a 419 error, is it appropriate to use Sanctum and put routes in api routes? - laravel

For the sake of making my use-case more understandable, I'll classify services like Figma, WhatsApp, etc as SPAs. I've never received a page-expired error from those "SPAs".
So it is 2020, and we now also have Laravel 8: is it appropriate to use Sanctum to achieve such never-expiring SPA just by placing all routes in api.php, assuming that the SPA is in the same domain/subdomain with the Laravel app?
Btw, according to the Sanctum docs, this implies the use of API tokens for those API routes, but this kind of usage for first-party SPA is clearly not the intended use of Laravel Sanctum.

Maybe not the best way to achieve that, but if it works you'll get your job done, and I don't see the problem with doing that even if it was intended for another use.

It seems Sanctum cannot handle this case, because if the request is from the frontend, it applies session-based auth checks.
I have however proposed a possible update that can make this possible. Hopefully, it will be considered for implementation.
In the meantime, a sane workaround that does not pose any serious security threat for my use-case is to increase the session timeout.

Related

What is Laravel Sanctum supposed to be able to do?

To be honest, I don't understand the concept of Laravel Sanctum. Before there was Sanctum, people used JWT. That always worked very well. In other frameworks in the Node context, I only use JWT. I am very confused by the paragraph about the SPA Auth (https://laravel.com/docs/9.x/sanctum#how-it-works-spa-authentication). It talks about Sanctum also using the web auth. Does that mean that if I log in via the web route (auth), I can also use the api route (auth:sanctum)?
Thanks! Max

Laravel Passport vs Laravel Sanctum

Description
Currently, all my clients' projects were built using Laravel Passport, but recently I read about Laravel Sanctum. It sounds similar to me.
Questions
I am getting really confused. What are the main differences between these two, and in what scenario should we use each of them? Since we already have Passport, what is the point of having Laravel Sanctum? Any hints?
Laravel Passport follows OAuth2 and is one of its implementations.
Laravel Sanctum provides a simple way to build your authentication system for SPAs.
As you already use Passport, there is no point in changing to Sanctum.
Sanctum is for the app that does not want to use the complex OAuth2 flow.
To understand things in depth:
Article: https://divinglaravel.com/authentication-and-laravel-airlock
Notes: Laravel Airlock (old name) and Laravel Sanctum (new name)
YouTube explanation: https://www.youtube.com/watch?v=LELn-3ZpH9I
My summary (benefits of Laravel Sanctum)
If you are using an SPA (single page application, either Vue, Angular or React), you need not include the bearer token in the request. It is automatically done after your first request to /airlock/csrf-cookie. The whole idea is to turn stateless HTTP into stateful HTTP.
If we have a stateless application like a mobile application or others, we could easily create a stateless token using the following code:
$user->createToken(
    'laravel-forge',
    ['server:create', 'server:delete']
);
Simplifies the maintenance part because the programmer does not need to understand the concept of OAuth2.

API Security for a Laravel+Nuxt.js project

I have a website which is based on a Laravel backend api and a Nuxt.js frontend app.
The Laravel app is served at api.website.com. Till now the API was open, meaning everyone can make a GET request. There are almost no POST requests.
I now need to implement a login mechanism for the users (usual login+register and Facebook login).
My question is about how would I go to make this process secure. Do I need Laravel Passport (or other similar mechanism)?
My thought is that, say I have an endpoint api.website.com/register (POST), I do not want anyone to be able to just make a post request and create an account. I need to have some sort of security like a csrf token. I know I can use CORS but that doesn't really provide much of security in this case.
You can use JWT like this or Laravel Passport.

Vue SPA Authentication with Laravel

I'm currently building a Vue SPA with Laravel as my backend provider. I have reached a dilemma which I am yet to solve and it is thus:
a) I'm using Laravel Passport to authenticate my users. However, I'm getting a 302 status code whenever I issue a POST request to the Authentication route (/login). What would be the correct method to override this in the LoginController? A laravel_token is being associated with any requests I made to my API routes, which suggests that when I log in using the conventional login form, Passport is creating a token each time the request is sent.
b) How would I enforce policies in Vue? My first thought would be to route different levels of users e.g. Admins and Users via subdomains. Then I would use middleware on the subdomains and create new instances of Vue & VueRouter on the respective subdomains. My past experience says that this might be overkill and I find myself asking the questions here.
Being a lone developer means that I don't necessarily have anyone to discuss this with and studying Computer Science really doesn't help with Web-based programming ;)
Thank you in advance.

A working way of authenticating and authorising Vuejs apps (with a Laravel Backend)?

I am making a VueJS app with a Laravel backend. I see Laravel has Passport which is used to authenticate/authorize APIs. (Sincerely I have not yet succeeded in integrating Passport. I have not understood where the starting point is. Will post that question separately).
I have done a lot of searching and still have not found the best/easiest way of doing authentication and authorization, and also interface control depending on permission. (I know "best" is subjective but basically means a method that is easy to integrate, understand and use).
Anyone who has been there and used one that worked really well?
I generally use JSON Web Tokens for my web and mobile apps. It's simpler to set up than Oauth and is a better fit for many applications.
Basically, the user sends a POST request containing their authentication details to the appropriate endpoint and receives a token in response. The user can then include that token in the Authorization header of future requests to authenticate them.
The token also includes a timestamp for when it expires, and it can be decoded on the client side so that an application can refresh the token before it expires.
There's an excellent implementation of JWT for Laravel which I use all the time and can highly recommend. There are also client-side libraries for handling JWT with pretty much every framework under the sun.
#MatthewDaly, I followed your recommendation and I stumbled on a VueJs-Laravel JWT implementation here: http://jimfrenette.com/2016/11/laravel-vuejs2-jwt-auth/
I followed through the tutorial and was able to make it work for my case. (Caveat: the post is slightly old (using Laravel 5.2), but with a good understanding of Vue and Laravel, you will be able to follow and implement it easily.)
