Open source app with Laravel Passport. How to protect client secret? - laravel

I am about to open source a React Native app which interacts with a Laravel backend in production.
However, the client_secret from Laravel Passport to generate auth tokens is saved in cleartext in the React Native repo.
What security should I be concerned about and are there best practices I should consider? Is it possible to import keys from .env into React Native project? Surely anyone who downloads the app would be able to get those keys anyway?

Related

Which auth is useful in a Laravel / VueJS project?

I am planning a small project and have a question about authentication. I would like to implement the site with Laravel 8. However, as soon as the user has successfully logged in, he should be directed to the user dashboard. The User Dashboard should be a pure VueJS Single Page Application.
Now my question. Which auth should I use here? Session or token for the whole site or is both possible and useful?
If I use the token auth variant, for example, then I can protect the Vue app very well but I cannot access the user information outside the Vue app. For example, the current profile picture of the user should appear in the navbar and not only in the vue app but also on the landing page, contact page etc.
How can I do this, and what is the best practice? Thanks for your help!
Use token-based authentication (Laravel Passport).
In this way, you'll be able to manage the entire application UI and role checking in the frontend only. I would rather prefer to go with JWT [https://jwt-auth.readthedocs.io/en/develop/laravel-installation/]. It's easy to use and the documentation is pretty good. It's even supported by Lumen, so if you wish to integrate any micro-service into your application in the future, it's available in the Lumen micro-service too.

Many web/iOS/Android apps connecting to the same Laravel Passport authentication

I have a Laravel project with a Passport API. I want my other websites to connect to this same authentication. In the future, even iOS and Android apps should be able to authenticate too. How can I set my other Laravel projects to use this OAuth API? Can I guard my pages with it?
Before doing anything I want to know if this is possible or if there is a better idea of doing this.
Short answer: Yes, this is possible!
Long answer:
Passport provides OAuth2, which is the very same authentication protocol used by "Sign in with Facebook", "Sign in with GitHub", etc.
So your app with Passport is the user provider and your other apps are consumers. In the case of the consumers, any OAuth2 client will do the trick (as long as you can create a custom provider for your Passport "server" app).
Laravel has your back there too: https://laravel.com/docs/5.8/socialite. You can create a custom provider for your Passport "server" app.
TL;DR: Just like you would implement "Sign in with GitHub" (if you did that before) you can implement "Sign in with my Passport app" by writing your custom OAuth2 provider.
I cannot show much code since this will be highly specific but I do hope my story helps you find the correct packages/articles on how exactly to do this for your use case!

Secure Server (laravel passport) secret key stored in react native or native mobile code

I have integrated my react native app and laravel web app with laravel passport.
All my secret keys are managed server side (Pusher, Stripe payment, etc.) except for the secret key from Laravel Passport, which is needed for the mobile app to authenticate and talk to my website.
I understand that no secret key should be in the code but I have no idea how to manage differently...
Any suggestion? How do you manage this situation?
Thank you.

Firebase authentication for Sinatra (Ruby) web app

Is it possible to use Firebase for authentication of a Sinatra app in much the same way that I can use Auth0, and if so, how? The samples from Firebase all seem to assume single-page applications talking to a backend using JWT. Mine would be a traditional, fully server-side-rendered app.

Using Firebase Authentication with PHP backend

We are building a firebase mobile app and need to put some payment (paypal) logic on a custom PHP backend (Laravel).
The question is what is the best solution to do authentication on the PHP side?
Currently we are thinking of using an API-key library like https://github.com/chrisbjr/api-guard
Is there any better solution?