generate accessToken to retrieve data from api using passport - laravel

Is there any possible way to generate an access token so that when anyone
tries to retrieve data from the API they must pass the token as a header
to get access to it?
I have been searching for it, but every website is showing this:
$user = Auth::user();
$success['token'] = $user->createToken('MyApp')->accessToken;
There won't be any user for this purpose. When the other website hits this API with a valid header it will automatically send all the data to that device.
Can anyone help me with this? Any help would be highly appreciated.

Why don't you create a database called token and store multiple token strings?
Then, whenever a request hits the server, it checks whether that token is present or not in the HTTP header.
This way you can create multiple tokens and share them with your API partners. However, this is always public, so you might want to add security features on top of it.
Since you don't have users, there will not be a two-way handshake, so you will have to keep sending the same token on all requests.
So my proposal would be the use of API secret keys.
Steps:
Store API keys in database tables
Send API keys in the HTTP header
As soon as the request hits the server, check if the token is present in the header
If the token is present, check if the token matches the database records
By the way, without a user the API token is not that secure.
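The four steps above as a Laravel middleware, added here as an example and not code from the answer. It stores only a SHA-256 hash of each partner key, so a leaked table does not leak usable keys; the `api_keys` table, its columns and the `X-Api-Key` header name are assumptions.

```php
<?php
// Added example: API-key check for the partner-to-partner case (no user).
// Assumed table `api_keys` with columns `name`, `key_hash`, `revoked_at`,
// `created_at`; assumed client header `X-Api-Key`.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

class VerifyApiKey
{
    public function handle(Request $request, Closure $next)
    {
        // Steps 2 and 3: the partner sends the key in a header; no header, no access.
        $presented = $request->header('X-Api-Key');
        if (!is_string($presented) || $presented === '') {
            return response()->json(['error' => 'missing api key'], 401);
        }

        // Step 4: match against stored records. Lookup is by hash, and the
        // final comparison uses hash_equals so it runs in constant time.
        $digest = hash('sha256', $presented);
        $row = DB::table('api_keys')
            ->where('key_hash', $digest)
            ->whereNull('revoked_at')
            ->first();

        if ($row === null || !hash_equals($row->key_hash, $digest)) {
            return response()->json(['error' => 'invalid api key'], 401);
        }

        // Expose the partner identity to controllers and access logs.
        $request->attributes->set('api_partner', $row->name);

        return $next($request);
    }

    // Step 1: issue a key. Only the hash is stored; the plain key is shown
    // to the partner once and cannot be recovered from the database later.
    public static function issue(string $partnerName): string
    {
        $plain = Str::random(48);
        DB::table('api_keys')->insert([
            'name'       => $partnerName,
            'key_hash'   => hash('sha256', $plain),
            'created_at' => now(),
        ]);
        return $plain;
    }
}
```

Register the class under `$routeMiddleware` in app/Http/Kernel.php and attach it to the data routes; revoking a partner is then a matter of setting `revoked_at` on its row.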

Related

Oauth with same credentials and multiple sessions

I am working on an eCommerce Website and an App. We use SAP Hybris for OAuth 2.0.
To get an access token I send a Client ID, Client secret, Username and Password to the auth server.
Problem Example:
If I log in with the App first and then the Website, I won't be able to refresh my token in one of the sessions.
The token I receive from the server is pretty standard and looks like this:
{
  "access_token": "9T7IziRSIM_QIqFtttM8rhf83zU",
  "token_type": "bearer",
  "refresh_token": "MztkOmh67gIEiMwX5sED-Rug51c",
  "expires_in": 43199,
  "scope": "basic"
}
The only difference is that in the "Website Token" the expires_in would have a lower value than 43199, since it was requested after the "App Token".
Since both the access_token and the refresh_token are identical, the moment one of them expires and we try to fetch a new token, the first session that does it will receive completely different credentials. As soon as the second session (which is now expired) also tries to refresh its credentials, the server will deny new credentials, since the old credentials can be used only once to get new tokens.
Every 12 hours the tokens expire, and the first client to request a new token effectively logs out the other client by doing so.
Question:
What could I do to deal with this problem?
I was thinking it should be possible to send a unique ID with my request to generate a unique token. However, I cannot find any information about this in the SAP Docs.

Is there any way to identify where the API request comes from

I'm working on a Flutter app which is using APIs to get the data from the server. The Flutter app is public and anyone can use it without logging in to the application. And all is working fine.
My question: is there any way to identify where the API request comes from? Because anyone can use this API to get data, and this may lead to flooding the server.
If it is possible to find out where the request is coming from, then I can process only the requests that are from my Flutter application.
Is it possible?
Use https as protocol and add an api key and client secret to your app.
Then protect your api with e.g. http basic auth or OAuth.
https://laravel.com/docs/7.x/authentication#stateless-http-basic-authentication
https://laravel.com/docs/7.x/passport
When the first request comes in to the server, issue a token, for example
(pseudo code)
//here stringContainingData can be a json string having details about the client and the connection
token = MyHashingFunctionUsingAPassword(stringContainingData, MyStrongPassword);
After sending back the token, the next API access should contain the token with every request; if not, reject. If the token exists, do this:
stringContainingData = MyDeHashingFunction(token, MyStrongPassword);
//verify data
mappedToken = stringToMap(stringContainingData);
if (mappedToken.containsKey('keyThatShouldBePresent')) //acknowledge request
else //reject request
To reject further flooding, set max requests/second from a single IP.
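A concrete version of the pseudocode above, added as an example and not the answer's own code. The "hashing function using a password" is realised as an HMAC-SHA256 over the client data, so the server verifies that it issued the token without storing anything; the secret value, the `app` key and the sample data are assumptions.

```php
<?php
// Added example: stateless signed token matching the pseudocode.
// TOKEN_SECRET is a placeholder; load it from config/env in practice.
const TOKEN_SECRET = 'replace-with-a-long-random-secret';

// Issue: client data is base64url-encoded and bound to the secret by an HMAC.
function issueToken(array $clientData, string $secret = TOKEN_SECRET): string
{
    $payload = rtrim(strtr(base64_encode(json_encode($clientData)), '+/', '-_'), '=');
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Verify: recompute the MAC (hash_equals is constant-time), then do the
// "verify data" step: the decoded map must contain the expected key.
function verifyToken(?string $token, string $secret = TOKEN_SECRET): ?array
{
    if ($token === null || substr_count($token, '.') !== 1) {
        return null; // missing or malformed: reject
    }
    [$payload, $mac] = explode('.', $token, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // MAC mismatch: tampered or not issued by us
    }
    $json = base64_decode(strtr($payload, '-_', '+/'), true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !array_key_exists('app', $data)) {
        return null; // 'app' stands in for 'keyThatShouldBePresent'
    }
    return $data;
}

// Constructed sample run (assumed client data).
$token = issueToken(['app' => 'flutter-client', 'issued' => 1700000000]);
var_dump(verifyToken($token) !== null);          // bool(true): accepted
var_dump(verifyToken($token . 'x') === null);    // bool(true): altered MAC rejected
var_dump(verifyToken('not.a.token') === null);   // bool(true): malformed rejected
```

The payload is readable by anyone holding the token; only the MAC is secret-dependent, so put identifying data in it, not secrets. As the answer notes, this authenticates the token, not the app, so keep the per-IP rate limit as well.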

Laravel Airlock Token

Introduction/Background
I'm looking to enable token authentication for multiple microservices and users. Both applications and users are $user objects.
I need to be able to authenticate once (hence token) using an auth server on a subdomain. I then need to be able to pass around a token that can be managed (revoked/refreshed, whatever) by the auth server.
The microservices are Laravel based, so using Airlock makes sense. Airlock generates tokens easily using:
$token = $user->createToken(now());
However, I see no method to manually check the validity of these tokens... So I assumed they are available in the database.
Airlock suggests that the token be returned as follows:
$token->plainTextToken
This produces a token, as expected. To my understanding, this is a public-facing token. It does not match the token in the personal_access_tokens table.
Let's call these PublicToken and PrivateToken.
The private token is actually located in:
$token->accessToken->token
I want to be able to manually switch between a PublicToken and a PrivateToken. I assume Airlock is doing some security here, and I want to invoke the secure methods required to check a PublicToken against the PrivateToken.
Please do not say "it's in middleware"... The point is that I have multiple microservices and user types sharing a database. I have an auth server that will end up on secure architecture, and some of the other microservices won't be. Fundamentally I need to do a manual authentication because normal plug and play won't work. Using Airlock as the foundation is great, but I need to know how to convert between public and private tokens.
Essentially I'm looking for the real version of the following pseudocode:
if( someTranslationFunction($public_token) == $private_token ) ...
TLDR: The problem
How do I validate a $token->plainTextToken value against a $token manually?
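The manual check the question asks for, added here as an example rather than Airlock's own code. Airlock stores `hash('sha256', $plainTextToken)` in `personal_access_tokens.token`, so the "translation function" is SHA-256; later Sanctum releases prefix the public token with the row id (`id|token`), and handling that prefix is an assumption about the version in use.

```php
<?php
// Added example: convert a public (plain-text) token to the private form and
// validate it, both as a pure comparison and against personal_access_tokens.

use Illuminate\Support\Facades\DB;

// Returns [row id or null, plain secret part]; the id is only present in
// the later "id|token" format (assumption about the installed version).
function splitPublicToken(string $publicToken): array
{
    if (strpos($publicToken, '|') !== false) {
        [$id, $plain] = explode('|', $publicToken, 2);
        return [ctype_digit($id) ? (int) $id : null, $plain];
    }
    return [null, $publicToken];
}

// someTranslationFunction($public_token): the stored value is sha256 of the secret part.
function privateTokenFor(string $publicToken): string
{
    [, $plain] = splitPublicToken($publicToken);
    return hash('sha256', $plain);
}

// Pure comparison when you already hold both values; constant-time.
function publicMatchesPrivate(string $publicToken, string $privateToken): bool
{
    return hash_equals($privateToken, privateTokenFor($publicToken));
}

// Database-backed variant for the auth server: the token row, or null.
function findAccessToken(string $publicToken): ?object
{
    [$id, $plain] = splitPublicToken($publicToken);
    $digest = hash('sha256', $plain);
    $query = DB::table('personal_access_tokens')->where('token', $digest);
    if ($id !== null) {
        $query->where('id', $id);
    }
    $row = $query->first();
    if ($row === null || !hash_equals($row->token, $digest)) {
        return null;
    }
    return $row; // caller checks tokenable_type/tokenable_id and abilities
}
```

Revocation then means deleting or flagging the row the public token hashes to; the plain-text value never needs to be stored anywhere on the server.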

How to figure out the Token Name in the controller?

I have created a Laravel 5.4 App, which is a REST based API for serving out data about our inventory to customers.
I have implemented Passport based Authentication, and My customers create a 'Personal Access Tokens' and use that in their client requests. All of this is working fine.
I now need to meter the usage of the API to figure out which user, and which token (by Name) is making the request.
I am able to get the User by using $request->session();, but how do I get the name of the Token that is making the request?
Laravel passport searches for valid tokens in 2 locations:
the bearer token
a cookie
When boiled down, you could use this method to find the token you seek:
$token = $request->bearerToken() ?? $request->cookie(Passport::cookie());

How to keep access token for subsequent requests in website like in mobile app

I am developing a web API which will serve a mobile app and a website. If a user accesses the login service in the API, the user gets validated and is returned an access token. This access token will be stored in the mobile app and used in subsequent requests for the resources in the API; this is fine. But how can we store this access token in a website (web browser) to use it for subsequent requests? Shall we use sessions to store this access token? If so, what about statelessness? If we store it in cookies it will be a security threat, right? Please help me, guys. Thanks in advance.
I suggest you store the access token in the browser's local storage.
Syntax to add:
localStorage.setItem("appToken", token);
*where token is the value returned after successful authentication and appToken is the local variable holding that value.
Syntax to access the token variable:
var token = localStorage.appToken;
*you can access the same token in different pages so that you can hit APIs from there.
Syntax to remove the token:
localStorage.removeItem("appToken");
*it's better to remove the token from the appToken variable if you want to log out from the application.