Authentication for public Laravel API - laravel

I'm making a public API to allow third party websites to interact with my app, I was wondering what the best way to manage authentication would be. I'm currently looking into using Laravel Passport but I'm slightly confused by how the workflow should work.
Should I create clients for my users to then request their own tokens with or should I just have one client that I use to request tokens with and give the tokens out to the users.
I would quite like to use Laravel Passport as that integrates OAuth2 which is a very well known standard for authentication, but from reading the Passport documentation, it does not seem written with the intent of creating a public API as all the client creation 'methods' are through running artisan commands, not through controller methods.
UPDATE
What I am currently looking in to is letting users create an OAuth client by writing a controller that uses the same sort of code included in the php artisan passport:client command but is in a controller so it can be done from a frontend webpage. This would then give the user a client ID and secret which they could then use to follow the standard OAuth flow by requesting an access token with it. I'm not sure how correct this is or if this is a bit too indepth for a quite basic API but this is what I am thinking

You can try using this library.
https://jwt-auth.readthedocs.io/en/develop/
It should work for your purposes.

Related

Elixir Phoenix Absinthe GraphQL API authentication in both web and mobile app's

I'm working on an Absinthe GraphQL API for my app. I'm still learning the procedure(so please go easy on me).
I've a Absinthe/GraphQL MyAppWeb.schema.ex file in which I use for my queries and mutations. My question is how do I use this API for authenticating the user on both Mobile and Web app?
How do set a cookie(httpOnly & secure) in my web app and access/refresh tokens in a single Absinthe API to serve my website and mobile app. Basically what I'm trying to learn is how do I authenticate the user based on specific platform.
If my question sounds bit confusing, I would be happy to provide more information related to my question. I would really be grateful if someone could explain the procedure, I've been very stuck on this for a while.
I would avoid using authentication mechanisms provided by absinthe(if there are any). Depending on what front-end you are using, I would go with JSON API authentication. The flow on server goes the following way:
Create a endpoint for login that will receive a user and password and will return a refresh token.
Create a endpoint for exchanging refresh token for access token.
Use a library like guardian to generate your refresh/access tokens.
Create a phoenix plug for authentication that will check your tokens, guardian has some built-in plugs for this.
Now on device you have to implement:
Ability to save refresh and access token on device.
Have a global handler for injecting access token on authorized requests.
Have a global handler for case when access token is expired. (you usually check if your request returns Unauthorized, then you should request a new access token from the server using your refresh token)
This seems like a crude implementation, however I would advise in implementing your system instead of using a black box library that you have no idea how it works under the hood.

Secured web application with API backend in Laravel

I've created a web application that uses the built-in authentication method for the web, once the user is authenticated he/she is presented with a dashboard page. At this moment Ajax calls to an API need to be made to fetch data for the logged-in user. What would be the correct approach to this to make it is secure?
As a next step, I would like to be able to use the API "stand-alone" as well, so a 3rd party could access the dataset through the API as well.
Right now I am looking into Laravel Passport as well as Spatie Permission package to help me with access control.
If you are using ajax calls in same domain it won't be problem with built-in authentication to give access to authorized users only, because tokens & sessions are accessible for laravel and you can get authenticated users by default.
If you want to make external api as well the best approach will be to use Laravel Passport and pass token in Authorization header as usual.
Hope this helps you

Laravel 5.6 storing API's session token server side

I have a laravel app that consumes an API.
Users can authenticate sending the email and password to the API which then verifies them with the database and sends back a randomly generated token which can be used to authenticate further calls with the API.
The laravel app uses CURL to call the API.
Now, I know that I can use laravel's session() to store the token, which I can further use into the API calls.
However, I don't feel like this is the best practice or the best way to do this in laravel.
Which brings me to my question, is this the best way to store API tokens in laravel?(server side)
Should I implement this by extending laravel's Auth with a custom guard?(kinda feels like to much overhead for a simple token storing concept).
What are the best practices in this cases?
Thank you.

API Security for a Laravel+Nuxt.js project

I have a website which is based on a Laravel backend api and a Nuxt.js frontend app.
The laravel app is served at api.website.com. Till now the api was open, meaning everyone can make a get request. There are almost no post requests.
I know need to implement a login mechanism for the users (Usual login+register and facebook login).
My question is about how would I go to make this process secure. Do I need Laravel Passport (or other similar mechanism)?
My thought is that, say I have an endpoint api.website.com/register (POST), I do not want anyone to be able to just make a post request and create an account. I need to have some sort of security like a csrf token. I know I can use CORS but that doesn't really provide much of security in this case.
You can use jwt like this or laravel passport.

Laravel API Auth with Passport and React

I have a Laravel 5.5 Application that's using the session based auth out of the box. On some of these pages I have react components that need to get/post data from/to an API.
What is the best practice for handling this? Do I simply hide the API endpoints behind the auth? This would work but should I be using Laravel Passport for this instead?
I've had a play with Passport and it seems that this would work but I don't need users to be able to create clients and grant 3rd party applications permission etc. There is just the first party react app consuming the data from inside the laravel application (view).
From my initial experimenting with it, it seems I'd need to have the login call made first to receive an access token to then make further calls. As the user will already be authenticated in the session is there an easier way?
I'm not sure if Passport is intended to be used for this purpose or not. I'd rather take the time to get it right now as I'd like to get the foundations right now if the app scales.
You can proxy authentication with Passport. Using the password grant type users would still log in with their username/password, then behind the scenes make an internal request to Passport to obtain an access token.
Restrict what routes are available when registering in a service provider by passing in:
Passport::routes(function ($router) {
$router->forAccessTokens();
$router->forTransientTokens();
});
That limits access to personal tokens and refresh tokens only. A client will be created when you run php artisan passport:install.
Setup a middleware to merge the password grant client id and secret in with the request, then make a call to the authorization endpoint. Then it's just a matter of returning the encrypted token and observing the Authorization header for requests to your api.

Resources