Microservices structure with Laravel - laravel

I have to develop a project with 5 microservices for now, but in the future it could have more than 50. And I have a big problem with the auth.
All microservices need auth to access the information; here is the problem.
How can I do it?
I thought of something like this:
ms1.blabla.com
ms2.blabla.com
...
auth.blabla.com
Make an "auth" microservice and store users, passwords, tokens, and other stuff there.
Is it OK? Or any other suggestion?
Another problem is how I get the data from other services. Do I need to call the auth microservice every time from the ms1 microservice to check the token before fetching the data, like a middleware in every microservice? It sounds very awful and makes a lot of requests to auth.
Does anyone know how to do it in the best way? Some tutorial, example, packages, idk. Any idea is well received.
Another problem is whether to use Laravel or Lumen. I thought of Laravel on every project to make it more scalable over time, with the front-end in Vue. Or just Lumen, because for now it is just database and data, nothing more.
Thanks

If you need to handle auth in your API, I really suggest relying on Passport (https://laravel.com/docs/8.x/passport) to handle authorization instead of building something on your own.
Regarding the choice of Laravel vs Lumen, it depends on how you plan to handle the frontend. Lumen is just a simpler / faster version of Laravel, but you won't be able to handle sessions, cookies, etc.
If you are making requests to your microservices from several frontends (for example a website and a mobile app), I suggest using Lumen and building only an API. You can find a more detailed article on the differences between both here: https://medium.com/#jeffalmeida_27473/laravel-vs-lumen-what-should-i-use-63c196822b2d

Related

Front end of application is built in Laravel livewire and want to consume API's built in Lumen

I was handed a project by my company. It was made in Laravel with Livewire and Nova. The company wants me to redo the app by consuming APIs written in Lumen.
The first thing that I want to ask is whether it's a good idea, and secondly how to go about storing the JWT token provided by the Lumen login API in Laravel and using it in subsequent requests?
The first question you need to ask is why they want to rebuild something existing under Laravel in Lumen. Lumen is basically a lightweight version of Laravel. If the idea is to separate the frontends from the backend, you could keep using Laravel; it can definitely be used to define APIs.
Regarding your second question, there are already some existing libraries (https://github.com/dusterio/lumen-passport) which can help you use Laravel Passport in Lumen, so you shouldn't have any issue and you should be able to use your token everywhere.

Token based simple authentication in Laravel (No passport)

I am new to Laravel and creating a REST API. The client of the API will be a mobile app only. There is no front-end view to be shown in a browser. I have created the routes and the controllers to handle API requests. Furthermore, I deleted the Users table (created by Laravel) because I do not need a web interface etc.
I just want simple token-based authentication at this stage (I am aware there is Passport authentication), but I cannot even understand that at this stage.
There is only one table in the project.
Candidates
(id (PK), name, phone, details)
Mobile app users are also candidates. Should I create a token column in this table, and manually create a token at the time of the register API call and return it in the response?
Please, any simple guide or directions will help. I have searched quite a bit online and there seem to be quite a lot of topics that show up, such as guards, providers, and Passport, which I am struggling to get.
Thanks,
Elliot.
First of all, you didn’t need to delete the users table. You can use it for API auth too. You just need to create a separate token table.
However, if you want to implement it manually you need to do a lot of things manually.
This is a huge thing to implement manually and it's not possible to describe it in a single answer. I will try my best to explain it as simply as I can.
You have to create an authentication system yourself; that is for login. Define a middleware to check the authorization of the token sent from the client to check the validity of every request (this is the guard part).
Also keep track of the token expiry time. Refreshing the token after each expiry needs to be done too (this is the provider part).
Now there are a lot of things inside, like keeping track of the device the request is coming from, providing different tokens for different devices for a single user, etc.
If you are into learning how everything works then you can try to build one yourself. But if you plan on deploying it to a professional website, I would suggest trying to get accustomed to Passport. Reinventing the wheel is really not necessary. I hope it gives you a basic idea. If you have any more questions, feel free to comment.
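An added sketch of the manual approach outlined in the answer above, not code from the original post or from Laravel: an in-memory array stands in for the separate token table, only a SHA-256 hash of each token is stored, every device gets its own token, and `checkToken()` is the check a middleware would run on each request. The function names, column names, TTL values and candidate id are assumptions made for illustration; token refresh is left out.

```php
<?php
declare(strict_types=1);

// In-memory stand-in for a separate token table (hypothetical columns):
// token_hash => [candidate_id, device, expires_at]
$tokenTable = [];

/** Issue one token per candidate and device; only its SHA-256 hash is kept. */
function issueToken(array &$table, int $candidateId, string $device, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $table[hash('sha256', $token)] = [
        'candidate_id' => $candidateId,
        'device'       => $device,
        'expires_at'   => $now + $ttl,
    ];
    return $token;                               // returned to the client once
}

/** The check a middleware would run per request: candidate id, or null to reject. */
function checkToken(array &$table, ?string $authHeader, int $now): ?int
{
    if ($authHeader === null || !preg_match('/^Bearer ([0-9a-f]{64})\z/', $authHeader, $m)) {
        return null;                             // missing or malformed header
    }
    $hash = hash('sha256', $m[1]);
    $row  = $table[$hash] ?? null;
    if ($row === null) {
        return null;                             // unknown token
    }
    if ($row['expires_at'] <= $now) {
        unset($table[$hash]);                    // expired: delete, client must log in again
        return null;
    }
    return $row['candidate_id'];
}

// Constructed demo: candidate 7 logs in from two devices.
$now    = 1700000000;
$phone  = issueToken($tokenTable, 7, 'phone', $now);
$tablet = issueToken($tokenTable, 7, 'tablet', $now, 60);

var_dump(checkToken($tokenTable, "Bearer $phone", $now + 120));   // within its 3600 s TTL
var_dump(checkToken($tokenTable, "Bearer $tablet", $now + 120));  // past its 60 s TTL
var_dump(checkToken($tokenTable, 'Bearer not-a-token', $now));    // malformed header
```

Because the table holds hashes only, a leaked copy of it does not hand out usable tokens.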

Laravel default auth vs Token authentication

I am starting to build a new app and wonder what the best way to implement auth will be, security-wise.
What are the cons, pros, and differences between the Laravel make:auth and using jwt-auth?
Will Laravel's default auth be enough?
This description is a pragmatic approach, so you can do something else if you want.
I think that while developing an API you should use a JWT-based authentication mechanism.
A JSON Web Token (JWT) includes the user information in itself, which gives an important benefit for managing sessions. The first and most important of the benefits is that you can manage sessions without storing them on the server. To avoid misunderstanding: you can store them on the server, but it's not necessary except in a few scenarios. These scenarios depend on how you have designed your authentication.
I could explain a lot more about it, but in summary, if you are developing an API I propose you use JWT tokens.
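The first question on this page worries about calling the auth service on every request, and the answer above notes that a JWT carries the user information itself. As an added example (not from the original posts, and not Passport's or jwt-auth's code), this shows a service verifying an HS256 token locally with a key it is assumed to share with the auth service; the function names, key, clock value and claims are constructed for illustration.

```php
<?php
declare(strict_types=1);

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Auth service side: sign the claims with HS256. */
function signJwt(array $claims, string $key): string
{
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($claims));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", $key, true));
}

/** Microservice side: verify locally, no request to the auth service. */
function verifyJwt(string $jwt, string $key, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$head, $body, $sig] = $parts;
    $header = json_decode((string) base64_decode(strtr($head, '-_', '+/'), true), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;                    // pin the algorithm instead of trusting the header
    }
    $expected = b64url(hash_hmac('sha256', "$head.$body", $key, true));
    if (!hash_equals($expected, $sig)) {
        return null;                    // signature mismatch: forged or modified token
    }
    $claims = json_decode((string) base64_decode(strtr($body, '-_', '+/'), true), true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        return null;                    // no expiry claim, or already expired
    }
    return $claims;
}

// Constructed demo values: key, clock and claims are made up for this example.
$key = random_bytes(32);
$now = 1700000000;
$jwt = signJwt(['sub' => 42, 'exp' => $now + 300], $key);
[$h, , $s] = explode('.', $jwt);
$swapped = "$h." . b64url(json_encode(['sub' => 1, 'exp' => $now + 300])) . ".$s";

var_dump(verifyJwt($jwt, $key, $now));          // untouched token inside its lifetime
var_dump(verifyJwt($swapped, $key, $now));      // payload replaced, old signature kept
var_dump(verifyJwt($jwt, $key, $now + 301));    // same token after expiry
```

With an asymmetric algorithm such as RS256, the services would hold only the public key and could verify tokens without being able to mint them.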

How to make sure it's my frontend making the api calls

My backend and frontend are totally separated. One using Laravel 5.3 the other using VueJS 2.
My frontend doesn't need to authenticate users (public website). However my backend should be able to recognize that the API calls are being sent from my frontend and not some other client/frontend.
I know how to do this manually, but I would like to know if it's possible to do this out of the box with the Dingo package and also that the hostname or whatever way the API calls are being approved can't be spoofed by others?
You can add a custom element, like the csrf_field(), to all of your forms. If you have that element...then it's coming from you.
edit: Or json web tokens, but that's a bit more work.

Token authorisation for Laravel 5 RESTful API

I'm writing a RESTful API using Laravel 5. Out of the box, Laravel 5 provides a number of middleware services for authentication, etc.
I'm implementing a token-based authentication system for a RESTful API. My question is whether or not I should modify the existing Laravel 5 files or whether I should just ignore them and create my own middleware.
I know either would work, but I'm more wondering about best practice, particularly in the light of upgrading down the track, as it always makes me a little nervous modifying the original code files in a framework. My normal expectation would be that a framework is kept in a separate folder from my application so that it's clear which files can be safely modified with minimal effect on the upgrade path.
Not a direct answer to your question, and I have no personal experience with it, but if you hadn't seen it this may be what you're looking for: https://github.com/susomena/Laravel-Token-Auth
You can refer to "How to create Token-Based authentication in laravel 4?"
The answer there includes a link to OAuth2-Server-Laravel, which helps you implement OAuth2 token-based verification of requests when creating a RESTful API.
For documentation of OAuth2-Server-Laravel, refer to this link.
