Laravel Passport vs Laravel Sanctum - laravel

Description
Currently, all my clients' projects were built using Laravel Passport, but recently I read about Laravel Sanctum. It sounds similar to me.
Questions
I am getting really confused. What are the main differences between these two, and in what scenario should we use each of them? Since we already have Passport, what is the point of having Laravel Sanctum? Any hints?

Laravel Passport follows OAuth2 and is one of its implementations.
Laravel Sanctum provides a simple way to build your authentication system for SPAs.
As you already use Passport, there is no point in changing to Sanctum.
Sanctum is for apps that do not want to use the complex OAuth2 flow.

To understand things in depth:
Article: https://divinglaravel.com/authentication-and-laravel-airlock
Note: Laravel Airlock (old name) and Laravel Sanctum (new name)
YouTube explanation: https://www.youtube.com/watch?v=LELn-3ZpH9I
My Summary (Benefits of Laravel Sanctum)
If you are using an SPA (single page application, either Vue, Angular or React), you need not include the bearer token in the request. It is done automatically after your first request to /airlock/csrf-cookie. The whole idea is to turn stateless HTTP into stateful HTTP.
If we have a stateless application like a mobile application or others, we can easily create a stateless token using the following code:
$token = $user->createToken(
    'laravel-forge',                    // token name, e.g. the device or client it is issued to
    ['server:create', 'server:delete']  // abilities granted to this token
);
// Send $token->plainTextToken to the client once; Sanctum stores only its hash.
It simplifies maintenance because the programmer does not need to understand the concept of OAuth2.
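The summary above only shows the createToken() call. As an added example (not code from the answer's author or from the Sanctum project), here is how the token-based side fits together for a stateless client: issuing a token with a limited set of abilities, enforcing those abilities at the point of use rather than only checking "is authenticated", and revoking the token on logout. It assumes Sanctum is installed, that App\Models\User uses the Laravel\Sanctum\HasApiTokens trait, and that the route and ability names (/token, /servers, server:create) are made up for the illustration.

```php
<?php
// routes/api.php (added example; assumes Laravel Sanctum is installed and
// App\Models\User uses the Laravel\Sanctum\HasApiTokens trait)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Token issuance for a stateless client such as a mobile app.
// The abilities array limits what this particular token may do, so a
// leaked token from a read-only device cannot perform destructive calls.
Route::post('/token', function (Request $request) {
    $request->validate([
        'email'       => 'required|email',
        'password'    => 'required',
        'device_name' => 'required',
    ]);

    $user = User::where('email', $request->email)->first();

    // Same error for unknown user and wrong password: no account enumeration.
    if (! $user || ! Hash::check($request->password, $user->password)) {
        return response()->json(['message' => 'Invalid credentials'], 401);
    }

    // One token per device name; abilities are deliberately narrow.
    $token = $user->createToken($request->device_name, ['server:create']);

    // plainTextToken is available exactly once; only its SHA-256 hash is stored.
    return response()->json(['token' => $token->plainTextToken]);
});

Route::middleware('auth:sanctum')->group(function () {
    Route::post('/servers', function (Request $request) {
        // Authorize on the token's abilities, not merely on authentication.
        // tokenCan() returns true for session-authenticated SPA requests,
        // because a first-party session is not scoped the way a token is.
        if (! $request->user()->tokenCan('server:create')) {
            abort(403, 'Token lacks the server:create ability');
        }

        // ... create the server for $request->user() here

        return response()->json(['status' => 'created'], 201);
    });

    // Logout for token clients: revoke only the token that made this request,
    // leaving the user's other devices signed in.
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();

        return response()->noContent();
    });
});
```

The same auth:sanctum guard also accepts the cookie-based session from a first-party SPA, provided the SPA's origin is listed in the stateful domains (the SANCTUM_STATEFUL_DOMAINS setting) and the SPA first calls the CSRF cookie route, which in current Sanctum releases is /sanctum/csrf-cookie rather than the /airlock/ path from the answer. Tokens do not expire by default; set the expiration value in config/sanctum.php if issued tokens should have a bounded lifetime.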

Related

What is Laravel Sanctum supposed to be able to do?

To be honest, I don't understand the concept of Laravel Sanctum. Before there was Sanctum, people used JWT. That always worked very well. In other frameworks in the Node context, I only use JWT. I am very confused by the paragraph about the SPA Auth (https://laravel.com/docs/9.x/sanctum#how-it-works-spa-authentication). It talks about Sanctum also using the web auth. Does that mean that if I log in via the web route (auth), I can also use the api route (auth:sanctum)?
Thanks! Max

Laravel 8: to make an SPA never suffer from 419-error, is it appropriate to use Sanctum and put routes in api routes?

For the sake of making my use case more understandable, I'll classify services like Figma, WhatsApp, etc. as SPAs. I've never received a page-expired error from those "SPAs".
So it is 2020, and we now also have Laravel 8: is it appropriate to use Sanctum to achieve such a never-expiring SPA just by placing all routes in api.php, assuming that the SPA is in the same domain/subdomain as the Laravel app?
Btw, according to the Sanctum docs, this implies the use of API tokens for those API routes, but this kind of usage for a first-party SPA is clearly not the intended use of Laravel Sanctum.
Maybe not the best way to achieve that, but if it works you'll get your job done, and I don't see the problem with doing that even if it was intended for another use.
It seems Sanctum cannot handle this case, because if the request is from the frontend, it applies session-based auth checks.
I have, however, proposed a possible update that can make this possible. Hopefully, it will be considered for implementation.
In the meantime, a sane workaround that does not pose any serious security threat for my use case is to increase the session timeout.

API Security for a Laravel+Nuxt.js project

I have a website which is based on a Laravel backend API and a Nuxt.js frontend app.
The Laravel app is served at api.website.com. Until now the API was open, meaning everyone can make a GET request. There are almost no POST requests.
I now need to implement a login mechanism for the users (usual login + register and Facebook login).
My question is about how I would go about making this process secure. Do I need Laravel Passport (or another similar mechanism)?
My thought is that, say I have an endpoint api.website.com/register (POST), I do not want anyone to be able to just make a POST request and create an account. I need to have some sort of security like a CSRF token. I know I can use CORS, but that doesn't really provide much security in this case.
You can use JWT like this or Laravel Passport.

Best practices in a laravel & vuejs application authentication and routing

I am going to build an SPA with Laravel and Vue.js.
Since this will be my first large application using this combination, I have some questions that I wanted to ask because I didn't find a clear answer:
1: Authentication. When searching on the internet I found a lot of topics about authenticating with a JWT token. What is the advantage of using such a token instead of normal authentication? If I authenticate in the "normal" way and check for auth()->check() in my application, I have the same result, no?
2: Routing. Since I will be using Vue Router, my application will have Vue-based and Laravel-based routes. Does that mean that the Laravel routes are defined as API calls? And should they be in the API route group then? Or are they just normal routes that belong to the application?
JWT tokens have some advantages over traditional session-based authentication. For example, you don't store session data on the server and so save server resources, JWT tokens are available in your request among multiple servers, and so on...
For further reading check this article:
https://float-middle.com/json-web-tokens-jwt-vs-sessions/
2. Yes, you should use Laravel routes as RESTful APIs.

Laravel Passport VS JWT

I am kind of confused about recognizing the discrepancy between Laravel Passport and the tymondesigns/jwt-auth package. Do they actually serve the same purpose of API authentication via tokens?
Since Laravel Passport was introduced in 5.3+, is one supposed to use Passport instead of the tymondesigns/jwt-auth package in the latest versions?
The "tymondesigns/jwt-auth" package is a PHP Laravel implementation of the JWT protocol. On the other hand, Passport also uses JWT by default plus a huge extra: a complete OAuth2 implementation. Regarding the functionality, as I said, they both use JWT, thus you can use whichever you like for authentication via tokens. They both do their job and you'll have a secure API token implementation.
The difference comes if you would like a lightweight API token implementation or the plus of the OAuth2 server to allow more and other apps to communicate with your app. One of the most common cases would be how some random apps ask Google or Facebook for your user information. If you implement the OAuth2 server, your app would allow any other app with a proper token to ask for data from your app.
"[...] Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes. Passport is built on top of the League OAuth2 server that is maintained by Alex Bilbie." from https://laravel.com/docs/master/passport
For more details, I have made an explanation of Laravel Passport, JWT, OAuth2, and Auth0.
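The answer's point that an OAuth2 server lets "any other app with a proper token" ask for your users' data is exactly why Passport scopes matter: a third-party client should receive only the access the user consented to. As an added example (not code from the answer's author or from the Passport project), the routes below enforce scopes on the server side. It assumes Passport is installed, the api guard uses the passport driver, the scope/scopes middleware aliases are registered as in the Passport docs, and the scopes profile:read and servers:manage were declared in AuthServiceProvider with Passport::tokensCan([...]); the route paths and scope names are made up for the illustration.

```php
<?php
// routes/api.php (added example; assumes Laravel Passport is installed,
// the "api" guard uses the "passport" driver, and the scopes below were
// declared in AuthServiceProvider::boot() with:
//   Passport::tokensCan([
//       'profile:read'   => 'Read your profile',
//       'servers:manage' => 'Create and delete servers on your behalf',
//   ]);
// The client asks for these scopes in the OAuth2 authorization request and
// the user sees them on the consent screen; the server then enforces them.)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// 'scope:' passes if the token has AT LEAST ONE of the listed scopes.
// A read-only integration gets here; it cannot reach the routes below.
Route::middleware(['auth:api', 'scope:profile:read'])
    ->get('/me', function (Request $request) {
        // Return only what the scope promises; never dump the whole model.
        return $request->user()->only(['id', 'name', 'email']);
    });

// 'scopes:' passes only if the token has ALL of the listed scopes.
// Destructive operations require the narrower, explicitly consented scope.
Route::middleware(['auth:api', 'scopes:servers:manage'])
    ->delete('/servers/{id}', function (Request $request, int $id) {
        // Defence in depth: re-check at the point of use so the authorization
        // decision does not depend solely on the middleware stack being intact.
        abort_unless($request->user()->tokenCan('servers:manage'), 403);

        // ... delete server $id only if it belongs to $request->user()

        return response()->noContent();
    });
```

Two related settings are worth pairing with this: Passport::tokensExpireIn() and Passport::refreshTokensExpireIn() in the same boot() method bound the lifetime of a leaked access token, and Passport::setDefaultScope() controls what a token gets when the client requests no scope at all, so the default can be kept to the least privilege.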
2021, Dec.
Laravel Passport does not support PHP 7.4. "psr/log" demands PHP 8. In the case of PHP 7.4, use other solutions than Laravel Passport.
