Helo,
I would like to know how get token by user with laravel passeport ?
I don't want a user to access another user's resource.
I would like to verify that the user's token in the request corresponds to the user's token.
i get the request token with:
$token = $request->bearerToken();
i don't know how to get user token.
Thank you
If you've set up correctly then passport will keep track of the tokens of each user in each device. However, if you want to retrieve the token of the authenticated user simply use Auth::user()->token();
Related
I have been created PWA with NuxtJS,
then I'm going to use sanctum package, but I don't want to request to the typical Laravel /login route, because I have a customized api /login route which authenticates users with OTP, not by password!
So I'm wonder how can I use sanctum in this situation??
You can use Sanctum's token based authentication to achieve this. All you have to do is add the HasApiTokens trait to your authenticable model and issue new tokens for it on a successful login. So you would have a route which will accept phone number or email and perform a login action. This would trigger the application to send OTP to the user. You have to store the OTP somewhere on the system. Then create another endpoint where user's can send back the OTP they received. This route will then check if the provided OTP matches the one on the system and issue a token to the user.
$token = $user->createToken(<provide-a-token-name>);
Make sure to send back the plaintext token to the user using the plainTextToken function on the token instance. User's will need to add this token to requests as a bearer token in the Authorization header.
For my project I have a set of users that should only be able to login by requesting a Magic Link. So they have an email address but no password. To avoid security issues, my goal was to get this working without having to save an authentication token in LocalStorage.
I've tried setting this up the following way with Laravel Sanctum:
When requested, I create a token for the user and email them the plaintext version.
The user would open the link containing the token in the querystring.
I would attach the (Bearer) token with the Authorization Header.
The next step (I assumed) would be to call a custom /api/login endpoint that uses the 'auth:sanctum' middleware. The Bearer token would authenticate the user and then I would manually login the user with Auth::login(). After this the active Session would be used to authenticate the user, thus avoiding having to save the token in localStorage.
But I can't call the Auth::login() method manually without getting an error (BadMethodCallException: Method Illuminate\Auth\RequestGuard::login does not exist.).
I can't figure out why this isn't working, or maybe I am going at this all wrong?
if you sending Sanctum token to user via email so in 1st request you will get token from url and you can use that token to login to application like this
use Laravel\Sanctum\PersonalAccessToken;
public function login(Request $request)
{
$personalAccessToken = PersonalAccessToken::findToken($request->token);
$user = $personalAccessToken->tokenable;
auth()->login($user);
return redirect('/');
}
I have successfully managed to create registration and login API routes in Laravel where a bearer token is issued when the user successfully logs in. The user may then use said bearer token to access his/her information and logout and so the user and logout routes are protected by authorization header middleware. For now I have tested these APIs using postman. For the actual implementation, when a user successfully logs in - where should the bearer token be stored (cookies perhaps?) in order for the user's session to pass the bearer token and access other pages with his/her information? Moreover how could a remember me method be implemented? and should refresh tokens be implemented? In order to eliminate cases where the user is logged out during a session if the token expires.
Tia!!
Yes, you have to implement refresh tokens.
And yes it's good option to use the cookie for storing the token and the date of expirations. Once it's expired you have to call the refresh token endpoint and to update the token in the cookie.
About 'remember me' method. As long as you are not cleaning the cookie when the user leave the page you are kind of implementing this method and it will keep the user logged in untile the refresh token is no longer available.
I'm new to Laravel and JWT-auth. I've implemented the process of generating JWT tokens and getting the associated user in my back-end, but I'm still can not understand how the server verifies the authentication of a user from just a token stored on the client side.
If I log in on machine A and change my password on machine B, can I still log in from machine A with the previous token?
You have a 'users' table and generally another table like 'sessions'. When a user makes a request to login through your API, a new line into the 'sessions' table is inserted (the token is saved) and the API return the token to the user. For all requests that need authentification, the user will have to give this token (through HTTP header for example).
When you want to authentificate a user on a request you have to verify if the token exists and remains valid and then retrieve the user. Example in Lumen :
$this->app['auth']->viaRequest('api', function ($request) {
$session = Session::where(['token' => $request->header('token')])->get(); //user gives his token in the header request
if($session){
return $session->user(); //you have setup the hasOne/hasMany relationship between sessions and users
//the user is authenticated
}
return null;
// the user is not authenticated
});
"If I log in on machine A and change my password on machine B, can I still log in from machine A with the previous token?"
If the token is still valid and you allow multiple active sessions then yes. The token isn't set depending of the password.
I'm trying to build a laravel app that uses an api to get and update info. Some API routes should only be accessible to logged in users.
I have implemented JWT so on login a token is generated for user and passed to javascipt. Also I removed expiring from the tokens to avoid a situation where user can see admin panel but token is expired and he can't do anything.
So now I have a problem when if a user logs out and logs back in, he gets a new token, but the old token is still usable. How can I delete JWT token for a given user?