I have a database of users that work with web login based on laravel sessions. Now I want to generate an api token for each of these users for an api login, how can I generate it? I have already migrated to the database for this new column but I need each user to have their api token.
I'd recomment you to use Laravel Passport. APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
If You need session mechanism then You should use Laravel Passport.
But if You are building traditonal stateless REST Api then you can use API Authentication
Related
I am currently using a API to validate Login Credentials.
I have gotten to the point where I am sending username/password correctly.
This API will return a bolean, depending on if those credentials are correct.
Along with the entire user's information, including their address etc.
How can I correctly store this into Laravel Auth, so I can use Auth::user etc in blade?
I do NOT have Database access, only API access to validate user login details.
I cannot create a local - Laravel database, as this application has to be completely API based.
I am using Guzzle to query the API.
You should try using JWT for authentication, implementing your own API Authentication can cause some security issues if not done right.
Also JWT for Laravel already has support for Laravels Authentication system
I am going to build an SPA with Laravel and Vuejs.
Since this will be my first large application using this combination, I had some questions that I wanted to ask because I didn't find a clear answer:
1: Authentication. When searching on the internet I found a lot of topics about authenticating with a JWT token. What is the advantage of using such a token instead of normal authentication? If I authenticate in the "normal" way and check for auth()->check() in my application I have the same result no?
2: Routing. Since I will be using Vue-router, my application will have Vue and Laravel based routes. Does that mean that the Laravel routes are defined as API calls? And should they be in the API route group then? Or are they just normal routes that belong to the application?
JWT tokens have some advantages over traditional session base authentication. For example you don store session data on server and save server resources , jwt tokens are available in your request amoung multiple servers and so on...
For further reading check this article :
https://float-middle.com/json-web-tokens-jwt-vs-sessions/
2.Yes you should use laravel routes as restful apis
I have a Laravel 5.5 Application that's using the session based auth out of the box. On some of these pages I have react components that need to get/post data from/to an API.
What is the best practice for handling this? Do I simply hide the API endpoints behind the auth? This would work but should I be using Laravel Passport for this instead?
I've had a play with Passport and it seems that this would work but I don't need users to be able to create clients and grant 3rd party applications permission etc. There is just the first party react app consuming the data from inside the laravel application (view).
From my initial experimenting with it, it seems I'd need to have the login call made first to receive an access token to then make further calls. As the user will already be authenticated in the session is there an easier way?
I'm not sure if Passport is intended to be used for this purpose or not. I'd rather take the time to get it right now as I'd like to get the foundations right now if the app scales.
You can proxy authentication with Passport. Using the password grant type users would still log in with their username/password, then behind the scenes make an internal request to Passport to obtain an access token.
Restrict what routes are available when registering in a service provider by passing in:
Passport::routes(function ($router) {
$router->forAccessTokens();
$router->forTransientTokens();
});
That limits access to personal tokens and refresh tokens only. A client will be created when you run php artisan passport:install.
Setup a middleware to merge the password grant client id and secret in with the request, then make a call to the authorization endpoint. Then it's just a matter of returning the encrypted token and observing the Authorization header for requests to your api.
I am kind of confused about recognizing the discrepancy between Laravel Passport and tymondesigns/jwt-auth package. Do they actually serve the same purpose of API authentication via tokens?
As long as Laravel Passport was introduced in 5.3+, is one supposed to use Passport instead of tymondesigns/jwt-auth package in the latest versions?
The "tymondesigns/jwt-auth" is a PHP Laravel implementation of the JWT protocol. On the other hand, Passport also uses JWT by default plus a huge extra, a complete Oauth2 implementation. Regarding the functionality, as I said they both use JWT thus you can use whichever you like to authentication via tokens. They both do their job and you'll have a secure API tokens implementation.
The difference comes if you would like a lightweight API tokens implementation or the plus of the Oauth2 server to allow more and other apps to communicate with your app. One of the most common cases would be how some random apps ask Google or Facebook for your user information. If you implement the Oauth2 server your app would allow any other app with a proper token to ask for data from your app.
"[...] Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes. Passport is built on top of the League OAuth2 server that is maintained by Alex Bilbie." from https://laravel.com/docs/master/passport
For more details, I have made an explanation of Laravel Passport, JWT, Oauth2, and Auth0.
2021, Dec.
Laravel Passport does not sopport PHP 7.4. "psr/log" demands PHP 8. In case of PHP 7.4, use other solutions than Laravel Passport.
please help me,
I want the stateless authentication for Rest api for login api to to get the token from it by using guard in it.
You might consider using Laravel Lumen because laravel by default uses session state.
In lumen you can be able to authenticate a user by using the new Auth::viaRequest() method. Docs here: https://lumen.laravel.com/docs/5.2/authentication