Short version
Do we need GuzzleHttp to redirect to local POST route? Can't we do this directly using redirect()?
Long version
Following this Laravel tutorial about using Passport authentication, the presenter talks about a way of hiding client_id to increase security (check at around 11:45 in the video).
The idea is to expose a new wrapper route that accepts only username and password fields and then the controller injects client_id on the server-side and makes a new call to Passport's original login route. This call is made using GuzzleHttp client. Response of the call is then returned by the wrapper route to the caller.
My question is: Do we really need to install and use Guzzle? Can't we redirect to Passport's login route using redirect() or some other built-in Laravel function?
You need Guzzle to make a HTTP request so that you can modify the response before sending it.
You will not be able to hide any data using redirect() because it will just tell the browser (client) to use the passport route directly.
To avoid making the HTTP a call you could get your route to run the code that the passport route runs and then modify the response that is generated. Making a local HTTP call should not be a problem though.
Related
I'm building the backend with laravel and then using Vue as front-end. Data is accessed over api calls using axios. Now I have this relatively simple task but I can't seem to find the proper solution. I want one of the routes to be easily consumable by Vue compoenents without the need to log in, however I don't want that route to be publicly available for anyone to use.
Things I have tried:
Using passport to protect my routes and then use passport's CreateFreshApiToken middleware. Protection works fine, unauthorized users are not able to access the routes, however I don't get laravel_token in my cookies and therefore I can't get access to that route if I'm not logged in.
Use passport's client credentials grant access. Works fine and the way I want it to work but doesn't really make sense because if I hardcode the client_secret - anyone can access it and then use it to access protected routes. If I make a proxy-like solution, to call a controller method, which would issue a valid token and thus not exposing client_secret to front-end but then anyone could just call that route which issues the token and it would be pointless once again.
Apparently the answer is pretty simple and I was overcomplicating things. I don't know if this is the right/elegant way to do this but basically. If you don't need your api to be accessible from other applications (which I didn't) we can just put routes in web.php instead of api.php. This will ensure that web middleware is used and so it will use the basic csrf token validation, which is totally sufficient for protection against outside requests. You can also leave the route in api.php and just use web middleware on that route. The outcome is exactly what I needed - application is getting data over a route without any need to login AND that route is not available over postman or anything else.
Most of the requests like ChangePass, Create Blog, Update Blog and etc. are done via AJAX. I've decided to make API controllers that handle every AJAX based request that the user is sending.
Should I use Passport as well because of the API calls?
What's the best way to authorize every registered/logged user to make AJAX based requests, without they have to authorize themselves manually?
If you make those calls from a page which is already authenticated with Laravel adding Passport is not needed, just add csrf token as documentation explains, https://laravel.com/docs/5.7/csrf#csrf-x-csrf-token.
Passport is needed if your site doesn't authenticate against Laravel, like if you have separate NodeJS based client site and Laravel is acting only as an API backend.
After running an API call, in my controller, I'm trying to get the cookie value like this:
Cookie::get('gtdk')
It returns a empty value, although the cookie was already set in the browser.
Do I need to pass the cookie value as a parameter in the ajax call?
EDIT
It is also happening in a WEB route call - the cookie is not there when trying to read it in the Controller
Ok, so laravel encrypts the cookie names.
As the cookie was set using Javascript in the frontend, I could not read it by using Laravel methods.
Therefore, I've used it using PHP standard:
$_COOKIE['gtdk']
Another option is adding an exception for that cookie name in the the middleware.
I have a react app that fetch datas from laravel api defined like so in routes/api.php:
// this is default route provided by laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
// ItemController provides an index methods that list items with json
Route::resource('items', 'Api\ItemController', array('except' => array('create','edit')));
// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));
for example http://example.com/api/items returns the data as intended but it's really insecure since anyone could access it through postman.
How to make those routes only accessible inside the app?
As I'm new to it I don't understand if I need to set up api_token and how?
Do I need to setup Passport?
Is is related to auth:api middleware?
It may sounds really basic but any help or tutorial suggestions would be greatly appreciated
EDIT
End up with a classic session auth. Moved routes inside web.php. Pass csrf token in ajax request. Actually i didn't need a RESTful API. You only need token auth when your API is stateless.
As you are using Laravel 5.4 you can use Passport, but I haven't implemented yet, but i implemented lucadegasperi/oauth2-server-laravel for one of my laravel projects and it was developed in Laravel 5.1
Here is the link to github repository
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation Exrensive Documentation
Just add the package to the composer json and run composer update,the package will get installed to your application , once installed add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation,
you have to do a small tweak in order to work perfectly cut csrf from $middleware array and paste it into $routeMiddleware array and again run php artisan vendor:publish after publishing the migrations will be created and run the migration php artisan migrate
if you only want to secure api routes for each client like ios, android and web you can implement Client Credentials Grant, or if you need to every user with oauth the you can implement Authorization Server with the Password Grant or some other.,
Never use the client id or other credentials, generating access token in the form, but add it some where in helper and attach it in the request to the api,
Hope this answer helps you.
You could use JWT it's pretty easy to get it to work. You basically generate a token by requesting Username/Password and passing that token in every request that requires authentication, your URL would look like http://example.com/api/items?token=SOME-TOKEN. without a proper token, he doesn't have access do this endpoint.
As for
How to make those routes only accessible inside the app?
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests, he can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you to have a look at this question
I'm having trouble authenticating users via Vue 2.0.
In Vue I have a form in which the user enters all his data and submits it via POST to a Laravel (web route) endpoint.
Then the user is created in the UserController method with the supplied data and I'm stuck at this point as I don't manage to authenticate my user after creation and redirecting him to some route (other page).
User creation goes fine...
Can someone explain me rapidly how it should work? (as I understood that I can't redirect from the controller as the data is POSTed via an ajax call).
What's the "right" way to do this as I'm afraid I'm completely mistaken :)
Thanks in advance for your help.
You would have to perform the redirection at the front end script after receiving the response from the controller method.
This is my thought as a possible solution for you:-
The authentication can be done in the controller following the creation. The controller method then need to return a JSON response indicating success.
Note: Laravel 5.3 ships with pre-built authentication controllers. RegisterController handles user registration.
The Vue script need to process the response i.e. if success, redirect to somewhere or if failed, prompt a message.
Cheers!