How to do CSRF verification along with Bearer token in Laravel? - laravel

Pardon me if I am wrong.
I am going to build a system using Angular and a Laravel API, and these are some things about what I am doing.
I am using Passport and I am successfully able to do authentication.
I also want to do CSRF verification because I still don't know where to store the token. If I store it in cookies it's vulnerable to CSRF (that's why I need to do a CSRF check). What if I store the bearer token in local storage? Should I need to do a CSRF verify?
How can I do a CSRF verify along with a bearer token? (using web middleware)
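The two credentials travel differently, and that difference is the whole CSRF question: a cookie is attached by the browser to any request aimed at the site, while an Authorization header can only be added by script running on the app's own origin. The following is an added example, not code from the question, Angular or Laravel; it models the client side in plain JavaScript. It assumes Laravel's default cookie and header names (the non-HttpOnly, URL-encoded XSRF-TOKEN cookie echoed back as X-XSRF-TOKEN, which is what Angular's HttpClientXsrfModule and axios do automatically) and a bearer token held by the SPA, passed in as bearerToken.

```javascript
// Added example: assemble the headers an SPA sends to a Laravel API that is
// protected by both a bearer token and Laravel's CSRF middleware.
// Assumptions: XSRF-TOKEN cookie (readable by script) and X-XSRF-TOKEN header,
// Laravel's defaults; the bearer token is whatever the SPA holds in memory or
// localStorage. Neither value is from the original page.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Parse a document.cookie string ("a=1; b=2") into a name -> decoded value map.
// Laravel URL-encodes cookie values, so each value is decoded once here.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      out[name] = raw; // malformed encoding: keep the raw value rather than throw
    }
  }
  return out;
}

// Build the headers for one API call.
// - method: HTTP method of the call
// - bearerToken: token the SPA holds (null when not logged in)
// - cookieString: the value of document.cookie at call time
function buildAuthHeaders({ method, bearerToken, cookieString }) {
  const headers = { Accept: 'application/json' };

  // Only script can set this header, so a cross-site <form> post cannot
  // carry the bearer token: requests authenticated this way are not
  // CSRF-exposed. The trade-off is that script-readable storage (localStorage)
  // is readable by injected script too (XSS).
  if (bearerToken) headers.Authorization = `Bearer ${bearerToken}`;

  // The XSRF-TOKEN cookie is deliberately readable; echoing it back as a
  // header proves the request came from script on the app's origin. Laravel
  // skips the check for reading methods, so the header is only added otherwise.
  if (!SAFE_METHODS.has(String(method).toUpperCase())) {
    const xsrf = parseCookies(cookieString)['XSRF-TOKEN'];
    if (xsrf) headers['X-XSRF-TOKEN'] = xsrf;
  }
  return headers;
}

// A fetch() init object for the call. credentials: 'same-origin' lets the
// session / Passport cookies travel while the custom headers above are kept.
function requestInit({ method, bearerToken, cookieString, body }) {
  const init = {
    method: String(method).toUpperCase(),
    headers: buildAuthHeaders({ method, bearerToken, cookieString }),
    credentials: 'same-origin',
  };
  if (body !== undefined) {
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return init;
}

module.exports = { parseCookies, buildAuthHeaders, requestInit };
```

If the token stays in localStorage and only ever travels in the Authorization header, a CSRF check adds nothing for those requests because no cross-site page can make the browser attach that header. If instead the token is moved into an HttpOnly cookie (for example via Passport::cookie), the browser attaches it to every request to the site and the X-XSRF-TOKEN check must then be enforced on the server for every state-changing route.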

Related

Laravel Vue JS JWT Implementation

I am trying to understand how auth in an SPA context with a JWT token should be implemented, based on a register / login / logout process. I have been searching on the web and have implemented tymon jwt on the Laravel side, but I am confused about the next step regarding the register form and login form.
Do I understand correctly that when my user registers for the first time on my website, this is the time the JWT token should be generated and recorded in a cookie? If yes, is it Vue or Laravel which should record the JWT token in a cookie? I suppose Vue?! If yes, in which manner?
Other question: what happens if the user clears the browser cache and eliminates the cookie containing the JWT from his computer? Does he need to register again to get a new token?? I am totally confused about the process.
Getting a more detailed and step by step process would help.
Thanks
The rough sketch for JWT authentication works like this:
1. Registration (optional, if the user is not registered): the user fills the registration form, which is posted to the register route; the user account is created and the API responds with 201 (Created).
2. Login: the user uses his credentials to log in to the app. The credentials are verified and a JWT token is issued and sent back to the user.
3. Vue handles the JWT token and stores the provided token in cookies (you can use js-cookie to handle this, usually in Vuex state).
4. The token is used with every request sent to the server; the server verifies the token and then the request proceeds.
5. Logging out requests the server to invalidate the token and then removes the token from the cookies.
You can use Laravel Passport, Laravel Sanctum or tymon/jwt for token management.

Is it possible to use Laravel Passport authentication with web other than API?

Is it possible to use Laravel Passport with web page authentication? I have a Laravel project which is using both API and web sides. I am trying to integrate the login and authentication with Passport.
The auth/token gives me the Bearer token. But how can I add the authentication middleware in the dashboard redirection after login?
I tried adding an access_token key in the cookie with the token value. And added
Passport::cookie('access_token');
in AuthServiceProvider.php boot() function. But still I am getting the error
{"status":"error","data":{"message":"Unauthorized"}}
Is it possible to implement my idea? If so please help on this.
I am not sure if I have understood you correctly, but the access token should be placed in the headers, not as a cookie:
Authorization: Bearer {token}

Is csrf enough for security when posting data to server via axios?

I use Laravel for a project. It is not a Vue SPA, so no routes are used at all. The register, login and some other form inputs and outputs are made with modals using Vue. For posting the form vars axios is used. For server-side authentication Laravel's standard auth is used. But there is no other authentication like JWT. Should I use other auth types or would CSRF be enough? Are there other suggestions?
Usually for web routes the CSRF token is secure enough, or it has been so far. And it does:
1. Check if the request is a reading request (HEAD, GET, OPTIONS). If so, skip the check.
2. Match the token from the _token input or from the headers.
3. Add a cookie with the token to each request.
If you are using API routes then you can choose Laravel Passport, with which you can set up OAuth2, or you could build your own custom auth middleware using JWT tokens.

Bearer Token generation and Validation in Owin auth 2

I am developing Web API 2 services with authentication as bearer token using OAuth 2. I am not able to understand how the authorization server creates a token and revalidates that token for subsequent requests with that token. I also want to know, if I request a token for the same user name and password from a different machine, how the server manages the token generation.
Regards

Httponly cookie as bearer token - Laravel Passport

I have begun building an application using React JS and Laravel 5.5. I have installed Laravel Passport and have successfully managed to log my user in and out in my React JS app, but I have been told to look into using httponly cookies for security purposes.
In my working code, I have simply stored the access token in localStorage and sent it to the API using 'Authorization': 'Bearer ' + token in the axios headers, and this works perfectly. However, when I set a cookie using httponly I can't fetch the value of it (which I assume is exactly the point!) - using react-cookie (from npm), if I log cookie.loadAll() to the console then the only cookie I see is a new XSRF-TOKEN cookie, but not the accessToken cookie I set. So how do I go about sending this token to the API?
Since you can't read the httpOnly cookie from JS, when getting a new token from the backend, the backend has to send the token in the response body.
Browser session cookie usage and bearer tokens are different strategies of authentication (cookie based and token based).
In my opinion they should not be mixed.
Laravel Passport supports authentication with bearer token or with cookie out of the box (see the condition in TokenGuard user).
You have to use Passport::cookie for this.
In this case you will be able to set the cookie and use the HttpOnly flag with other attributes to secure them.
HttpOnly cookie as bearer token doesn't make much sense. Having cookies httponly helps to protect you and the user against XSS attacks, as they're not readable by JavaScript. They can be used e.g. for storing session information and are sent when the user does e.g. a page reload.
Setting the Authorization header to 'Bearer ' + token is the correct way to send the token to the API. Before using the token on the API server you should always check if the token is still valid.
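What the questioner saw in cookie.loadAll() (only XSRF-TOKEN, not the token cookie) is exactly the HttpOnly flag at work, and the answers above turn on the other attributes that go with it. The following is an added example, not code from the question, react-cookie or Passport: it serialises a Set-Cookie header for a token cookie, parses such headers back, works out which cookies document.cookie would expose, and audits a token cookie for the attributes that limit XSS and CSRF exposure. The cookie name access_token, the attribute defaults and the finding texts are assumptions for the example.

```javascript
// Added example: cookie attribute serialisation, parsing and a small audit.
// Not code from any library on the page; names and defaults are constructed.

// Build a Set-Cookie header. Defaults are the hardened choice for a cookie
// that carries a credential; callers opt out explicitly.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/', maxAge } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header into its name, decoded value and the flags
// that matter for exposure. Unknown attributes are ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = String(header).split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1)),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// What document.cookie, and therefore react-cookie's loadAll(), would show
// after these Set-Cookie headers: HttpOnly cookies are absent by design.
function scriptVisibleCookies(setCookieHeaders) {
  const visible = {};
  for (const c of setCookieHeaders.map(parseSetCookie)) {
    if (!c.httpOnly) visible[c.name] = c.value;
  }
  return visible;
}

// Defender's check for a cookie that carries a token or session id:
// unreadable by script, TLS only, and not attached to cross-site requests.
// SameSite narrows CSRF exposure; it does not replace the CSRF token check.
function auditTokenCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly: readable by injected script (XSS)');
  if (!c.secure) findings.push('missing Secure: may be sent over plain HTTP');
  if (!c.sameSite || c.sameSite.toLowerCase() === 'none') {
    findings.push('SameSite missing or None: attached to cross-site requests (CSRF)');
  }
  return findings;
}

module.exports = { buildSetCookie, parseSetCookie, scriptVisibleCookies, auditTokenCookie };
```

Run against the two cookies from the question, the token cookie built with the defaults is invisible to script and passes the audit, while the XSRF-TOKEN cookie remains visible, which is what lets a script copy it into the X-XSRF-TOKEN header. A token cookie set with no attributes at all collects all three findings.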
