Best practices in a laravel & vuejs application authentication and routing - laravel

I am going to build an SPA with Laravel and Vuejs.
Since this will be my first large application using this combination, I had some questions that I wanted to ask because I didn't find a clear answer:
1: Authentication. When searching on the internet I found a lot of topics about authenticating with a JWT token. What is the advantage of using such a token instead of normal authentication? If I authenticate in the "normal" way and check for auth()->check() in my application I have the same result no?
2: Routing. Since I will be using Vue-router, my application will have Vue and Laravel based routes. Does that mean that the Laravel routes are defined as API calls? And should they be in the API route group then? Or are they just normal routes that belong to the application?

JWT tokens have some advantages over traditional session base authentication. For example you don store session data on server and save server resources , jwt tokens are available in your request amoung multiple servers and so on...
For further reading check this article :
https://float-middle.com/json-web-tokens-jwt-vs-sessions/
2.Yes you should use laravel routes as restful apis

Related

What is Laravel Sanctum supposed to be able to do?

To be honest, I don't understand the concept of Laravel Sanctum. Before there was Sanctum, people used JWT. That always worked very well. In other frameworks in the Node context, I only use JWT. I am very confused by the paragraph about the SPA Auth (https://laravel.com/docs/9.x/sanctum#how-it-works-spa-authentication). It talks about Sanactum also using the web auth. Does that mean that if I log in via the web route (auth), I can also use the api route (auth:sanctum)?
Thanks! Max

Secured web application with API backend in Laravel

I've created a web application that uses the built-in authentication method for the web, once the user is authenticated he/she is presented with a dashboard page. At this moment Ajax calls to an API need to be made to fetch data for the logged-in user. What would be the correct approach to this to make it is secure?
As a next step, I would like to be able to use the API "stand-alone" as well, so a 3rd party could access the dataset through the API as well.
Right now I am looking into Laravel Passport as well as Spatie Permission package to help me with access control.
If you are using ajax calls in same domain it won't be problem with built-in authentication to give access to authorized users only, because tokens & sessions are accessible for laravel and you can get authenticated users by default.
If you want to make external api as well the best approach will be to use Laravel Passport and pass token in Authorization header as usual.
Hope this helps you

Laravel Passport Vs Laravel Sactum

Description
Currently, all my clients project was builded using Laravel Passport but recently I had read about the Laravel Sactum. It sounds similar to me.
Questions
I am getting really confuse? What are the main different between these two and in what scenario we should use each of them? Since we already have passport, what is the point of having Laravel Sactum? Any hints?
laravel passport follows oauth2 and is one of the implementations.
laravel sanctum provides a simple way for your authentication system for SPAs.
As you already used passport, there is no point to change to sanctum.
Sanctum is for the app that does not want to use the complex oauth2 flow.
To understand thing in dept
Article :https://divinglaravel.com/authentication-and-laravel-airlock
Notes: Laravel airlock(Old name) and Laravel sanctum(new name)
Youtube's Explanation: https://www.youtube.com/watch?v=LELn-3ZpH9I
My Summary (Benefits of Laravel Sactum)
If you are using spa(single page application, either vue, angular
or react). Need not to include the bearer token into the request. It
is automatically done after your first request to
/airlock/csrf-cookie. The whole idea is turn the stateless http to stateful http.
If we have a stateless application like mobile application or
others. We could easily create a stateless token using the following code.
$user->createToken(
'laravel-forge',
['server:create', 'server:delete']
);
Simplify maintenance part because programmer does not need to understand the concept of oauth2.

Generate api token for users in database laravel

I have a database of users that work with web login based on laravel sessions. Now I want to generate an api token for each of these users for an api login, how can I generate it? I have already migrated to the database for this new column but I need each user to have their api token.
I'd recomment you to use Laravel Passport. APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
If You need session mechanism then You should use Laravel Passport.
But if You are building traditonal stateless REST Api then you can use API Authentication

API Security for a Laravel+Nuxt.js project

I have a website which is based on a Laravel backend api and a Nuxt.js frontend app.
The laravel app is served at api.website.com. Till now the api was open, meaning everyone can make a get request. There are almost no post requests.
I know need to implement a login mechanism for the users (Usual login+register and facebook login).
My question is about how would I go to make this process secure. Do I need Laravel Passport (or other similar mechanism)?
My thought is that, say I have an endpoint api.website.com/register (POST), I do not want anyone to be able to just make a post request and create an account. I need to have some sort of security like a csrf token. I know I can use CORS but that doesn't really provide much of security in this case.
You can use jwt like this or laravel passport.

Resources