I have created a Laravel 5.4 App, which is a REST based API for serving out data about our inventory to customers.
I have implemented Passport based Authentication, and My customers create a 'Personal Access Tokens' and use that in their client requests. All of this is working fine.
I now need to meter the usage of the API to figure out which user, and which token (by Name) is making the request.
I am able to get the User by using $request->session();, but how do I get the name of the Token that is making the request?
Laravel passport searches for valid tokens in 2 locations:
the bearer token
a cookie
When boiled down, you could use this method to find the token you seek:
$token = $request->bearerToken() ?? $request->cookie(Passport::cookie());
Related
I am currently using a API to validate Login Credentials.
I have gotten to the point where I am sending username/password correctly.
This API will return a bolean, depending on if those credentials are correct.
Along with the entire user's information, including their address etc.
How can I correctly store this into Laravel Auth, so I can use Auth::user etc in blade?
I do NOT have Database access, only API access to validate user login details.
I cannot create a local - Laravel database, as this application has to be completely API based.
I am using Guzzle to query the API.
You should try using JWT for authentication, implementing your own API Authentication can cause some security issues if not done right.
Also JWT for Laravel already has support for Laravels Authentication system
I have been created PWA with NuxtJS,
then I'm going to use sanctum package, but I don't want to request to the typical Laravel /login route, because I have a customized api /login route which authenticates users with OTP, not by password!
So I'm wonder how can I use sanctum in this situation??
You can use Sanctum's token based authentication to achieve this. All you have to do is add the HasApiTokens trait to your authenticable model and issue new tokens for it on a successful login. So you would have a route which will accept phone number or email and perform a login action. This would trigger the application to send OTP to the user. You have to store the OTP somewhere on the system. Then create another endpoint where user's can send back the OTP they received. This route will then check if the provided OTP matches the one on the system and issue a token to the user.
$token = $user->createToken(<provide-a-token-name>);
Make sure to send back the plaintext token to the user using the plainTextToken function on the token instance. User's will need to add this token to requests as a bearer token in the Authorization header.
Is there any possible way to generate access Token so that when anyone
tries to retrieve data from the API they must pass the token as header
to get access to that
I have been searching for it but it every website is showing this->
$user = Auth::user();
$success['token'] = $user->createToken('MyApp')-> accessToken;
There won't be any user for this purpose, When the other website will hit this api with valid header it will atomatically send all the data to that device .....
can anyone help me with this any help would be highly appreciated ....
Why dont you create a database called token and store multiple token strings.
Then, whenever, a request hits the server it checks for that token is present or not in the https header.
This way you can create multiple tokens and share it with your API partners. However, this is always public so you might want to add security features on it.
Since you dont have users, there will not be a two way handshake such that you will have to keep sending same token on all requests
So my proposal would be use of API Secret keys.
Steps:
Store api keys in database tables
Send API keys in http headder
As soon as the request hits the server check if token is present in the header
IF token is present check if the token matches database records
By the way without a user the api token is not that secured.
I have a Laravel 5.5 Application that's using the session based auth out of the box. On some of these pages I have react components that need to get/post data from/to an API.
What is the best practice for handling this? Do I simply hide the API endpoints behind the auth? This would work but should I be using Laravel Passport for this instead?
I've had a play with Passport and it seems that this would work but I don't need users to be able to create clients and grant 3rd party applications permission etc. There is just the first party react app consuming the data from inside the laravel application (view).
From my initial experimenting with it, it seems I'd need to have the login call made first to receive an access token to then make further calls. As the user will already be authenticated in the session is there an easier way?
I'm not sure if Passport is intended to be used for this purpose or not. I'd rather take the time to get it right now as I'd like to get the foundations right now if the app scales.
You can proxy authentication with Passport. Using the password grant type users would still log in with their username/password, then behind the scenes make an internal request to Passport to obtain an access token.
Restrict what routes are available when registering in a service provider by passing in:
Passport::routes(function ($router) {
$router->forAccessTokens();
$router->forTransientTokens();
});
That limits access to personal tokens and refresh tokens only. A client will be created when you run php artisan passport:install.
Setup a middleware to merge the password grant client id and secret in with the request, then make a call to the authorization endpoint. Then it's just a matter of returning the encrypted token and observing the Authorization header for requests to your api.
Basically I have an api /mobileapp/register which calls a controller to register a customer on my system. I am trying to use Laravel passport to generate an access token for the non authenticated user but I cannot understand how it will work. Basically I need to allow /mobileapp/register to be accessed securely whether using an access token or something secure. How can we achieve this?