Can someone assist me here? I have succeeded in setting up Passport on Laravel 5.4 and everything seems to work perfectly. My question is, once the token is generated, am I supposed to save it for subsequent usage? I am just confused about the workflow. I am using the password grant. I want to know how to pass the token to another route that is making another call to another endpoint once the token has been generated.
You append the generated token to each and every subsequent request that needs to be authenticated. In this case, attach it to the Authorization header of the request. Something like this:
Bearer eJ0eXAiOi.......
When I need to do a front and back which speaks to each other with APIs, I do like this:
the user connects with their login/password
the back checks and if it is good returns a token to the front
the front stores this token in the localStorage
and for all future requests, the token is added in the form of Bearer
and for each request, the back checks the presence/validity of this token (middleware)
Perfect. Everything works.
Except that I read that storing the token in localStorage is not secure at all, and that it is better to use cookies. And this is precisely what Sanctum allows with Laravel. If I understand correctly, with Laravel Sanctum there is no more need for a token; everything happens with cookies between front and back. This is what I see with my different tests. Have I understood correctly?
I am disturbed by this.
I was reading the documentation, and one question occurred to me. Why would we need to call this endpoint /sanctum/csrf-cookie to get CSRF protection when logging in?
I understand what CSRF is, and per my understanding, the practice that Laravel uses to prevent CSRF is to set a cookie xsrf-token in the browser, and then Angular or some other framework would automatically attach the cookie to the header as x-xsrf-token; this is also called server-side double submit, one of the practices to prevent CSRF.
However, I just don't get why on Laravel Sanctum we have to manually call /sanctum/csrf-cookie before login. With Web guard, this protection is automatic after login without any manual work before login.
My question is what is the benefit or logic for calling /sanctum/csrf-cookie before login rather than automatically sending x-csrf-cookie to browser via response after login?
Any help explaining this further would be much appreciated.
I am using Laravel as my backend together with Sanctum, which generates personal access tokens for mobile users. For my mobile application I am using Flutter.
To authenticate users they log in with their username/password and get a personal access token in return. This works but requires a user to log in every time they open the application again, so I did what most tutorials suggest, which is saving the token on the mobile device using shared preferences/secure storage.
Now comes the question: how do you invalidate a user when you remove their token from the backend? On initial login it appears everything is still fine because, like in most tutorials, I check for the existence of a token. After that, whenever I want to make a request which uses the token I obviously run into problems because it no longer exists on the backend.
Most tutorials/guides suggest saving the token and using that as a reference to see if the user is logged in or not, but this seems flawed because it gives the false impression you actually have a valid token.
My guess is this can be solved by always performing a heartbeat/ping action to check if the current token is valid and if not send them to the login screen instead of simply checking for the existence of the token.
Thoughts on this?
I can suggest a hack or trick here: on every launch of the app you can send a request to an API to check if the user's token is valid or not, and if it is valid then you can continue the app; otherwise force the user to log in and generate a new token. This way your app will be secure via the server / API.
For this, you can store the user's secret token in the database and check it via an HTTP API call, send a response from the API accordingly, then check the response in the app and do the next operation according to the response you get.
I don't know if this is a great way of doing this job but it is a kind of hack/trick to achieve what is needed.
Thanks
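The heartbeat the two posts above describe, as an added example (not code from the thread): a Sanctum-guarded status route the app can call on launch, plus a logout route that revokes only the current token. Route paths and the JSON shape are assumptions; everything else is standard Sanctum API.

```php
<?php
// routes/api.php (added example; assumes Laravel Sanctum personal access
// tokens as issued to the mobile app, not SPA cookie sessions)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\PersonalAccessToken;

// The app calls this on every launch instead of trusting the token it finds
// in secure storage. auth:sanctum answers 401 for a missing, malformed or
// revoked token before the closure runs, so reaching the body means the
// token row still exists on the backend.
Route::middleware('auth:sanctum')->get('/token/status', function (Request $request) {
    $token = $request->user()->currentAccessToken();

    // With SPA cookie auth currentAccessToken() is a TransientToken with no
    // name or timestamps, so only report those for a real stored token.
    $details = $token instanceof PersonalAccessToken ? [
        'token_name'   => $token->name,
        'last_used_at' => optional($token->last_used_at)->toIso8601String(),
        'expires_at'   => optional($token->expires_at)->toIso8601String(),
    ] : [];

    return response()->json(['valid' => true] + $details);
});

// Explicit logout: deletes only the token used for this request, so the
// user's other devices stay signed in. The app clears its stored copy after
// the 204; even if it does not, the next /token/status call gets a 401.
Route::middleware('auth:sanctum')->post('/logout', function (Request $request) {
    $request->user()->currentAccessToken()->delete();

    return response()->noContent();
});
```

The client-side rule is then simple: treat anything other than a 200 from /token/status as "not logged in" and show the login screen, regardless of what is sitting in secure storage.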
I am using Basic Auth (Auth::onceBasic()) in Laravel.
How can I generate the token shown after 'BASIC' which is sent in the header and is automatically generated by Postman?
I believe I need to send that token back to the user so he can login next time with that token in the header?
I wonder how I can return it to the user from the code. In the screenshot below Postman generates it by itself. I hope I have understood Basic Auth correctly. I know how to do it using Passport.
I have created a Laravel 5.4 App, which is a REST based API for serving out data about our inventory to customers.
I have implemented Passport-based authentication, and my customers create 'Personal Access Tokens' and use those in their client requests. All of this is working fine.
I now need to meter the usage of the API to figure out which user, and which token (by Name) is making the request.
I am able to get the User by using $request->session();, but how do I get the name of the Token that is making the request?
Laravel passport searches for valid tokens in 2 locations:
the bearer token
a cookie
When boiled down, you could use this method to find the token you seek:
$token = $request->bearerToken() ?? $request->cookie(Passport::cookie());
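A metering middleware that answers the question above, as an added example (not code from the thread): it records which user and which named token made each request. It assumes the route is already guarded by Passport's auth:api middleware, so the user and token have been resolved from the bearer token or the Passport cookie; the log field names are illustrative.

```php
<?php
// app/Http/Middleware/MeterApiUsage.php (added example; register it in the
// kernel's route middleware and apply it after auth:api)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Laravel\Passport\Passport;
use Laravel\Passport\Token;

class MeterApiUsage
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        $user = $request->user();
        // Passport attaches the credential it authenticated with to the user.
        // For a personal access token this is a Token model whose `name`
        // column is what the customer typed when creating it; for the cookie
        // path it is a TransientToken with no id or name, hence the check.
        $token = $user ? $user->token() : null;
        $named = $token instanceof Token;

        // Which transport carried the credential, mirroring the two places
        // Passport looks.
        $via = $request->bearerToken()
            ? 'bearer'
            : ($request->cookie(Passport::cookie()) ? 'cookie' : 'none');

        Log::info('api.request', [
            'user_id'    => $user ? $user->getKey() : null,
            'token_id'   => $named ? $token->id : null,
            'token_name' => $named ? $token->name : null,
            'via'        => $via,
            'route'      => optional($request->route())->getName() ?? $request->path(),
            'status'     => $response->getStatusCode(),
            'ip'         => $request->ip(),
        ]);

        return $response;
    }
}
```

Logging after `$next($request)` means failed requests are metered too, with their status code, which is what you want when looking for a token that is being abused or has leaked.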