I am implementing Laravel Sanctum API in my service but I am having some issues with sessions. Let me explain:
I need to save some data for each user who authenticates via token. Now, if the token doesn't exist but the session does, the Sanctum middleware routes still pass. I have read that the session comes into play if the token is not present, but this is incorrect because the token should be valid for the duration of the session. Am I doing something wrong?
Related
I just learned JWT in PHP. I understand a little bit of how JWT works on a single page. Now I am implementing it on multiple pages (moving from one page to another).
Is my implementation correct if, every time a user moves to another page, we have to fill HTTP_AUTHORIZATION with the token (bearer code) and at the same time generate a new token?
Thanks in advance
Conceptually, a JWT is a bearer token issued to a user after a successful login using their username and password.
Normally for a mobile app we set a long expiry on the JWT, while for a web app we use the JWT refresh mechanism to avoid invalid API abuse, by invalidating the old token and refreshing with a new set of tokens without logging in again. Once the JWT has expired, the user will need to be kicked out.
For a mobile app, the JWT can be saved in SharedPreferences and the same key used for all API calls. Set it at the environment level instead of per page, so that you do not need to set it again on every page.
Have a read of this: https://tech.justeattakeaway.com/2019/12/04/lessons-learned-from-handling-jwt-on-mobile/
I have implemented JWT in Laravel, which is working fine so far, but I want to know how to invalidate all tokens of a particular user when they change their password.
For logout, I have written the following code:
JWTAuth::invalidate();
Is there any way to invalidate all the tokens of that user?
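The following is an added example, not code from either of the posts above and not the tymon/jwt-auth API. It is a minimal HS256 JWT helper in plain PHP that shows two things at once: the token is issued once at login and the same value is sent on every request until it expires (the question about regenerating a token per page), and every token of one user can be revoked in a single step by binding tokens to a per-user token version that is bumped on password change (the question about invalidating all tokens). The claim name tv, the token_version column and the in-memory $users table are assumptions made for this example.

```php
<?php
// Added example (not from the original posts, not tymon/jwt-auth): HS256 JWT issue
// and verify using only PHP's standard library, plus revoke-all-on-password-change
// via an assumed per-user "token_version" carried in the token as claim "tv".

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string
{
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4));
}

// Issue a token once, at login. It carries sub (user id), the user's current
// token_version, iat and exp; the client reuses it unchanged on every request.
function jwt_issue(int $userId, int $tokenVersion, string $secret, int $ttl, int $now): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'sub' => $userId,
        'tv'  => $tokenVersion, // assumed custom claim: per-user token version
        'iat' => $now,
        'exp' => $now + $ttl,
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify signature and expiry, then compare the tv claim with the user's stored
// token_version. Returns the claims on success, null on any failure.
function jwt_verify(string $jwt, string $secret, array $users, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;

    $hdr = json_decode(b64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null; // pin the algorithm; never let the token choose it
    }
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null; // constant-time comparison of the signature
    }
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= $now) {
        return null; // expired: the client must refresh or log in again
    }
    $user = $users[$claims['sub'] ?? null] ?? null;
    if ($user === null || ($claims['tv'] ?? null) !== $user['token_version']) {
        return null; // token_version mismatch: revoked by a password change
    }
    return $claims;
}

// Password change: store the new hash and bump token_version. Every token issued
// before this point now fails the tv check, with no per-token blacklist needed.
function change_password(array &$users, int $userId, string $newPassword): void
{
    $users[$userId]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$userId]['token_version']++;
}

// Demo with a constructed in-memory user table (assumption: real code reads the DB).
$secret = 'replace-with-a-long-random-server-secret';
$users  = [42 => ['password_hash' => password_hash('old-pass', PASSWORD_DEFAULT), 'token_version' => 1]];
$now    = time();

$token = jwt_issue(42, $users[42]['token_version'], $secret, 900, $now);
var_dump(jwt_verify($token, $secret, $users, $now) !== null);       // 1. same token on a later request
var_dump(jwt_verify($token, $secret, $users, $now + 901) !== null); // 2. after exp has passed
var_dump(jwt_verify($token . 'x', $secret, $users, $now) !== null); // 3. tampered signature

change_password($users, 42, 'new-pass');
var_dump(jwt_verify($token, $secret, $users, $now) !== null);       // 4. after a password change
```

Bumping token_version only needs one extra column on the users table and one comparison per request; the alternative of blacklisting every outstanding token requires knowing which tokens exist. If you already use tymon/jwt-auth, the same idea can be carried in a custom claim and checked in your own middleware after the package has verified the signature.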
I am creating a new REST API using Laravel 5.6. For API authorization, I have implemented Passport and it is working fine.
However, I want a system where anyone who wants to access any route of my API, including register and login, requires a token.
I am thinking of it this way, but I am not so sure how I can implement it in Laravel.
I will issue one static token and will store it in the database.
I will encrypt that token and will provide it to the client, in my case a mobile app.
On the mobile side I will store the token in shared preferences so no one will have direct access.
When the mobile app sends a request to access any route of the API, it has to pass the token in the header with a custom key.
The API will decrypt the token and match it with the database one.
If it matches, that will allow access to the API.
Then later I may use the Passport token to add an additional layer of security.
My question is,
How do I implement this system in Laravel so I don't have to write code for every request and all requests pass through this validation?
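One way to build the scheme described above, as an added example that is not the poster's code: a Laravel middleware that checks the static app token on every request and is registered once as global middleware, so no route has to call it explicitly. Assumed details: the client sends the Crypt-encrypted token in an X-App-Token header, and the database holds only a SHA-256 hash of the plaintext token in an app_tokens table (columns token_hash and active); the table, column and header names are assumptions. One caveat a practitioner would add: a single static token shipped inside a mobile app can be extracted from the device, so it identifies the app build, not a user. Treat it as a coarse gate and keep Passport for user identity, as the poster plans.

```php
<?php
// Added example (not from the original post): global Laravel middleware enforcing a
// static app token. Assumes header "X-App-Token", table "app_tokens" with columns
// "token_hash" (sha256 of the plaintext token) and "active".

namespace App\Http\Middleware;

use Closure;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;

class VerifyAppToken
{
    public function handle(Request $request, Closure $next)
    {
        $encrypted = $request->header('X-App-Token');
        if ($encrypted === null) {
            return response()->json(['error' => 'missing app token'], 401);
        }

        try {
            // Crypt::decryptString uses APP_KEY and checks the ciphertext MAC, so a
            // tampered or foreign ciphertext throws instead of yielding garbage.
            $plain = Crypt::decryptString($encrypted);
        } catch (DecryptException $e) {
            return response()->json(['error' => 'invalid app token'], 401);
        }

        // Compare hashes in constant time. The DB never holds the plaintext token,
        // so a leaked table alone does not give an attacker a usable header value.
        $stored = DB::table('app_tokens')->where('active', true)->value('token_hash');
        if ($stored === null || !hash_equals($stored, hash('sha256', $plain))) {
            return response()->json(['error' => 'invalid app token'], 401);
        }

        return $next($request);
    }

    // Issuing side (run once, e.g. from an artisan command): generate a random
    // token, persist only its hash, and return the encrypted form for the app.
    public static function issue(): string
    {
        $plain = bin2hex(random_bytes(32));
        DB::table('app_tokens')->update(['active' => false]); // rotate: retire old tokens
        DB::table('app_tokens')->insert(['token_hash' => hash('sha256', $plain), 'active' => true]);
        return Crypt::encryptString($plain);
    }
}

// Register once in app/Http/Kernel.php so every route, including register and
// login, passes through it:
//
//     protected $middleware = [
//         // ...existing global middleware...
//         \App\Http\Middleware\VerifyAppToken::class,
//     ];
```

Because the check lives in the global $middleware stack rather than a route group, a new route cannot be added without going through it, which is the "all requests pass through this validation" requirement from the question.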
I have read some tutorials and video tutorials and they explain how to create an api_token.
I know that I have to change the AuthController and add a new field, api_token, when a new user registers. I know that I have to add the auth middleware in the routes, etc.
But what I don't understand is this...
1) A new user registers in the app.
2) The app automatically creates an api_token for the user.
But I wonder how this user will know what their api_token is, because if this user turns off the computer and then returns to the app, how will they know their api_token again? They will not register again.
Thanks.
Have a look at Laravel Passport. Laravel Passport uses, for instance, OAuth authorization. If you log in to your application you get an access token and a refresh token. The access token is self-explanatory: you basically get access to the application. The refresh token refreshes your access after a specific amount of time; that value is typically written in a configuration file.
I started with an API inside Laravel with the JWT package; another Laravel frontend installation should be able to log in to this Laravel API, but I'm not really sure how to handle this the right way.
My setup is like this:
Laravel API -> receives POST login -> returns a token and a user model -> Laravel frontend receives this data
But then what? How would I 'auth' the right way inside the Laravel frontend part?
Just set my own sessions and check that way? Any suggestions would be nice! :)
First you authenticate with the Laravel API, performing the POST request as you mentioned. This should provide you with your JWT or access_token, along with a refresh token.
You then append this token to your requests in the Authorization header.
So the key is Authorization and the value will be Bearer <access_token>.
Finally your routes must have the correct middleware to require a valid token, for example the auth middleware.
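The frontend half of that flow, as an added example that is not part of the answer above or the poster's project. It also answers the earlier api_token question: the user never has to "know" the token, because the login response returns it and the frontend keeps it in the server-side session for as long as the session lasts. Assumptions: the API base URL is in config('services.api.url'), Guzzle is the HTTP client, and POST /login answers with JSON shaped like {"access_token": "...", "user": {...}}.

```php
<?php
// Added example (not from the original posts): a Laravel frontend talking to a
// separate Laravel API. The access token from POST /login lives in the frontend's
// server-side session (not in HTML, JS-readable storage or a plain cookie), and
// every API call sends it as "Authorization: Bearer <token>".
// Assumptions: Guzzle, config('services.api.url'), login JSON with "access_token".

// app/Services/ApiClient.php
namespace App\Services;

use GuzzleHttp\Client;
use GuzzleHttp\Exception\ClientException;

class ApiClient
{
    private Client $http;

    public function __construct(?Client $http = null)
    {
        $this->http = $http ?? new Client([
            'base_uri' => config('services.api.url'),
            'timeout'  => 5,
        ]);
    }

    // Step 1: authenticate once. Regenerate the session id so a pre-login session
    // id cannot be fixed by an attacker, then keep the token in the session.
    public function login(string $email, string $password): bool
    {
        try {
            $res = $this->http->post('/login', ['json' => ['email' => $email, 'password' => $password]]);
        } catch (ClientException $e) {
            return false; // 4xx from the API: bad credentials
        }
        $data = json_decode((string) $res->getBody(), true);
        if (empty($data['access_token'])) {
            return false;
        }
        session()->regenerate();
        session(['api_token' => $data['access_token'], 'api_user' => $data['user'] ?? null]);
        return true;
    }

    // Step 2: every later call reuses the same token from the session. A 401 means
    // the API no longer accepts it (expired or revoked), so the local login is dropped.
    public function get(string $path): ?array
    {
        $token = session('api_token');
        if ($token === null) {
            return null;
        }
        try {
            $res = $this->http->get($path, [
                'headers' => ['Authorization' => 'Bearer ' . $token, 'Accept' => 'application/json'],
            ]);
        } catch (ClientException $e) {
            $resp = $e->getResponse();
            if ($resp !== null && $resp->getStatusCode() === 401) {
                session()->forget(['api_token', 'api_user']);
            }
            return null;
        }
        return json_decode((string) $res->getBody(), true);
    }
}

// app/Http/Middleware/RequireApiToken.php
// Frontend-side guard: pages that need the API redirect to /login when the session
// holds no token. Apply it to the relevant routes in routes/web.php.
namespace App\Http\Middleware;

class RequireApiToken
{
    public function handle($request, \Closure $next)
    {
        if (!$request->session()->has('api_token')) {
            return redirect('/login');
        }
        return $next($request);
    }
}
```

This is the "set my own sessions" option from the question, done so that the token itself only ever travels between the frontend server and the API; the browser only holds the frontend's session cookie. The API side still needs the auth middleware mentioned above, since the frontend session says nothing about whether the token is still valid.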