First important information: I’m new to Laravel, so your patience is appreciated.
I’m currently migrating a framework of mine to Laravel and still in the early stages. I know that Laravel has it’s own database construction mechanism that is recommended to use the migrations and the Models, however, for my purpose, I’d like to use my own database that I use in other systems that I’ve built in the past. The idea for this system is to have a shared database, but operable through different tech stacks.
This is my current scenario:
Laravel 8
Sanctum 2.14
Frontend (Laravel):
I’ve built a very simple login page that has a controller and sends data (user and password) to my backend (Laravel). In the backend (different server), I grab the data and check if the data is correct. Being correct, I send a json response with some data, like:
returnStatus = true
loginVerification = true
IDCrypt = asdfasd4fa654sd54a (encrypted ID to grab in the frontend again)
Up till here, it’s working fine, as I wanted and very similar to my legacy systems.
My idea would be to get this response in the frontend, via auth token managed by Sanctum and use a middleware to check the token in order to let the user access some web routes.
I’ve watched some videos, but I’m only finding videos that use all the database mechanism that Laravel provides.
However, my intention would be to generate the token with data from my own table and data objects I created (without any existing Laravel´s models).
Is there a way for me to do this?
How would I set the token in the backend and include in my response?
How would I grab the token in the frontend in a secure way?
Lets say you have a model LegacyUser and this is your existing authenticable entity.
In this model simply override methods defined in the Laravel\Sanctum\HasApiTokens trait. Specifically createToken and the tokens relation for your use case by the sounds.
Then you can create tokens anywhere like usual with
$user = LegacyUser::find( $id );
$token = $user->createToken('token-name');
Then us the token as usual.
NOTE: if you're also changing how the tokens are stored/retrieved you'll need to set the token model, docs cover that here: https://laravel.com/docs/8.x/sanctum#overriding-default-models
If you want to avoid using authenticable entites (ie, no laravel models) entirely that's going to be more complicated and Passport might be a better shout, as client_credentials dont need to be associated to a user entity.
Alternatively: Write your own middleware that is compatbile with your existing auth process.
Related
We built an API (which currently contains just a single route) to give access to specific data to another company we are working with.
The API calls this other company performs to our endpoint are server-side.
The API has been created with Laravel 8.
To give more context to the question, our system gathers coordinates that are sent by our GPS devices, and we want to give access to the coordinates of a specific set of GPS devices to the other company.
The coordinates are stored in our database, and the API route is just doing a SELECT query which is only allowed to access the data of these specific devices.
Searching around the internet, I saw that Laravel Sanctum can help providing API tokens to consume an API. My question is, can we use Laravel Sanctum for the current workflow? Is it suitable?
The examples on the documentation demonstrate we can do something like this:
$user->createToken('token-name', ['server:update'])->plainTextToken;
But, in my case, there is no user for the other company. If Laravel Sanctum is ok for that, should I create a specific user representing this company? or maybe another Model (and database table) just for companies? Even if we only have one in our case.
A token can be generated for any model that has HasApiTokens trait.
Since you need it for authentication purpose, I think the easiest solution is to create a user that represents the company and generate a token for that user.
This way, if the user call the API with a correct token, Sanctum will authenticate the user and you can get the user using Auth::user() in the API action method.
I want to create a new Laravel 5.8 based application using the database of an old PHP based application.
The problem is: My previous project uses five tables to store user-related information and all of those tables are used during login (to set session data).
Those tables are user_account, user_role, user_partner_portal, user_access_control, and user_control_access_right.
The relationship between those tables are in the below images:
By default, laravel uses users table to handle authentication and I don't know how to customize Laravel login system so that I can use all of those five tables during login to authenticate a user and also store the user-related information into the session.
I am primarily using CodeIgniter for all of my projects and it is very easy to do that authentication using CodeIgniter. But I am new in Laravel, so I can't figure it out.
So my question is: Is it possible using laravel to design such an authentication system? If yes then how?
TIA
So laravel uses LoginController class for the login. Inside there you are going to find the function authenticate.
Laravel put's the predefined logic there but if you want to make it really custom like update all your tables etc etc you are free to do it.
You can even create your own class and change the login route to point to your own controller. Basically you can do anything you like.
I have written an api for a project that uses, oauth2 to authenticate users, and lock down that api to only people with an access token, and it works fantastically well, we have a route group that looks like this,
Route::group(array('prefix' => 'api', 'before' => 'oauth'), function() {
});
The problem I am now facing is that scope of the project has changed and we need to extend the api a little bit. Basically at the moment, the API is used to create projects, and a project a can have a team that can CRUD a project.
The scope has changed now so that a project can also have client user who can follow a unique link to monitor the progress of the project, and update certain aspects of the project.
The problems are 2 fold,
1) You cant do anything on our API without an access token, so even a GET request for data to build the page would be turned down for a client user.
2) To get a access token you need a username and password. The key thing for a client user is that do not need to login, they should be able to just get a unique URL in email, and then load the project.
I figure that creating a custom grant type would be the best solution is that correct? If that is correct does anyone have any guidance on creating one?
If that is not the best way what other options do I have available to me?
I am developing a web application in Laravel. Now I'm in the process of creating an android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the request.
My idea is to create a unique token for every session, and store it in a database. So, every request need the token be included, and my backend will check if the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create an return the token?
I read the documentation and some articles in the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id anytime you call any of your api's to authenticate the user.
You can create a filter named custom_authentication and check for the token validity inside that filter. Now just apply this filter before every routes, which you want to be authenticated.
Using only simple authentication token is not very secure, you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.
While building my SPA with angularJS, i came to the point where i want to implement user authentication in my angularJS website. However, i have no idea where to start and what the best practices are.
Basically i have a sure that can have one or more roles. I've looked for examples so i could get a basic understanding of how to handle this properly, but so far i've only came across examples that are very simple or are not so secure (like this).
So my question is, how to I implement a authentication service using REST (or custom API urls) to authenticate a user, and then display the user information on the page using angularJS, while also ensuring best security coverage by using (for example) the csrf token from Laravel?
Thanks in advance,
Nick van der Meij
I'm making an AngularJS app and an API RESTful made with Laravel 5 for the backend, and my approach for the authentication was:
Installed jwt-auth. Basically extends the Auth model of Laravel adding authorization with tokens.
Added simple role package to laravel. I used permiso. Has multiple roles/user and permissions/role. Very simple.
Added jStorage to frontend. (you can use AngularJS module instead).
So the steps are:
Frontend send user credentials (email and pass).
Server checks, jwt-auth makes a token to that user and send it backs.
Frontend save the token on the browser storage (no csrf needed with this approach).
All next calls to the API are made with Authorization: Bearer header (or with ?token=... )
I like the same approach that #neoroger takes using JSON Web Tokens with jwt-auth. I used the Satellizer package for storing the token on the front end and to send it along with each request to the API afterwards.
I put together a couple tutorials that show how to implement the two packages if you are interested:
https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps
http://ryanchenkie.com/token-based-authentication-for-angularjs-and-laravel-apps/