I am working on a React Native application for a website made in Laravel, so all of its APIs are based on Laravel.
I am facing a problem with the CSRF token when making POST requests to the Laravel backend. Every time I get a response of "Page is Expired".
I have done some research on the issue and found that CSRF tokens are generated by Laravel by default for security purposes. My question is how I can connect to the Laravel API.
One solution that was suggested is to use JWT tokens, but that's really not a feasible solution for me, and I am not sure how to implement JWT authentication in Laravel.
Another solution I have read is that whenever we visit a page made using Laravel, window.csrfToken can be accessed in the window object, which is the token I need for making the API calls. Is it true? And if it is, how can I get that in a React Native application (should I make a GET request for the website and try to get the token from there; is it possible?)
One more solution I can think of is that we can bypass some routes in the Laravel middleware so that the token is not checked.
I need some suggestions on the issue. I also need to know whether the above solutions are correct or not and which one I should use.
Thanks
Super strange issue.
I have an SPA Nuxt JS app and a Laravel 8 API to power it.
I got Sanctum to authenticate my SPA, but here is the deal: on page load, before you log in, I am making 3 API calls to get some data to display. Now these three calls all set XSRF cookies and they all create sessions in the Laravel session directory.
After that it uses one of these sessions, but I do not understand why the call to a data endpoint would create an extra session?
These are API endpoints in the API routing file, and they do not have any unusual stuff there. Any ideas what it could be?
To my understanding I should not get any session for that!
I've dropped the exact config I am using in the description of a related problem right here: Laravel API (Sanctum) + nuxt auth - weird cookies behaviour, I don't get it
I'm currently using Laravel 5.6 with the Laravel JWT library for a new web app.
I would like to store the JWT in a cookie without using a conventional session, but there doesn't seem to be an easy way of going about this with the JWT library.
In my Auth controller I return the token in a cookie, but Laravel still starts a session, which I don't want since I want the session inferred from the cookie.
I also went into Kernel.php and removed some of the session stuff from the web middleware group, but then that caused a runtime exception saying "Session store not set on request."
I've seen some hacked-together solutions that were half implemented, but I would like to hear some insight from anyone who has done this elegantly or felt like their solution was correct.
Thanks
For my purpose I determined that using encrypted cookies will suffice for the web application (using Redis as a cache), and then using JWTs for the mobile API.
I am making a web app with React 4 and Lumen as the backend API. I made a login form using a username and password, but I don't know how I can log the user in and kick them out of the page if the user is not logged in.
I looked at many login examples for React, but almost all of them use Redux, and I am a newbie at this, so it is very complex for me.
I want to learn this logic, meaning how can I use it and why? How can it be stored securely? How can I protect the user in React like a PHP session does? How can I use auth middleware like in Laravel?
Could I use a session in React? Is it possible?
No one has made an app like the one I described. I don't want to use Express and Node.js. I am using a PHP server on the backend.
Please help me.
React will be on a different server, just like the PHP server; you will communicate through a REST API. REST is a stateless protocol, so you can't use the PHP session inside a React application. The recommended way to solve this issue is to introduce JWT in the backend. Use jwt-auth; this reference is for that.
I am researching how to develop an API-consuming application using Laravel, Laravel Passport, Lumen and AngularJS.
I have 3 domains as follows:
auth.dev - Laravel 5.4 + Passport OAuth server (as an auth server)
api.dev - Lumen (as an API server)
app.dev - PHP + AngularJS (single page app)
I cannot properly configure those 3 together. I have set up auth.dev and it successfully generates tokens, and I can use them from app.dev.
But my requirement is to use 3 separate instances for API, Auth and APP.
I tried to configure it via Lumen (to validate access tokens with auth.dev) but it is not working.
Is this possible, or are there any suggestions to achieve this?
I have recently been working on an implementation that is identical to this. It took a little bit of effort to make it work efficiently, but it's working!
Basically, if you care about validating the tokens you're receiving (which you should), you will need a way to forward the token that Lumen receives from client applications onto your OAuth service and return some details of that authentication to your Lumen app.
If you know that your Lumen API service is always going to run on the same machine, you could use some sort of RPC to save going over HTTP unnecessarily - I used a command line interface via a custom Artisan command in the OAuth service and a custom script to run it from the Lumen side which I call RemoteArtisan.
The other method is via HTTP, basically making your OAuth service provide its own very basic API endpoint. Something like this in routes/api.php should do:
use Illuminate\Http\Request; // needed for the Request type hint on the closure

// Passport's 'client' middleware rejects requests that do not carry a valid access token.
Route::middleware('client')->get('user', function (Request $request) {
    // Look up the owner of the bearer token Lumen forwarded and return the details as JSON.
    $helper = new App\FirstPartyClientHelper;
    return response()->json($helper->getTokenOwnerDetails($request->bearerToken()));
});
My FirstPartyClientHelper is a simple class that parses the token to get the ID out of it and uses that to fetch the resources from the OAuth DB that I want to send back to Lumen. You might not need to do lots of queries or send lots of data here; it could just be a simple pass/fail. Depends on your needs.
One thing I would recommend figuring out and sending back to your Lumen app though is what scopes were assigned to the token. You'll probably want to use these along with the various scope middleware available in Passport.
The only option here at the moment is to duplicate those middleware classes (CheckScopes and CheckForAnyScope) into your Lumen app and load them manually. But this is pretty straightforward as they're basic.
You may need to modify them so that they can see the scopes that come back from your OAuth endpoint through your Authenticatable class (typically the User model).
Either of these solutions is going to add some overhead to each request, so it's worth thinking about caching the result of this for some time on the Lumen end.
If you do that though, make sure it's not cached for a long time because it could allow expired tokens to still be considered as valid.
Alternatively, store the expiry time of the token somewhere in your cache and validate that against the time of the request to make sure the token hasn't expired.
Hope this helps.
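The Lumen side of the HTTP approach above, as an added example (not the answerer's code): a route middleware that forwards the bearer token to the Passport server's user endpoint, fails closed on any error, and caches the owner details for no longer than the token's remaining lifetime, so a cached entry can never outlive the token. It assumes Guzzle is installed, facades are enabled in bootstrap/app.php, the endpoint lives at the hypothetical URL https://auth.dev/api/user, and the auth server's JSON includes an "expires_at" timestamp alongside the owner's id and scopes.

```php
<?php
// Added example, not the answerer's code. Assumes Guzzle, Lumen facades, and an
// auth-server response shaped like {"id": 1, "scopes": ["read"], "expires_at": "..."}.
namespace App\Http\Middleware;
use Closure;
use GuzzleHttp\Client;
use GuzzleHttp\Exception\GuzzleException;
use Illuminate\Support\Facades\Cache;

class ValidateRemoteToken
{
    const AUTH_USER_URL = 'https://auth.dev/api/user'; // hypothetical; host taken from the question
    const MAX_CACHE_SECONDS = 300;                      // policy cap, independent of token lifetime

    public function handle($request, Closure $next)
    {
        $token = $request->bearerToken();
        if ($token === null) {
            return response()->json(['error' => 'missing bearer token'], 401);
        }
        // Key the cache on a hash so the raw token never sits in the cache store.
        $key = 'remote-token:' . hash('sha256', $token);
        $owner = Cache::get($key);
        if ($owner === null) {
            try {
                $res = (new Client(['timeout' => 3]))->get(self::AUTH_USER_URL, [
                    'headers' => ['Authorization' => 'Bearer ' . $token, 'Accept' => 'application/json'],
                ]);
                $owner = json_decode((string) $res->getBody(), true);
            } catch (GuzzleException $e) {
                return response()->json(['error' => 'invalid token'], 401); // fail closed on 4xx or transport errors
            }
            if (!is_array($owner) || empty($owner['expires_at'])) {
                return response()->json(['error' => 'invalid token'], 401);
            }
            // Cache until the earlier of the token's expiry and the policy cap; a DateTime
            // expiry works whether Cache::put expects minutes (5.x) or seconds (5.8+).
            $until = min(strtotime($owner['expires_at']), time() + self::MAX_CACHE_SECONDS);
            Cache::put($key, $owner, (new \DateTime())->setTimestamp($until));
        }
        // Re-check expiry on every request, cache hit or not (the answer's final point).
        if (strtotime($owner['expires_at']) <= time()) {
            Cache::forget($key);
            return response()->json(['error' => 'token expired'], 401);
        }
        $request->attributes->set('token_owner', $owner); // scopes available to downstream scope checks
        return $next($request);
    }
}
```

Register it with $app->routeMiddleware(['remote.auth' => App\Http\Middleware\ValidateRemoteToken::class]) in bootstrap/app.php and apply it to the API routes that need a validated token.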
So I'm building an API for a client. I decided to use Laravel 5; everything works fine except for posting data. I looked online for answers and they all said to include the Laravel {{csrf_token()}} function; however, my Angular app is a completely separate app on another server from the Laravel API. What are some best practices for me to fix this issue?
You can disable CSRF for that page and add basic auth (or any API authentication) instead.
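What that answer looks like in Laravel 5, as an added example (not the answerer's code): the CSRF exemption is scoped to the API prefix only, and the exempted routes get their own authentication via the built-in auth.basic middleware. It assumes the separate client calls routes under an "api" prefix and a hypothetical ItemController; the exemption list should never widen to '*', which would also strip CSRF protection from browser-submitted forms.

```php
<?php
// Added example, not the answerer's code. Two files shown together:
// app/Http/Middleware/VerifyCsrfToken.php and the route file.
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    // URIs excluded from CSRF verification. Keep this to the stateless API prefix
    // that the separate Angular client calls; do not use '*' here.
    protected $except = [
        'api/*',
    ];
}

// routes/web.php (app/Http/routes.php on Laravel 5.0-5.2). Routes exempted above
// must carry their own authentication: here HTTP basic auth, which must only be
// served over HTTPS since the credentials travel on every request.
Route::group(['prefix' => 'api', 'middleware' => 'auth.basic'], function () {
    Route::post('items', 'ItemController@store'); // hypothetical controller
});
```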