How to share SESSION between LARAVEL user and GUZZLE - php

I am using Guzzle from my Laravel application to CURL into another Laravel application.
The user database is shared between these apps and both use the same session table in a common database.
I want to pass the session from the first Laravel app (which users access directly) to the nested Laravel apps (which users access through a Guzzle request).
The first Laravel app is a front end that acts as a subdirectory, or something similar to a reverse proxy: it gets the user request, delivers the requested page by making a Guzzle request and returns the response.
I have followed the instructions of this blog, but due to the difference in user-agent etc. between the Guzzle request and the user's request, it does not work.
Is there any way to make Guzzle use an existing session from another Laravel app and user agent?

Related

Sanctum creates extra sessions, but why?

Super strange issue.
I have SPA Nuxt JS app and Laravel 8 API to power it.
I got Sanctum to authenticate my SPA, but here is the deal - on page load, before you log in, I am making 3 API calls to get some data to display. Now these three calls all set XSRF cookies and they all create sessions in the Laravel session directory.
After that it uses one of these sessions, but I do not understand why a call to a data endpoint would create an extra session?
These are API endpoints in the API routing file, and there is no unusual stuff there. Any ideas what it could be?
To my understanding I should not get any session for that!
I've dropped the exact config I am using in the description of a related problem right here: Laravel API (Sanctum) + nuxt auth - weird cookies behaviour, I don't get it

Is there a way to protect visitor from directly accessing api url through browser in Laravel Sanctum

Is there a way to protect visitors from directly accessing the API URL through the browser in Laravel Sanctum without the user having to authenticate? I am building a quiz app and I want to block visitors from directly accessing the API URL through the browser.
In the documentation, it is stated that the user has to authenticate in order to protect API routes with the auth middleware, but in the quiz app I want users to play even without having to authenticate.
I am building a quiz app and I want to block visitors from directly accessing the API URL through the browser.
[ .... ]
but in the quiz app I want users to play even without having to authenticate.
If the gateway to your service is gonna be the API, you've contradicted yourself.
As for the concept itself, surely you can create an API which allows guests as well. I don't think you need Laravel Sanctum after all; you could start with the original Laravel distribution.

How to use Laravel passport for Auth and Lumen as api

I am researching how to develop an API-consuming application using Laravel, Laravel Passport, Lumen and AngularJS.
I have 3 domains as follows:
auth.dev - Laravel 5.4 + Passport OAuth server ( as an auth server )
api.dev - Lumen ( as an API server )
app.dev - PHP + AngularJS ( single page app )
I cannot properly configure those 3 together. I have set up auth.dev and it successfully generates tokens, and I can use them from app.dev.
But my requirement is to use 3 separate instances for API, Auth and APP.
I tried to configure it via Lumen ( to validate access tokens with auth.dev ) but it is not working.
Is this possible, or are there any suggestions to achieve this?
I have recently been working on an implementation that is identical to this. It took a little bit of effort to make it work efficiently, but it's working!
Basically, if you care about validating the tokens you're receiving (which you should), you will need a way to forward the token that Lumen receives from client applications onto your OAuth service and return some details of that authentication to your Lumen app.
If you know that your Lumen API service is always going to run on the same machine, you could use some sort of RPC to save going over HTTP unnecessarily - I used a command line interface via a custom Artisan command in the OAuth service and a custom script to run it from the Lumen side which I call RemoteArtisan.
The other method is via HTTP, basically making your OAuth service provide its own very basic API endpoint. Something like this in routes/api.php should do:
    use Illuminate\Http\Request;

    // Accepts the bearer token forwarded from Lumen and returns the owner's details as JSON
    Route::middleware('client')->get('user', function (Request $request) {
        $helper = new App\FirstPartyClientHelper;
        return response()->json($helper->getTokenOwnerDetails($request->bearerToken()));
    });
My FirstPartyClientHelper is a simple class that parses the token to get the ID out of it and use that to fetch the resources from the OAuth DB that I want to send back to Lumen. You might not need to do lots of queries or send lots of data here, it could just be a simple pass/fail. Depends on your needs.
One thing I would recommend figuring out and sending back to your Lumen app though is what scopes were assigned to the token. You'll probably want to use these along with the various scope middleware available in Passport.
The only option here at the moment is to duplicate those middleware classes (CheckScopes and CheckForAnyScope) into your Lumen app and load them manually. But this is pretty straightforward as they're basic.
You may need to modify them so that they can see the scopes that come back from your OAuth endpoint through your Authenticatable class (typically the User model).
Either of these solutions is going to add some overhead to each request, so it's worth thinking about caching the result of this for some time on the Lumen end.
If you do that though, make sure it's not cached for a long time because it could allow expired tokens to still be considered as valid.
Alternatively, store the expiry time of the token somewhere in your cache and validate that against the time of the request to make sure the token hasn't expired.
Hope this helps.
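As an added example (not the answer author's code), here is what the Lumen side of the HTTP variant above can look like: a middleware that forwards the bearer token to the auth server's /api/user route from the answer, caches the reply for no longer than the token's remaining lifetime, and performs the same scope check Passport's CheckScopes does. It assumes the auth.dev host from the question, that the auth server's JSON reply carries `scopes` and `expires_at` fields, and that a Guzzle client and a cache store are resolvable from the Lumen container; the class and constant names are my own.

```php
<?php
namespace App\Http\Middleware;
use Closure;
use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;
use Illuminate\Contracts\Cache\Repository as Cache;
use Illuminate\Http\Request;

class VerifyRemoteToken
{
    const AUTH_BASE_URL = 'https://auth.dev'; // assumption: the Passport host from the question
    const MAX_CACHE_SECONDS = 60;             // hard cap so revoked tokens age out quickly
    private $cache, $http;

    public function __construct(Cache $cache, Client $http) { $this->cache = $cache; $this->http = $http; }

    public function handle(Request $request, Closure $next, ...$scopes)
    {
        $token = $request->bearerToken();
        // Cache key is a hash so the store never holds the raw credential.
        $key = 'remote-token:' . hash('sha256', (string) $token);
        $owner = $token === null ? null : $this->cache->get($key);
        if ($token !== null && $owner === null && ($owner = $this->lookup($token)) !== null) {
            // TTL = min(cap, seconds left on the token); a DateTime works with old and new cache APIs.
            $ttl = min(self::MAX_CACHE_SECONDS, max(0, strtotime($owner['expires_at']) - time()));
            $this->cache->put($key, $owner, (new \DateTime())->modify("+{$ttl} seconds"));
        }
        if ($owner === null || strtotime($owner['expires_at']) <= time()) {
            return response()->json(['error' => 'missing, invalid or expired token'], 401);
        }
        foreach ($scopes as $scope) { // the check Passport's CheckScopes performs
            if (!in_array($scope, $owner['scopes'], true)) {
                return response()->json(['error' => "missing scope {$scope}"], 403);
            }
        }
        $request->attributes->set('token_owner', $owner);
        return $next($request);
    }

    // Forward the token to the auth server's /api/user route; null on any 4xx/5xx or network error.
    private function lookup($token)
    {
        try {
            $res = $this->http->get(self::AUTH_BASE_URL . '/api/user', ['timeout' => 3,
                'headers' => ['Authorization' => "Bearer {$token}", 'Accept' => 'application/json']]);
        } catch (RequestException $e) {
            return null;
        }
        $body = json_decode((string) $res->getBody(), true);
        return is_array($body) && isset($body['expires_at'], $body['scopes']) ? $body : null;
    }
}
```

Register it in bootstrap/app.php with `$app->routeMiddleware(['remote-token' => App\Http\Middleware\VerifyRemoteToken::class])` and attach it to routes as `remote-token:scope-a,scope-b`.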

Securing a Codeigniter Restful API accessed via Angular

I am creating a RESTful server using CodeIgniter that will be accessed via a PhoneGap mobile app. I am not sure how to properly secure the API.
I am using this REST library: https://github.com/chriskacerguis/codeigniter-restserver
This post was helpful, but I have questions: Security PHP RESTful API
I set up CodeIgniter to store sessions in a table. I have secured it using SSL.
Is a session ID the same thing as a token?
Do I need to set anything manually in an Auth header? If so, which side? On the REST server or in Angular?
I should point out that there are two facets to the app. One part behind a login, and one not.
Assign a token (random string) to each user account. Users should request all web services with a token.
Validate the token on behalf of each user and then expose data.

Laravel 4 Auth With Token

I asked a question about the right way to structure a project with Laravel 4. I currently am making an API (to support a mobile app) and a web app to serve as the backend.
1) What would be the best practice for this? Two installations (the web app would get data via the API (what I have done))? Using one Laravel installation with namespaces? One Laravel installation with folders?
2) I have made a custom auth driver for Laravel and got it working. In the return on login I return an API token which I need for subsequent calls. I understand that in Laravel only the ID of the user is saved; how would I make the API token saved as well when Auth::check() passes? Some of this stuff is making me question whether it is bad to use Laravel in this setting, decoupled from the DB, because it makes Eloquent not an option.
I have 2 separate installations - one for the API and one for the web (which uses this API).
Don't bother with the additional cost of +-50MB of another installation - separate them!
AUTH
On each request I set an 'Access-Token' header on the client side. This token is then read on the API side with Header::get('Access-Token'). Then I store the authenticated user just for this one and only request - the API should be stateless (no user data in session, require auth on each request).
Among other things I also check the Accept and Content-Type headers - my API only accepts application/json and sports responses in application/json format as well.
