Sanctum creates extra sessions, but why? - php

Super strange issue.
I have SPA Nuxt JS app and Laravel 8 API to power it.
I got the Sanctum to authenticate my SPA but here is the deal - on page load before you log in I am making 3 API calls to get some data to display. Now these three calls they all set XSRF cookies and they all create sessions in Laravel session directory.
After that it uses one of these sessions but I do not understand why the call to data endpoint would create extra session?
These are API endpoints in the API routing file, and do not have any unusual stuff there. Any ideas what it could be?
To my understanding I should not get any session for that!
I've dropped exact config I am using in description of related problem right here: Laravel API (Sanctum) + nuxt auth - weird cookies behaviour, I don't get it

Related

Connecting React Native App to Laravel Backend

I am working on a react native application for a website which is made in Laravel so all of its APIs are based on Laravel.
I am facing a problem with the CSRF token when making POST requests to the Laravel backend. Every time I get a response of "Page is Expired".
I have done some research on the issue and found that CSRF tokens are generated by Laravel by default for security purposes. My question is how can I connect to Laravel API.
One solution which was suggested is to use JWT tokens but that's really not a feasible solution for me and I am not sure how to implement JWT Authentication in Laravel.
Another solution which I have read is that whenever we visit a page made using Laravel, window.csrfToken can be accessed in the window object, which is the token I need for making the API calls. Is it true? And if it is, how can I get that in a React Native application (should I make a GET request for the website and try to get the token from there, is it possible?)
One more solution I think is that we can bypass some routes in Laravel middleware so that the token is not checked.
I need some suggestions on the issue. I also need to know whether the above solutions are correct or not and which one I should use.
Thanks

How to share SESSION between LARAVEL user and GUZZLE

I am using Guzzle from my Laravel application to CURL into another Laravel application.
The user database is shared between these apps and both use the same session table in a common database.
I want to pass the session from the first Laravel app (which users have access to directly) to the nested Laravel apps (which users have access to through a Guzzle request).
The first Laravel app is a front that acts as a subdirectory or somehow similar to a reverse proxy, getting the user request and delivering the requested page by making a Guzzle request and returning the response.
I have followed the instructions of this blog but due to the difference of user-agent etc. between the request of Guzzle and the user, it does not work.
Is there any way to make Guzzle use an existing session from another Laravel app and user agent?

Laravel JWT in Cookie Without Session

I'm currently using Laravel 5.6 with the Laravel JWT library for a new web app.
I would like to store the JWT in a cookie without using a conventional session but there doesn't seem to be an easy way of going about this with the JWT library.
In my Auth controller I return the token in a cookie, but Laravel still starts a session which I don't want since I want the session inferred from the cookie.
I also went into Kernel.php and removed some of the Session stuff from the web middleware group but then that caused a runtime exception saying "Session store not set on request."
I've seen some hacked together solutions that were half implemented, but I would like to hear some insight from anyone that has done this elegantly or felt like their solution was correct.
Thanks
For my purpose I determined that using encrypted cookies will suffice for the web application (using Redis as a cache), and then using JWTs for the mobile API.

How to use Laravel passport for Auth and Lumen as api

I am researching how to develop an API-consuming application using Laravel, Laravel Passport, Lumen and AngularJS.
I have 3 domains as follows:
auth.dev - Laravel 5.4 + Passport OAuth server (as an auth server)
api.dev - Lumen (as an API server)
app.dev - php + angularjs (single page app)
I cannot properly configure those 3 together. I have set up auth.dev and it will successfully generate tokens and I can use them from app.dev.
But my requirement is to use 3 separate instances for API, Auth and APP.
I tried to configure it via Lumen (to validate access tokens with auth.dev) but it is not working.
Is this possible, or are there any suggestions to achieve this?
I have recently been working on an implementation that is identical to this. It took a little bit of effort to make it work efficiently, but it's working!
Basically, if you care about validating the tokens you're receiving (which you should), you will need a way to forward the token that Lumen receives from client applications onto your OAuth service and return some details of that authentication to your Lumen app.
If you know that your Lumen API service is always going to run on the same machine, you could use some sort of RPC to save going over HTTP unnecessarily - I used a command line interface via a custom Artisan command in the OAuth service and a custom script to run it from the Lumen side which I call RemoteArtisan.
The other method is via HTTP, basically making your OAuth service provide its own very basic API endpoint. Something like this in routes/api.php should do:
    Route::middleware('client')->get('user', function (Request $request) {
        $helper = new App\FirstPartyClientHelper;
        return response()->json($helper->getTokenOwnerDetails($request->bearerToken()));
    });
My FirstPartyClientHelper is a simple class that parses the token to get the ID out of it and use that to fetch the resources from the OAuth DB that I want to send back to Lumen. You might not need to do lots of queries or send lots of data here, it could just be a simple pass/fail. Depends on your needs.
One thing I would recommend figuring out and sending back to your Lumen app though is what scopes were assigned to the token. You'll probably want to use these along with the various scope middleware available in Passport.
The only option here at the moment is to duplicate those middleware classes (CheckScopes and CheckForAnyScope) into your Lumen app and load them manually. But this is pretty straightforward as they're basic.
You may need to modify them so that they can see the scopes that come back from your OAuth endpoint through your Authenticatable class (typically the User model).
Either of these solutions is going to add some overhead to each request, so it's worth thinking about caching the result of this for some time on the Lumen end.
If you do that though, make sure it's not cached for a long time because it could allow expired tokens to still be considered as valid.
Alternatively, store the expiry time of the token somewhere in your cache and validate that against the time of the request to make sure the token hasn't expired.
Hope this helps.
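The caching and scope advice in the answer above, as an added example that is not part of the original post or of Passport/Lumen: a framework-free PHP 8 sketch in which the class name, the injected introspection callable and the `expires_at`/`scopes` response fields are all assumptions. The in-memory array stands in for whatever shared cache the API service uses.

```php
<?php
// Hypothetical names throughout: CachedTokenValidator, $introspect and the
// 'expires_at' / 'scopes' fields are assumptions, not Passport or Lumen APIs.
final class CachedTokenValidator
{
    public int $upstreamCalls = 0;
    private array $cache = [];   // stand-in for a shared cache (Redis, memcached, ...)

    /** @param callable(string): ?array $introspect asks the OAuth service; null means rejected */
    public function __construct(private $introspect, private int $maxTtl = 60) {}

    public function validate(string $bearer, array $requiredScopes, ?int $now = null): ?array
    {
        $now ??= time();
        $key = hash('sha256', $bearer);   // do not use the raw token as a cache key
        $entry = $this->cache[$key] ?? null;

        if ($entry === null || $entry['cached_until'] <= $now) {
            $this->upstreamCalls++;
            $details = ($this->introspect)($bearer);
            if ($details === null) {
                unset($this->cache[$key]);
                return null;
            }
            // Cache briefly, and never past the token's own expiry time.
            $entry = [
                'details' => $details,
                'cached_until' => min($now + $this->maxTtl, $details['expires_at']),
            ];
            $this->cache[$key] = $entry;
        }

        $details = $entry['details'];
        // Re-check expiry on every request, then require every requested scope.
        $ok = $details['expires_at'] > $now
            && array_diff($requiredScopes, $details['scopes']) === [];
        return $ok ? $details : null;
    }
}

// Constructed sample: a fake OAuth service that knows a single token.
$v = new CachedTokenValidator(fn (string $t): ?array => $t === 'sample-token'
    ? ['user_id' => 7, 'scopes' => ['read'], 'expires_at' => 1090] : null);
$cases = [[['read'], 1000], [['read'], 1030], [['write'], 1030], [['read'], 1095]];
foreach ($cases as [$scopes, $now]) {
    $res = $v->validate('sample-token', $scopes, $now);
    printf("t=%d scopes=%s -> %s (upstream calls: %d)\n", $now,
        implode(',', $scopes), $res !== null ? 'allow' : 'deny', $v->upstreamCalls);
}
```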

Laravel 4 Auth With Token

I asked a question about the right way to structure a project with Laravel 4. I currently am making an API (to support a mobile app) and a web app to serve as the backend.
1) What would be the best practice for this? Two installations (the web app would get data via the API, which is what I have done)? Using one Laravel installation with namespaces? One Laravel installation with folders?
2) I have made a custom auth driver for Laravel and got it working. In the return on login I return an API token which I need for subsequent calls. I understand that in Laravel, only the ID of the user is saved; how would I make the API token saved as well when Auth::check() passes? Some of this stuff is making me question if it is bad to use Laravel in this decoupled-from-the-db setting because it makes Eloquent not an option.
I have 2 separate installations - one for API and one for web (which uses this API).
Don't bother with additional cost of +-50MB of another installation - separate them!
AUTH
On each request I set the 'Access-Token' header on the client side. This token is then read on the API side with Header::get('Access-Token'). Then I store the authenticated user just for this one and only request - the API should be stateless (no user data in session, require auth on each request).
Among other things I also check the Accept and Content-Type headers - my API only accepts application/json and sports responses in application/json format as well.
