Building API backend in Laravel for React.js SPA and React-Native mobile app. Previously I'd use Laravel/ui auth system but now when I'm doing SPA over APIs it's not quite simple anymore so I have issues of developing the authentication.
Saw many tutorials and forums but most of them do the most basic hashed password + token. But doing just username check then password verification check and generating a token seems rather unsafe.
What are best practices for actually doing user authentication for APIs? Or is there some package to ease things so I don't have to reinvent something that is already hard enough?
Here are some:
JWT
Laravel Passport
Laravel Sanctum
In general, checking the username and password matching doesn't have to be unsafe if you implement a good password validation policy (Checking numbers, uppercase, lowercase). But if you're really have high security requirements for your application you can implement 2FA (Two Factors Authentication).
Laravel Fortify can help you with this.
Related
I have a scenario, we have an PHP based website through which the users login using credentials stored in a database. Now we have another SPA website with .NET CORE as API layer.We don't have an option of having a central authentication server like Azure. If I want to let the users of SPA to access the website since they have already been authenticated in PHP, What should I do? Can PHP generate a JWT to pass it to API? How does that JWT then gets to SPA and how do I validate it? Please be kind as I am a newbie to website programming.
Json Web Tokens are a very specific format for a Bearer token. There are protocols like OpenID Connect that provide more structure around the login and trust process but at their heart, JWTs are just BASE64 encoded json with a verification hash.
You can roll your own SSO with JWT but as with everything in security, rolling your own comes with significant risks of making a bone head mistake and compromising your security. So research research and research some more if you take this route.
I did a very similar thing but stayed purely in the .net world. I used a .net library to build the JWT (https://learn.microsoft.com/en-us/previous-versions/visualstudio/dn464181(v%3Dvs.114)) and ASP.NET Core Identity to handle verification of the JWT (https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer) so I didn't write the code to actually generate the JWT. There is also only SSL connections made between the servers so some of the risk of the token getting sniffed is mitigated.
There are libraries for PHP to generate JWT or you could stand up your own JWT token provider in any language.
There also may be the possiblility of finding an OpenId Connect provider that could hook into your existing database. Identity Server 4 is one for .net but there may be one to be found in the PHP world. This introduces some overhead but does solve the problem of not having the ability to have a third party OpenId Connect provider.
Its not too terrible but security is one place where you wnat to be absolutely sure you get things right.
Authenticating from another server is SSO. There are lots of ways you could do this, but SSO protocols like OpenID Connect and SAML are specifically designed for what you're trying to do.
However, those protocols are anything but simple. You should try to see if you can find existing libraries to have your PHP application act as an Identity Provider (IdP), and your SPA to act as a Service Provider (SP) using the same protocol.
An idea that's a stretch - you didn't explain WHY you can't use a central authentication server. You might consider something like Keycloak (there are other options - that's the one I've used), which you can self-host, and can serve as either an IdP or an SP using OpenID-Connect or SAML 2.0.
You definitely shouldn't build this from scratch on your own (unless this is a hobby project). Authentication is full of security pitfalls that can trip up even the most experienced programmers.
I am developing a web app using Laravel, But I have to integrate the mobile application in the future. Now I want to ass API Authentication passport. I am a little bit confused how passport API handle multi auth system form multiple user and permission systems. Currently, I am using Laravel default auth to handle user. Is there any library for Laravel multi auth using API Authentication passport??
The thing you have to understand about Passport is that it is nothing more than a Laravel wrapper of the oAuth2 framework, specifically this implementation: https://github.com/thephpleague/oauth2-server
As such, you must understand how the different oAuth2 grant types work. I recommend reading up on oAuth2 to familiarize yourself with the concepts (I personally found this site to be the most helpful for understanding the different grant types: http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/).
Specifically to your question, take a look at Password Grant Tokens (https://laravel.com/docs/5.6/passport#password-grant-tokens) for use in a mobile app. Once you have your token, Laravel handles all the Authentication behind the scenes and you can use Auth::user() as you would normally, assuming you have Passport set up and configured correctly; the user is tied to the token and is independent of any other token and any logged in user.
As for permission systems, Passport uses scopes (https://laravel.com/docs/5.6/passport#token-scopes) which is a handy way of limiting what routes your tokens have access to. Aside from that, permission management for the Auth::user() is the same as any other user using your application.
EDIT:
Passport scopes are used to lock down routes, so they can be used. However, Passport is only concerned with authentication (ie, is this user valid) and NOT with authorization (ie, what can this user do). How you authorize users to do different things is 100% independent of Passport and is up to your web app.
We are currently developing a mobile application and a RESTful API in Laravel 5.6.
I have a question with regard to Laravel Passport, since I have seen some tutorials but I do not understand much what kind of authentication I should use for my RESTful API.
For now we are using "Password Grant Tokens".
Questions
Is it correct to use "Password Grant Tokens" for the authentication of a mobile application?
When Laravel Passport is installed it automatically generates 2 tokens. It is correct to use only these 2 tokens for all my users of the application or I must generate a token for each user.
I hope and you can help me.
Regards
Laravel provides routing for applications in general with their user login/register method.
However; My application is not able to take advantage of the CSRF token and sessions as it's View is powered by Phonegap so i'm forced to use another method of Authentication to ensure all requests from the Phonegap app to the Laravel Routes/Controllers are secure.
Is Laravel passport suitable for this or is OAuth2 used for something different? I just need a bit of guidance as i'm quite new to this method of authentication.
Laravel Passport or oAuth2 for that matter is used to authentic clients (mobile apps or web apps like in your case) to securely use APIs to access data.
So yes Laravel Passport is used to authenticate clients but the way you can use it in your project entirely depends on your exact requirements because if you are just planning to submit forms then you can still do it without using csrf tokens or latsbrl passport or oAuth2 but if you want to build a secure way of allowing tour clients/users to submit and channel data to your backend then yes you should use Laravel Passport.
Laravel 5.3 has a slight challenge interms of implementing laravel passport for APIs and to help you with that i have already written a detailed setup and usage write up here Laravel's 5.3 passport and api routes.
Let me know if you need any help as I have been using oAuth2 and laravel passport recently in almost all of my projects.
I searched for a good time on Google for a Authentication lib for Slim framework but all that came up was single user based authentication with BasicHttpAuth. What are my alternatives here apart from implementing my own auth.
Apart from hashing passwords, I'm not very good with sessions well I know how to work with them but keeping sessions secure is another thing.
I'm currently writing a library to handle that now, but it's in early alpha not yet ready for use. In the meantime, you can refer to this project as an example: https://github.com/jeremykendall/flaming-archer.
Pay special attention to the login route, the Auth DbAdapter, and the Auth middleware.
It uses an array of URIs to secure certain routes, in this case just the admin group of routes.