I am creating a laravel application using two laravel applications. The first laravel application will be used for handling API requests, the second one will be used for making a request to the first laravel application. The second application will also have a login form. On the submit of the login form, I am sending the form data to the first application which in return gives back the user data. Now what I want is to log the user into the second application without using its own database(second application database).
You can use JWT for authentication purposes.
In both MS you must use the same Signing Key
https://jwt-auth.readthedocs.io/en/develop/laravel-installation/
Related
I have a monolith web application powered by Laravel. Users access different forms and some of them have button on them that executes Ajax call to the back-end (example relative endpoint: api/external/get-current-temperature). A back-end function that handles the request than connects to an external service via API and obtain data, writes some log in database and pass data back to requestor (front-end user). But in order to execute any API call it has to authenticate and obtain a Token.
Question:
I have multiple users that can potentially request api/external/get-current-temperature at the same time. How should I handle authorization/token? Should I store it in database and check its expiration time before requesting a new one or what? How would I refresh it? - The external provide has no specific function that could be utilized to verify token. But I know for sure the token is valid 60 minutes.
The users of your application never have to be mixed up / mistaken with your foreign API. You can and should provide you own mechanism (i.e. tokens) to authenticate any users. If users are authenticated the external API is used, else an error-message could be provided by your application.
As users also fill several different form it's quite possible that you save some user-data. If every user has own authentication credentials it's easy and much more secure to provide only the user's own data. If you use for every user the same authentication token in your own application you might get the situation that one user can see data from another user.
So see it like this:
You / your application is the user of the external API, therefore you need only one authenticqation token for it. Your application users use the external API as a service and as that you should provide it in your app. The data though that are provided to the service might differ from user to user.
Example payment application:
The API is always the same, you as developer get an API key, but the payments are for every user of your application differently. As developer you might never even able to see, store or track the user-data that are exchanged between the foreign service and the user, but your app serves as hub and provides perhaps also some products or services that are considered in any payments.
I am creating a new rest API using Laravel 5.6. For API authorization, I have implemented Passport and it is working fine.
However, I want a system where anyone who wants to access any route of my API including register and login that requires token.
I am thinking in this way but not so sure how I can implement in Laravel.
I will issue one static token and will store into database.
I will encrypt that token and will provide to the client in my case
mobile app.
Mobile side the token I will store into shared preference so no one
will have direct access.
When mobile send a request to access any route of API, it has to pass the token in the header with the custom key
API will decrypt the token and match with the database one.
If it matches that will allow accessing the API.
Then later I may use the Passport token to add additional layer or security.
My question is,
How to implement this system in Laravel so I don't have to write code
for every request and all request pass through this validation?
I am developing a backend for mobile app. I have developed a user authentication module where, the app will be sending the username and password as basic auth and if the user is authenticated I will sent back a jwt token which can be used in the rest of the requests.
On the client side, once after a user is logged in, the app shows him a feeds screen which contains some data.
Now do I need to seperate these two APIs? Like once a user is logged in successfully, he will be sent back the jwt token and well some user details. Should I sent the data which is required for the dashboard screen as well as a response for login? In that the case the app will get datas in a single api request (login) and doest have to make another call to my API.
Is this a right approach?
Ideally it should be kept seperately but I think that depends. If making that single request is (and will ever be) the only thing the application does, I see no reason for making 2 requests. You can simplify things by making just 1 request.
But, if your application is going to be extended or if its already got other features i think it is best to keep them seperate. Since then you'll have more flexibility with your application.
Yes ,You should separate those two authentication and dashboard REST API as-
It could be possible that there should be more client app using your Rest API in future and they may not require dashboard data.However you can have mechanism to share user detail in authentication API itself as you are anyway authenticating user .However share access token in authentication api along with it's expiration timestamp .Some of Client app which are using your REST API might have use case of autologout from app based on accesstoken get expire.In such case expiration time would help.
I am developing a web application in Laravel. Now I'm in the process of creating an android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the request.
My idea is to create a unique token for every session, and store it in a database. So, every request need the token be included, and my backend will check if the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create an return the token?
I read the documentation and some articles in the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id anytime you call any of your api's to authenticate the user.
You can create a filter named custom_authentication and check for the token validity inside that filter. Now just apply this filter before every routes, which you want to be authenticated.
Using only simple authentication token is not very secure, you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.
I am building an iOS application and I need to be able to make authenticated requests to a php 5 application for various bits of data. The php 5 application is using codeigniter framework and URLs like https://example.com/controller/function to, for example, authenticate users via twitter... and once authenticated, stores the authentication in a secured cookie named "auth.""
What I want to know is how to authenticate my users from the iOS/iPhone application, persist the authentication token and send it along with future requests to the codeigniter application?
The big picture is that you need to implement something like an api controller in the code igniter app. This controller should have an "auth" method. At some point, you're going to want to pass a hash of the twitter cookie to the ios app. Then, for each subsequent call to the api controller, send along the hash, your code igniter app will associate the hash with the properly authenticated user and allow it access. If anyone else tries to access the api calls, they will either fail to do it, and be denied, or they will supply a guess and be denied.
So from your ios app's perspective, all its subsequent calls (after authentication) will look like:
https://example.com/api/<function name>/<session hash>