JWT token revoke for specific user on deactivate account - php

So far I have created a database table with
user_id, token.
It stores all the logged-in users' tokens.
I have fetched all the tokens from the database by user_id, then looped through them with
JWTAuth::invalidate(new \Tymon\JWTAuth\Token($token->token));
It's not working.
Third-party package: Tymon Laravel JWT
How do I achieve this functionality?

Just adding here the comment of Harpal Singh. It solved my issue.
"You can create a middleware to check if the account is deactivated, then add
JWTAuth::invalidate(new \Tymon\JWTAuth\Token($token->token));
to invalidate the user. By doing this, if a deactivated user tries to access routes, he will not get access."

After a long time tracing the source code, I found this works:
JWTAuth::manager()->invalidate(new Token({YourToken}))
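An added example, not code from the question, the commenters, or the tymon/jwt-auth package, that combines both answers above: a middleware that blacklists the presented token when its user is deactivated, plus a helper that blacklists every stored token for a user at deactivation time, as the question's loop intended. It assumes jwt-auth 1.x with the blacklist enabled (backed by the Laravel cache), a nullable deactivated_at column on users, and a user_tokens table (user_id, token) as described in the question.

```php
<?php
// Added example, not from the question or the tymon/jwt-auth package.
// Assumes: users.deactivated_at (nullable), a user_tokens table (user_id, token),
// and jwt.blacklist_enabled = true (the blacklist is stored in the Laravel cache).
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Token;

class RejectDeactivatedUser
{
    public function handle(Request $request, Closure $next)
    {
        try {
            // Parse the bearer token and resolve its user; expired, malformed
            // and already-blacklisted tokens throw here.
            $user = JWTAuth::parseToken()->authenticate();
        } catch (JWTException $e) {
            return response()->json(['error' => 'Unauthenticated'], 401);
        }
        if (! $user || $user->deactivated_at !== null) {
            // Blacklist this token so it is rejected on every later request,
            // regardless of the lifetime left in its exp claim.
            JWTAuth::manager()->invalidate(JWTAuth::getToken());
            return response()->json(['error' => 'Account deactivated'], 403);
        }
        return $next($request);
    }

    // Call this when the account is deactivated: blacklist every token the app
    // recorded for the user at login. Returns how many were blacklisted.
    public static function revokeAllFor(int $userId): int
    {
        $revoked = 0;
        $rows = DB::table('user_tokens')->where('user_id', $userId)->get();
        foreach ($rows as $row) {
            try {
                JWTAuth::manager()->invalidate(new Token($row->token));
                $revoked++;
            } catch (JWTException $e) {
                // Already expired or unparsable: nothing to blacklist.
            }
        }
        return $revoked;
    }
}
```

Register the middleware on the protected routes; the blacklist entries only need to live as long as the longest token lifetime, which the package handles via its cache TTL.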

Related

Laravel passport oauth/tokens GET API not working

I just installed Passport and added Passport::routes() to my service provider. It gave me these routes: /oauth/token POST, /oauth/tokens GET, /oauth/token/{Token_id} DELETE.
I am using Password Grant Tokens for authentication (https://laravel.com/docs/5.6/passport#password-grant-tokens).
I ran the POST request to make a new token and it created the token just fine. But when I try to run the GET to see all the tokens, it returns an empty array. I have around 10 tokens already generated in my DB.
Shouldn't I be getting a list of all the OAuth tokens that are stored in the database?
If not, is there a way to index all the tokens for admin use?
The GET /oauth/tokens route returns all tokens for the currently authenticated user only, not all users.
To get all tokens, with their associated users, you can use the following.
\Laravel\Passport\Token::with('user')->get()

Laravel Passport No Error Appear If token is expired

I'm starting to learn the Laravel Passport API. I tried to use my tokens and it works fine. When I revoke a specific token it works fine too; it shows the proper output that says
{
"message": "Unauthenticated"
}
But when I tried to use a token that expired 1 day ago, it was still authenticated, which means it doesn't give the same message as when I revoke it.
I'm having the same problem as in this thread:
https://laracasts.com/discuss/channels/laravel/passport-not-erroring-on-expired-token?page=1
I'm wondering if there's another, or a tricky, way to check the expiration date of a specific token on the backend. Recently I found an alternative way to validate expired tokens, which is Laravel's task scheduling, where every minute the system checks whether a token has expired so that it automatically updates its revoked field to true. But I doubt this solution, so I'm still trying to find some other options.
I think I probably found the problem.
You must set the expiration time in AuthServiceProvider by adding Passport::tokensExpireIn(); to the boot section, and the token won't be validated after this time. But the problem is the token won't be revoked automatically, and I don't get why.
Maybe revoked is not meant to be set by Passport and it's only for us.

Laravel Api Token

I have read some tutorials and video tutorials and they explain how to create an api_token.
I know that I have to change the AuthController and add a new field, api_token, when a new user registers. I know that I have to add the auth middleware in the routes, etc.
But what I don't understand is this...
1) A new user registers in the app.
2) The app automatically creates an api_token for the user.
But I wonder how this user will know what its api_token is, because if this user turns off the computer and then returns to the app, how will this user know what its api_token is again? Because he will not register again.
Thanks.
Have a look at Laravel Passport. Laravel Passport uses, for instance, OAuth authorization. If you log in to your application you get an access token and a refresh token. The access token is self-explanatory: you basically get access to the application. The refresh token refreshes your access after a specific amount of time; that value is typically written in a configuration file.

How to manage sessions with Laravel 5.0 as backend

I am developing a web application in Laravel. Now I'm in the process of creating an Android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the requests.
My idea is to create a unique token for every session and store it in a database. So every request needs to include the token, and my backend will check whether the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create and return the token?
I read the documentation and some articles on the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id any time you call any of your APIs to authenticate the user.
You can create a filter named custom_authentication and check for the token's validity inside that filter. Now just apply this filter before every route which you want to be authenticated.
Using only a simple authentication token is not very secure; you need to go with HTTPS always.
If you want to make the API secure over HTTP, you might have to implement OAuth with the help of packages like this.

Auto Authorize Twitter Web App

I am using OAuth to create a way for users of our website to log in using their Twitter account. However, it's quite annoying that every time they click to sign in with their Twitter account they have to grant access each and every time.
Couldn't it work so that if it has been granted once they don't have to keep granting access, therefore removing a step? I'm using the steps found in:
http://net.tutsplus.com/tutorials/php/how-to-authenticate-users-with-twitter-oauth/
Thanks for any feedback!
I found the answer after talking to some developers on the twitterapi IRC.
Basically I was going to https://twitter.com/oauth/authorize with all my OAuth parameters; what I needed to do was go to https://twitter.com/oauth/authenticate instead. That then gives forever authorization.
When the user connects, you receive an access token and a secret token, which are used every time you ask the Twitter API for anything.
If you want your users to stay connected to Twitter, you only have to save those two tokens in your database. (They are user specific; don't use one token for every user.)
When you know these tokens, you don't need to ask the user to grant access; you can directly use them to call the API.
If a user removes rights for your application, you won't be able to use his tokens any more, and you will have to ask him to grant access again.
You need to store the token / token secret you get in a database or other long-term storage method. Then you pass it into the object that does the OAuth authentication so you don't have to keep asking your user. With PHP you can store them in a MySQL or similar database and load them into $_SESSION when the user logs in to pass the values.