This is my first time using laravel sanctum. Before this, I use Laravel Passport for protecting the route.
So the problem is, there are 2 kind of route. Route that need user authentication, like API profile, my order, and inbox. And route that doesn't need user authentication to access, like API version control, splashscreen, and forgot password.
In my last project when using passport, in passport there was client token, that doesn't need user credential to get. Then I use auth_client middleware to protect route that doesn't need user authentication. First I want to ask, is this the correct way?
If that was correct way, and protecting no need login route is recommended, how i do the same thing using laravel sanctum?
I just learn JWT on PHP. I'm a litle bit understand how JWT work on single page. When I implementating on multiple page (page to another page).
Is my implementation true if every user move to another page we have to fill HTTP_AUTHORIZATION with token (bearer code) and in the same time we generate new token ?
Thanks in advance
Conceptually, JWT is a bearer token issued to user after successful login using their username and password.
Normally for mobile app we set long expiry for a JWT token, while for a web app, we use the JWT refresh mechanism to avoid invalid API abuse by invalidating the old token and refresh with a new set of token without login again. Once the JWT token is expired, then will need to kick the user out.
For a mobile app, JWT can be saved in SharedPreference and use the same key for all API calls. Set it as an environment instead of page based, so that you no need to set it again every time in every page.
Have a read on this https://tech.justeattakeaway.com/2019/12/04/lessons-learned-from-handling-jwt-on-mobile/
I'm building an application that doesn't need a login page because the server already asks for an sso and a password when accessing to any app in the server. The problem is that i need to save the user session but the sso api only gives me the ID of the user, so i was wondering how do i do that in Laravel 7?
I was thinking on a route /login/{id} that generates a token and saves it in the browser session and the database, and in every request the system verifies if the token is the same. I don't know if there is a better way to save a session without password, and how to do it in php using Laravel methods.
Thank you.
I have read some tutorials and video tutorials and they explain how to create a api_token.
I know that I have to change the AuthController and I have to add a new field which it is api_token when a new user registers. I know that I have to add auth middleware in the routes, etc.
But what I dont understand is this...
1) A new user registers in the app.
2) The app create to the user an api_token automaticly.
but I wonder how this user will know which it is its api token because if this user turns off the computer and then it returns to the app how will this user know what it is its api token again? because he will not register again.
Thanks.
Have a look at Laravel Passport. Laravel Passport uses for instance an OAuth autherization. If you log in your application you get an access token and a refresh token. The access token is self explaining you basically get access to the application, the refresh token does refresh you access after a specific amount of time that value is typically written in a configuration file.
Hi I am creating mobile native application that uses REST API endpoints to communicate with server side.
I have had previous experience developing native clients, but I have simple token (random generated string) stored in DB in the same table where user information is stored. So it is like sessions used in browser, but instead of cookies each request has token in the header.
Recently I discoreved JWT token. It seems to be great way to secure endpoints which are private. You can request token from mobile client providing you pass + login and get generated token in response.
But the one important thing is that this token is not stored anywhere on the server, server verifies the token using secret word, which is private for the server like private key.
That's okay for secured endpoints, but what to do if I require user session, for example how do apps like Facebook, Amazon, Aliexpress ... work, they have ability to use the app without providing credentials, just navigating through the store, but require logining in when user want't to make purchase. And after that user session is kept for some time.
This can be implemented with the JWT token without any problems, but when user need to logout, what to do in this case ? Token is not stored anywhere on the server, so how can I destroy this token, to make it invalid ?
If token is stored in the database, API is not stateless, as REST API should be.
So in general there is no way to keep user logged in in stateless API, am I right ?
I have some ideas how to implement this using JWT token, but again this will not be stateless API, as I understand.
Create the list of expired tokens
Store JWT token in the database, but what is the purpose of self descriptive token (JWT) in this case if it is stored in the database, the main idea of JWT token to keep all information with token, as I know.
Please suggest what is the best way will be in this case, and correct me if I have mistaken.
Thanks.
If you're using JWTs, then you can't have a server side state in order to properly logout the user without defeating the purpose of using JWTs in the first place. The best option though if you want to do this is to have a last logout date stored in the DB and in the JWT, and if these don't match you logout the user (without updating the date in this case). However, you now have server side state.
Storing logged out tokens in the DB seems like overkill though.
An alternative option is that you could generate a 128 bit token generated by a CSPRNG, store this using SHA-256 in the database, and then use the unhashed value in a web token. This way you can simply delete the entry in order to logout the user server side. This is the more secure option as you now have a way to properly expire tokens and sessions on the server. If a user changes their password, or wants to secure their account by logging out other sessions you now have a way to do this.
JWT authentication is basically happens on both the client side and server side.
When the user sends Username and password to authenticate. its checked against the db and if valid a joken is generated and sent back to the user. There are multipe API's for generating the JWT token, you can check out http://jwt.io/
Once the token is generated and sent back, it needs to be sent along with header in each request and needs to be validated, on the server side, before serving the API back to the user.
There is no need to store the the token as the API itself will allow you to decode it on the server side.
How i am doing it:
I generate a random id (I call it validation code) and store it in database when user signup, encode it in jwt.
Whenever any request is made with jwt, I check the validation code, if it is correct: access is granted.
To expire the session like after changing password, I change the validation code in DB.
If you need to logout a user, provide a logout link. The server should reset the session data by encoding the token with any empty array for example. The user will have a valid session but will not have the valid information to validated them.
Valid Token at login
$data = array("id"=>1,"user_type"=>"Admin");
$token = JWT:encode($data, $key);
Validating Token
$token = $_POST['token'];
$data = JWT:decode($data, $key, $hash);
if($data.id){
return "valid token";
}else{
return "invalid token"
}