Passport provides a convenient way of registering routes for users to create their own clients by calling Passport::routes(); in the AuthServiceProvider.
I do not wish to allow my users to create clients, as I only want to manually create clients using php artisan passport:client command, as I only need passport for machine-to-machine authentication for internal services.
How do I customize routes for Passport to only expose the necessary routes for passing a client id and secret to gain an access_token? I understand that I can dig into the framework and expose my own routes to a series of \Laravel\Passport\Http\Controllers\PassportController#action, I just didn't know if that was the only way or the preferred way.
You can pass a closure to Passport::routes() in your AuthServiceProvider.
See here
In the closure you can define which routes should be registered.
Something like this:
Passport::routes(function ($router) {
$router->forAuthorization();
$router->forAccessTokens();
// etc.
);
Here are the available methods:
forAuthorization();
forAccessTokens();
forTransientTokens();
forClients();
forPersonalAccessTokens();
Related
Does Laravel Passport support having permissions on routes, methods, and a number of requests? e.g., the user can only send GET request, or the user can only send 50 requests for the special route, or the user only has access to special routes.
If not, do you know any package in laravel or other PHP frameworks that provide such facilities for API authentication and authorization?
For this you need to make use of the middleware throttle.
for example:
Route::middleware('auth:api', 'throttle:60,1')->group(function () {
...
}
I am really struggling with Laravel auth. I read the manual many times, went to the code, but I still don't understand how the level of intrication of the Auth module.
As far as I understood, the app files that take part of the Auth are:
Manager: Auth (Illuminate\Auth\AuthManager)
Service Provider: AuthServiceProvider (Illuinate\Foundation\Support\ProvidersAuthServiceProvider)
Middleware: Authenticate
Gate
Model: User
Controller: LoginController
It seems these controllers LoginController, RegisterController, ... are called by magic, hardcoded deep down in Illuminate\Routing\Router. But, I do not want to use or register any ResetPasswordController, neither ForgotPasswordController simply because I do not hold any passwords on my application.
So in my case I do no store any email or password in my database. My authentication is done with OAuth2, the only think I do, is collecting an access token that I store on my database.
The question is:
How can I use the builtin Laravel Auth system that I am forced to use anyway because some providers require an access to app('auth')?
What then is the best solution in my case?
Rewrite the whole Auth Manager and override the Router to remove the burred links to the unneeded controllers
Tweak the existing Auth system to fulfill my needs
I am quite lost...
I am using Laravel Passport (auth:api), all works well however I've came with the idea to log record user requests on a specific route.
When an GET request is made to /movie/65 I would like to store in movie_view the following data: user_id, movie_id (if the user is logged in)
However in my controller I am unable to call $request->user() without setting auth:api middleware.
What is the best practice you recommend to achieve this?
Default Auth Type should be set to 'api' in config/auth.php
Source: https://laracasts.com/discuss/channels/general-discussion/optional-authentication-for-api?page=0 (it was very hard to find)
Best way to do this is:
if (\Auth::guard('api')->check()) {
$user = \Auth::guard('api')->user();
}
you have to setup the guard to 'api', the default one is 'web'.
You can create a custom middleware as suggested here -- https://laracasts.com/discuss/channels/laravel/how-to-handle-route-with-optional-authentication. Then apply api guard to it. Let say you assign that custom middleware as auth.optional in Kernel.php, then you can use that middleware as auth.optional:api (with that api guard). Then you can access user thru $request->user() in your case above.
I am a bit confused, I have a web application having a login, Register, Logout. Some dashboard views etc(CRUD), I want to make an api for this application too.
Like an api which third party will use, Can update records, Can delete records etc.
Actually there should be some way which can be use by mobile app for CRUD.
I know we have that routes/api.php, But i am pretty confused that when to use it. Please explain the scenario, I am blank.
Update:
Scenario
Application having views, authentication system etc, How an android app will be able to perform CRUD operations on the same application ?
1.web routing uses session state, CSRF protection. does it mean api routing not using session state, CSRF protection?
All it possible but not required. You still can using sessions etc, but this is a REST principles violation.
2.laravel 5.3 uses seperate web and api routing, is there any advantages ?
It's just for your convenience. In Laravel 5.2 you need specify middleware for routes like ['web'] or ['api'] but it doesn't required anymore. In 5.3 routes stored in separated files and specify routes middleware not required.
If you are specifying routes in api.php, you will need to use the auth:api middleware. For example:
Route::group(['middleware' => ['auth:api']], function () {
Route::get('/test', function (Request $request) {
return response()->json(['name' => 'test']);
});
});
Notes about Token auth and Laravel 5.3:
If you've setup laravel's default auth system, you will also need to add a column for api_token to the user table. If you are using DB seeders, you might want to add something like:
$table->char('api_token', 60)->nullable();
to your users table seeder. Alternatively just add the column manually and fill that column with a random 60-char key.
When making the request, you can add the api_token as a URL/Querystring parameter like so:
domain.com/api/test?api_token=[your 60 char key].
You can also send the key as a header (if using Postman or similar), i.e: Header: Authorization, Value: Bearer [your 60 char key].
I order to get a useful error if the token is incorrect, also send the following header with all requests:
Header: Accept, Value: application/json. This allows the expectsJson() check in the unauthenticated() function inside App/Exceptions/Handler.php to work correctly.
My currenct project consists of 4 main parts:
App shows data from API
API offers data for app
Dashboard Manages data of database (Twig, no SPA)
Website Shows some numbers from the database (readonly)
Should we just use a modules-library for Laravel to split the system into: API, Dashboard, Common, Web or are there better ideas? What is the best way?
Laravel by default is already split for you. Just looking at the routes directory you can see there are separate files for web routes and api routes, prefixed with api, though you can change the prefix yourself.
The part you will have to actually think the most is the Dashboard/Website part, where you will have to implement authorization to know who can access what.
Basically, you are just building a normal application, then you start adding different controllers that would respond to API routes since application controllers and api controllers do not return the same thing. Application controllers return mostly views and redirect, whereas api controllers return mostly JSON formatted data. You can split those controllers into 2 different directories like this
app/Http/controllers/web/
app/Http/controllers/api/
So when generating controllers in artisan you prepend the directory
php artisan make:controller web/DashboardController
php artisan make:controller api/UserController
And so on.
So to summarise:
1- API: use routes/api.php, controllers return JSON return response()->json($data);
2- Common: Some helpers, services & middlewares shared by web & api
3- Dashboard: Authentication + Authorization to limit access. Use a routes group here and apply middlewares
Route::group(['prefix' => 'admin', 'middleware' => ['auth', 'admin']], function(){
//admin routes go in here
});
4- Web: Public data, read only. Not authorization require. Just basic pages with no authentication.
Regarding to #EddyTheDove's answer, I would build main controllers to extend in web and api controllers. You need the same data for each output anyways. You can transform your data Eloquent Resources in api controllers or view in web controllers.