RESTful API with Userfrosting - php

I'm using UserFrosting to manage users with PHP in my API and I want to use the login function in a controller with the POST method.
When I call the login function it returns me as a response
The CSRF code was invalid or not provided.
I still cannot get the csrf_token
Any idea?

There is a UserFrosting Sprinkle that implements JWT authentication: https://github.com/x00x70/tokeniser
Join us in chat if you have any questions about its use!

If you're developing an API (either for it to be consumed by a web platform or a mobile app) I believe it's better to have a different kind of authentication, namely JWT authentication. In Laravel you have Passport to handle this authentication with ease.
I'm not sure how UserFrosting uses Laravel, but if the Laravel version is above 5.3 you can use it.
If it isn't, there's always the option of making a custom JWT authentication.
Here is the latest documentation for Passport: https://laravel.com/docs/5.5/passport.

Related

Is there any library file for laravel multi-auth using API Authentication (Passport)?

I am developing a web app using Laravel, but I have to integrate the mobile application in the future. Now I want to add API authentication with Passport. I am a little bit confused how the Passport API handles a multi-auth system with multiple user and permission systems. Currently, I am using Laravel default auth to handle users. Is there any library for Laravel multi-auth using API authentication (Passport)?
The thing you have to understand about Passport is that it is nothing more than a Laravel wrapper of the OAuth2 framework, specifically this implementation: https://github.com/thephpleague/oauth2-server
As such, you must understand how the different OAuth2 grant types work. I recommend reading up on OAuth2 to familiarize yourself with the concepts (I personally found this site to be the most helpful for understanding the different grant types: http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/).
Specifically to your question, take a look at Password Grant Tokens (https://laravel.com/docs/5.6/passport#password-grant-tokens) for use in a mobile app. Once you have your token, Laravel handles all the Authentication behind the scenes and you can use Auth::user() as you would normally, assuming you have Passport set up and configured correctly; the user is tied to the token and is independent of any other token and any logged in user.
As for permission systems, Passport uses scopes (https://laravel.com/docs/5.6/passport#token-scopes) which is a handy way of limiting what routes your tokens have access to. Aside from that, permission management for the Auth::user() is the same as any other user using your application.
EDIT:
Passport scopes are used to lock down routes, so they can be used. However, Passport is only concerned with authentication (i.e., is this user valid) and NOT with authorization (i.e., what can this user do). How you authorize users to do different things is 100% independent of Passport and is up to your web app.
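To make the answer's three-way split concrete (token validity, token scope, per-user authorization), here is an added example that is not from the answer or from Passport's own documentation. It assumes Passport of the Laravel 5.x era with a password-grant client created via `php artisan passport:client --password`, an `App\Order` model with an `OrderPolicy` whose `update()` method checks ownership, a `orders()` relationship on the user, and the two scope middleware aliases registered in `app/Http/Kernel.php` as shown in the comments.

```php
<?php
// Added example, not code from the answer above. Assumptions: Passport installed,
// a password-grant client created with `php artisan passport:client --password`,
// an Order model with an OrderPolicy whose update() method checks ownership, a
// User::orders() relationship, and these aliases in app/Http/Kernel.php:
//   'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,      // needs all
//   'scope'  => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class, // needs any

// ---- app/Providers/AuthServiceProvider.php, inside boot() ----
use Laravel\Passport\Passport;

Passport::routes();   // registers /oauth/token and the other Passport routes
Passport::tokensCan([ // the only scopes a token can ever be issued with
    'read-orders'  => 'Read your orders',
    'write-orders' => 'Create or update orders',
]);
Passport::tokensExpireIn(now()->addHours(1));        // keep stolen tokens short-lived
Passport::refreshTokensExpireIn(now()->addDays(30));

// ---- routes/api.php ----
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// The mobile app first obtains a token with the password grant:
//   POST /oauth/token  grant_type=password client_id=... client_secret=...
//                      username=... password=... scope="read-orders write-orders"
// and then sends "Authorization: Bearer <access_token>" on every API call.

// Three separate questions, answered by three separate mechanisms:
//   auth:api        - is the bearer token valid, and which user is it? (authentication)
//   scopes:...      - was this token issued with permission to write orders? (scope)
//   $user->can(...) - may THIS user modify THIS order? (authorization via the policy,
//                     which is your app's business and not Passport's)
Route::middleware(['auth:api', 'scopes:write-orders'])
    ->put('/orders/{order}', function (Request $request, \App\Order $order) {
        abort_unless($request->user()->can('update', $order), 403);
        $order->fill($request->validate(['status' => 'required|string']))->save();
        return response()->json($order);
    });

// A read endpoint accepts a token carrying either scope (CheckForAnyScope).
Route::middleware(['auth:api', 'scope:read-orders,write-orders'])
    ->get('/orders', function (Request $request) {
        return $request->user()->orders;
    });
```

A token issued with only `read-orders` is rejected by the `scopes` middleware on the PUT route before the policy is consulted, while a `write-orders` token belonging to a different user passes the scope check and is then stopped by the policy.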

oAuth Laravel API Route for Mobile

Our challenge is below for our latest project. With the advent of the Laravel Passport API we thought of giving it a try instead of using the old https://mattstauffer.co/blog/introducing-laravel-passport that I guess everybody was using prior to Laravel 5.3.
So our challenge is how to implement Laravel Passport for our mobile apps, since we need to register users through an API instead of the Vue login element provided in the latest Laravel.
Any help will be much appreciated.
The Laravel Passport API as of now doesn't support creating the user credentials other than using their Vue view component. So there is no way you can do that. So if that is very important for your business/project then I would advise sticking to JavaScript for creating access/API tokens instead of using the standard Laravel Passport OAuth implementation.
The ideal diagnosis for such an issue is to implement your own logic for handling the creation of tokens and OAuth users in the respective tables in Laravel.

Can Laravel Passport be used for authenticating users?

Laravel provides routing for applications in general with their user login/register method.
However, my application is not able to take advantage of the CSRF token and sessions as its view is powered by PhoneGap, so I'm forced to use another method of authentication to ensure all requests from the PhoneGap app to the Laravel routes/controllers are secure.
Is Laravel Passport suitable for this, or is OAuth2 used for something different? I just need a bit of guidance as I'm quite new to this method of authentication.
Laravel Passport, or OAuth2 for that matter, is used to authenticate clients (mobile apps or web apps like in your case) to securely use APIs to access data.
So yes, Laravel Passport is used to authenticate clients, but the way you can use it in your project entirely depends on your exact requirements, because if you are just planning to submit forms then you can still do it without using CSRF tokens or Laravel Passport or OAuth2, but if you want to build a secure way of allowing your clients/users to submit and channel data to your backend then yes, you should use Laravel Passport.
Laravel 5.3 has a slight challenge in terms of implementing Laravel Passport for APIs, and to help you with that I have already written a detailed setup and usage write-up here: Laravel's 5.3 passport and api routes.
Let me know if you need any help, as I have been using OAuth2 and Laravel Passport recently in almost all of my projects.

Rest API Authentication using Token from mobile application

I am building a backend REST API for an Android application. It authenticates the user and sends the token in the Authorization header. I am extracting the token from the header in a custom middleware. Now I tried to check with Socialite whether it provides a way for me to get the user by token. If the user does not exist we will create a user, else send a success response to the Android application.
Now in Socialite I cannot implement the specific method getUserByToken($token) since it's protected.
I am not proficient with Laravel. Can someone guide me?
Thanks, Pavan
Socialite is not an authentication library but a library that provides an interface to OAuth for many social networks.
In order to do what you want you should look at the auth library http://laravel.com/docs/5.0/authentication and I guess that the getUserByToken should go to your User model.

Logging in users with API built in laravel

I am building my first REST API for an iOS app.
The framework I use for building the API is Laravel.
Everything works great so far but I am not sure how to log users in using the API.
Could sessions work here? I'm already using SSL/HTTPS but I don't want to authenticate users on each
request, so what's the best way to only make them log in once?
Also, should OAuth work fine here?
If you have any examples on how to log users in on a Laravel-built API please share.
Thanks in advance
In my experience, Laravel's built-in authentication component is only able to be applied to normal authentication via form, session and cookie. To handle API authentication, I have used these methods; hopefully one of them is suitable for you.
OAuth 2
With the help of lucadegasperi/oauth2-server-laravel, you can make your API secured via OAuth flows. More documentation can be found at the package wiki on GitHub or the PHP League OAuth2 home page. You can use filters to secure your API routes as follows:
Route::get('protected-resource', ['before' => 'oauth:scope1,scope2', function() {
    // return the protected resource
}]);
However, OAuth needs a database to save client credentials and some more settings; if your API is not so complicated, this solution may not be suitable.
HTTP Authentication
This solution is simpler than OAuth and I recommend using it with an SSL (HTTPS) connection, because the authentication information can be visible while using this. The package I used before is Intervention/httpauth. You have two options for the authentication method by using this package: basic (send a base64 encoding of the combination username:password via HTTP header) or digest (use the MD5 algorithm to encode your information before sending it via HTTP header). This solution does not require any database.
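The Basic scheme the answer describes, written out as a Laravel middleware so the two caveats above (base64 is not encryption, so HTTPS is mandatory; and no session is needed because each request carries credentials) are enforced in code. This is an added example, not the Intervention/httpauth package's code; it assumes users log in with an `email` column and that passwords are stored as bcrypt hashes, as Laravel's default `users` table does.

```php
<?php
// Added example, not the Intervention/httpauth package's code: a minimal HTTP Basic
// authentication middleware for stateless Laravel API routes. Assumptions: users log
// in with an `email` column and passwords are stored hashed (bcrypt).
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ApiBasicAuth
{
    public function handle(Request $request, Closure $next)
    {
        // Basic sends username:password base64-encoded: encoding, not encryption.
        // Refuse to process credentials that arrived over plain HTTP.
        if (! $request->secure()) {
            return response()->json(['error' => 'HTTPS required'], 403);
        }
        $creds = self::parseBasicHeader($request->header('Authorization', ''));
        // Auth::once() checks the stored hash and authenticates for this request
        // only: no session, no cookie, which is what a stateless API wants.
        if ($creds === null
            || ! Auth::once(['email' => $creds[0], 'password' => $creds[1]])) {
            // The WWW-Authenticate header tells the client which scheme to use.
            return response()->json(['error' => 'Unauthorized'], 401)
                ->header('WWW-Authenticate', 'Basic realm="api"');
        }
        return $next($request);
    }

    /** Returns [username, password], or null if the header is absent or malformed. */
    public static function parseBasicHeader(string $header): ?array
    {
        if (! preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) {
            return null;
        }
        $decoded = base64_decode($m[1], true); // strict mode rejects junk input
        // RFC 7617: the password may itself contain ':', so split on the first only.
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        return explode(':', $decoded, 2);
    }
}
```

Register the class under an alias in `app/Http/Kernel.php` and attach it to the API route group; because the password is re-verified on every request, this is the "authenticate every time" trade-off the question wanted to avoid, which is why the OAuth option above issues a token instead.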
