
julianov

Passport same token

Hello. This is how I implement user authentication when they log in. The problem I notice is that all users are returned the same token. Is this correct?

api.php

Route::post('/v0/user/login', 'App\Http\Controllers\UserController@login');

the UserController login method is:

public function login (Request $request){

    $validated = $this->validate($request, [
        'cuil' => 'required',
        'password' => 'required',
    ]);

    if (Auth::attempt($validated)) {
        $user = Auth::user();
        // Passport personal access token; ->accessToken is the signed JWT string
        $token = $user->createToken('user_token')->accessToken;
        $minutes = 1440;
        $timestamp = now()->addMinutes($minutes);
        // Computed from the local clock for the response only; it does not change
        // the expiry Passport stores for the token itself
        $expires_at = date('M d, Y H:i A', strtotime($timestamp));
        return response()->json([
            'status' => true,
            'message' => 'Login successful',
            'access_token' => $token,
            'token_type' => 'bearer',
            'expires_at' => $expires_at
        ], 200);
    } else {
        return response()->json([
            'status' => false,
            'message' => 'Invalid Credentials',
        ], 400);
    }
}

As you can see, there are the lines:

        $token = $user->createToken('user_token')->accessToken;
        $expires_at = date('M d, Y H:i A', strtotime($timestamp));

and then it returns the token (if everything is right):

return response()->json([
    'status' => true,
    'message' => 'Login successful',
    'access_token' => $token,
    'token_type' => 'bearer',
    'expires_at' => $expires_at
], 200);

All users get the same token. Is this right?

Also, these are the tables in the DB:

oauth_access_tokens oauth_auth_codes oauth_clients oauth_personal_access_clients oauth_refresh_tokens

0 likes
4 replies
MohamedTammam

I don't think they're the same tokens. Can you please post at least two tokens here for two different users?

1 like
julianov

Ok, the tokens are different, but I found the problem. If I use user 3's token with user 4, I am authorized. Should this happen?

How is it possible that using the token of user 3 with user 4 finds no problems, that is, it is authenticated?

api.php

Route::middleware('auth:authentication')->post('/v0/testroute', 'App\Http\Controllers\UserController@test');

UserController test method:

public function test (Request $request) {

    return ("authenticated");
}

this is the client code in the frontend:

axios({
    method: 'post',
    url: 'http://127.0.0.1:8000/api/v0/testroute',
    data: {"usr":"4","name":"xxxx","last_name":"xxxxx","email":"[email protected]","password":"1234"},
    headers: {
        'Authorization': 'Bearer ' + "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI1IiwianRpIjoiNTJlYzlhZjNlOWIyOGVhNjEzYmU3Nzc1N2VkOWI0OWY1MjJkODMxOWZkMGI1NDRhZjI2ODFkNGY0OThhNTJlMTM2M2FlNDhjODEzMThlMjkiLCJpYXQiOjE2NjU0MTkyODcuNjY2NTg3LCJuYmYiOjE2NjU0MTkyODcuNjY2NTkyLCJleHAiOjE2OTY5NTUyODcuMzAwOTg0LCJzdWIiOiIxIiwic2NvcGVzIjpbXX0.H5Ak_6zHiHEBWerMQ9H55LSPWQbqSSLHJjpkdnHBwdmf1HszBDgiPY89V5NxSmjnFYi1KcWVn-X_M6BJlC_Tg5JWoGnTJ-_faQRpOXCdDO4-x3cobAQr4SegQ7obOKwCJJ9TqC8ql8wF6MWBUStdKwAC5lPbvD3BX8zjWsf54_aiLmK11l5hYqwtueN_DZC2X0-T-JwzCg5LfmUOomc0noICgaZfUTtf9oUWXxty-kP2ut_wUnIHOD8BDLm1d-V472d2-PeRbek1c4r5hHecEoCTA7Tklb73O-3KwMe3dz5PwyK_s3_cVR1w6oO0jC6QNfd-QbM_mIyOgtvNX-N5TXxm3Oh9aIu1SArExDg7QJGx7cB6fvVxQdDB35nR-ouE8IBkQsR44MZXpJ6mdNilXuwyp9OnfcJgHzQRrjZb7QRKHhv_99GHISEGoESkMn7aMDTYiiG5759eLe0AWSTiCopcvT2m9vjepg-mHs8F9erSnZCeWOWLqWnK1Mu1xOQGk8UEUk8n42fJ-bDG0f8lOExURbN1LLN4r9ZDLdQbdT9GEBans19koaIMuFeRC9rH_C7JW4Tc2OjslNJ5PgH31zHaTcaduq0HM8cypKgbFAPEhlbjCvUTUS1nUe6se96_X-nEDsE6rpHmqQ9hY0fGw1Yw7RhbsZvclyHDt9FgbCk",
        "Content-Type": "application/json",
        'Access-Control-Allow-Origin': '*',
    },
}).then(function (response) {
    console.log(response);
});

As you can see, the token for user 4 is user 3's token.

Tokens:

for user: 3

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI1IiwianRpIjoiNTJlYzlhZjNlOWIyOGVhNjEzYmU3Nzc1N2VkOWI0OWY1MjJkODMxOWZkMGI1NDRhZjI2ODFkNGY0OThhNTJlMTM2M2FlNDhjODEzMThlMjkiLCJpYXQiOjE2NjU0MTkyODcuNjY2NTg3LCJuYmYiOjE2NjU0MTkyODcuNjY2NTkyLCJleHAiOjE2OTY5NTUyODcuMzAwOTg0LCJzdWIiOiIxIiwic2NvcGVzIjpbXX0.H5Ak_6zHiHEBWerMQ9H55LSPWQbqSSLHJjpkdnHBwdmf1HszBDgiPY89V5NxSmjnFYi1KcWVn-X_M6BJlC_Tg5JWoGnTJ-_faQRpOXCdDO4-x3cobAQr4SegQ7obOKwCJJ9TqC8ql8wF6MWBUStdKwAC5lPbvD3BX8zjWsf54_aiLmK11l5hYqwtueN_DZC2X0-T-JwzCg5LfmUOomc0noICgaZfUTtf9oUWXxty-kP2ut_wUnIHOD8BDLm1d-V472d2-PeRbek1c4r5hHecEoCTA7Tklb73O-3KwMe3dz5PwyK_s3_cVR1w6oO0jC6QNfd-QbM_mIyOgtvNX-N5TXxm3Oh9aIu1SArExDg7QJGx7cB6fvVxQdDB35nR-ouE8IBkQsR44MZXpJ6mdNilXuwyp9OnfcJgHzQRrjZb7QRKHhv_99GHISEGoESkMn7aMDTYiiG5759eLe0AWSTiCopcvT2m9vjepg-mHs8F9erSnZCeWOWLqWnK1Mu1xOQGk8UEUk8n42fJ-bDG0f8lOExURbN1LLN4r9ZDLdQbdT9GEBans19koaIMuFeRC9rH_C7JW4Tc2OjslNJ5PgH31zHaTcaduq0HM8cypKgbFAPEhlbjCvUTUS1nUe6se96_X-nEDsE6rpHmqQ9hY0fGw1Yw7RhbsZvclyHDt9FgbCk

for user: 4

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI1IiwianRpIjoiZDRhZTU0OGI3YmJiOWMxZDAyYWZmZTMyZjM4NGU5NjhiYTRhNTZmZWIxY2E0YWQ1ZTcyNDcwNmUyODg2ZGM4YTQzZjJmNzY5Mzk4YWQwNjAiLCJpYXQiOjE2NjYzMTU5NTUuNTQ1MTUxLCJuYmYiOjE2NjYzMTU5NTUuNTQ1MTU5LCJleHAiOjE2OTc4NTE5NTUuNDUxOTg3LCJzdWIiOiI0Iiwic2NvcGVzIjpbXX0.HR4dQFu9CrVrBotsQTLsOBqGfoYeR4h0_P86otKyk6xwF2iiQ07b97F27rRpEH2lUCumKmVcki3MW3DYBESLx8SjNzYBpVTzCPr9uXC55tSzpau95vEcUcE2UCIRr68Q-k-1xlqioTWnYhm40bx5WYdC3Th04d8r2ovzOsqVfMeGLmKYbLcvFYrwh-QLjJWlyGAtxeRIJ04Gteibgf2cRQnuDdeNTOb8Ud0t748iC2cyCKxs1pMdhn5dxV22pu0vX0w2WNQfOsBUQw2peic7BMBeRwHHiCqyedPG80pr_FJpHzJMUHu7FZaPH3vDxl5CyNFYjOiU8S62KZKR4b02IU9mMAzACLB8z7z9OC2NtFiZWbcPNxChFmve41gCyEyEZSLNG26OvyUJILr1OsCPF_ONytdmeYYgW_aPdHsGVMGb5n7KTd-V9wQimFEM8tCSQnuG3V23cn0JNc6nH1N5v9fkftpJFKx2KMf9fgGU3umTlbSu5YLAkXzK_rge45SeTNmqdK_XmZUWLgAZCtmAVBeNP9zB2cxi9DmaC-Hqo0VRtER1FVntuwA2a1Cun9b2b_XTUwqGT5toVpOJhxGXGBjTxPkvAoYhxQ7xvprUba16aoOr9kEGuPhvHOa6jdoDESgrmIXmJRSYb3RarodUdDNjWpHWPVTVCB1nzYhzXR4

MohamedTammam

Yeah, it should happen. If someone steals the token, he can act like the user who originally owns the token.

That's why keeping the token safe is a MUST.

What you need to check against is: can user 3 with his token act like user 4? That can be a problem if the answer is yes.

1 like
julianov

@MohamedTammam yes, the answer is: it can be a problem. What should I consider?

Also, that token, in what table is it stored? Because there are these tables, but I cannot find it:

oauth_access_tokens oauth_auth_codes oauth_clients oauth_personal_access_clients oauth_refresh_tokens
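As an added example (not code from this thread or from Laravel Passport itself), here is a hardened version of the two handlers discussed above. It assumes the same route, guard and field names as the thread, and that the controller sits behind the Passport auth middleware. Two points it makes concrete: the caller's identity must come from the bearer token only, so a user id in the request body is untrusted input; and the expiry returned at login should be the one Passport stored for the token, since both tokens posted above carry an exp claim exactly one year after their iat, not 1440 minutes.

```php
<?php
// Added example, not the thread's code. Assumes Laravel with Passport, the
// route names above, and that /v0/testroute is behind the auth middleware.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class UserController extends Controller
{
    public function login(Request $request)
    {
        $validated = $this->validate($request, [
            'cuil' => 'required',
            'password' => 'required',
        ]);

        if (! Auth::attempt($validated)) {
            return response()->json(['status' => false, 'message' => 'Invalid Credentials'], 401);
        }

        // createToken() returns the JWT (->accessToken) and the stored row
        // (->token, i.e. oauth_access_tokens: id = jti, user_id, expires_at).
        $result = Auth::user()->createToken('user_token');

        // Report the expiry Passport actually enforces. To make it 1440 minutes,
        // set it in App\Providers\AuthServiceProvider::boot():
        //     Passport::personalAccessTokensExpireIn(now()->addMinutes(1440));
        return response()->json([
            'status'       => true,
            'message'      => 'Login successful',
            'access_token' => $result->accessToken,
            'token_type'   => 'bearer',
            'expires_at'   => $result->token->expires_at->toIso8601String(),
        ]);
    }

    public function test(Request $request)
    {
        // The authenticated user is resolved from the bearer token's sub claim
        // by the middleware; it is the only identity the handler should trust.
        $user = $request->user();

        // A "usr" field in the body must never select whose data to act on.
        // Either ignore it or require it to match the token owner.
        if ($request->filled('usr') && (int) $request->input('usr') !== (int) $user->getKey()) {
            abort(403, 'Token does not belong to the requested user');
        }

        return response()->json(['authenticated_as' => $user->getKey()]);
    }
}
```

With this in place a request that sends user 3's token together with "usr":"4" is rejected with 403, while a request that sends no "usr" simply acts as the token's owner.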
