Level 53
@robdesilets yes, there are two official packages for API authentication: Laravel Airlock and Laravel Passport.
Mar 5, 2020
5
Level 5
API Authentication
Hi,
I am in the process of implementing my API using Laravel 6. Since 7 just came out they removed the docs on the API (token authentication, etc). Is everything related to the API auth moving to the AirLock package?
Thanks!
Level 5
Thanks for the reply. I did have a few follow-up questions:
-
It appears that with AirLock you can't authenticate the token via the query string (as you could previously). I have a need so auth in the query string versus having to put it in the Bearer in the request.
-
Is the "old" way of doing it eg. creating api_token field in the table then setting up a doing something like this:
Auth::viaRequest('company', function ($request) { return (Company::where('api_token', $request->api_token)->first()); });
No longer the correct/supported way?
I have it working now as I like it, but don't want to release something that will no longer work in future versions of Laravel and/or is not the right way of implementing it.
Edited to add:
It does look like in the v7 docs the "viaRequest" is still mentioned as a way to build a custom guard. I guess I am still trying to put together how AirLock fits into this all.
Thanks!
-Rob
Level 53
From the Laravel Airlock docs:
When making requests using API tokens, the token should be included in the
Authorizationheader as aBearertoken.
https://laravel.com/docs/7.x/airlock#issuing-api-tokens
No longer the correct/supported way?
Closure request guards are still supported in Laravel 7, so you should be safe.
https://laravel.com/docs/7.x/authentication#closure-request-guards
Level 5
Ok thanks. So just to be clear when I use the Closure request guards I am essentially responsible for creating my own tokens. In other words, AirLock will create tokens and also authenticate those tokens (via Bearer token), but if I wanted to continue using the Closure then AirLock is not applicable.
Just trying to be clear :)
Level 53
@robdesilets well, you can always try to search for workarounds if you really want to use Airlock.
One option might be to override bearerToken method in Request class so that it would also check for the token in the query string.
https://stackoverflow.com/a/30840179
The other option might be to extend Airlock Guard class and override the logic in __invoke method.
https://github.com/laravel/airlock/blob/1.x/src/AirlockServiceProvider.php#L96
But if your custom solution works fine, then I don't see any necessity to change it.
Please or to participate in this conversation.