
thomvincent

API Authentication

Hello.

I'm currently experimenting with API powered websites. Currently I have two sites:

Basic API with Laravel 5.2 along with the tymondesigns/jwt-auth and dingo/api packages. The API handles the creation, updating, deletion, and authentication of users.

The Client site is just a vanilla version of Laravel 5.2.

Everything is working well. I have a class within the Client which uses cUrl to communicate with the API site. At the moment I’m handling authentication by:

  • sending user login credentials to the API site through cUrl.
  • on the API using JWT’s function to check if the user’s credentials are valid.
  • if they are valid, returning the token to the Client site.
  • storing the token as a cookie.
  • all future requests send the token stored in the cookie using the headers i.e. “Authorization: Bearer”

This works, but I can’t help thinking that there is a better and more secure way. I’ve read about creating my own authorisation guards. But every tutorial I’ve read so far expects the API to exist within the same code base as the Client.

Ideally, I would like to use the Auth Facade in the Client to check the logged in user or retrieve their details i.e. Name & Email. Otherwise I would have to call the API every time I wanted to retrieve their details or check they were logged in.

Does anyone have any experience with this or any tips?

Thanks, Thom

0 likes
7 replies
kaziplus

Hey. I'm not really offering a solution except maybe to say that storing tokens in local storage isn't a good idea since they're vulnerable to XSS attack via JavaScript.

But more for me, I've really really been trying to do what you've done:

Laravel web app that uses an external API:

  • 1: Send data to an external API via cURL
  • 2: Save returned token
  • 3: Create 'auth' based functionality using token
  • 4: Send it along every request

But I'm stuck at point 2. Could you please help out a little. Much appreciated.

Lars-Janssen

@thomvincent I've worked with both.

you can get the current user like this:

    $user = JWTAuth::parseToken()->authenticate();

I work with vue.js. And I store the token like this:

    localStorage.setItem('jwt-token', token);

If the token is outdated I send a new token back. With every request I also receive this information from the user.

Example:

    public function userInfo()
    {
        $user = JWTAuth::parseToken()->authenticate();
        // If the token is invalid
        if (! $user) {
            return response()->json(['invalid user'], 401);
        }

        return response()->json([
            'id'    => $user->id,
            'name'  => $user->name,
            'email' => $user->email,
            'role'  => $user->role
        ]);
    }

Hope this helps a bit.

thomvincent

Hello @kaziplus & @lars64

I ended up creating my own authorisation within the Client site using the following links as a basis:

  • https://blog.georgebuckingham.com/laravel-52-auth-custom-user-providers-drivers/
  • https://laracasts.com/discuss/channels/laravel/replacing-the-laravel-authentication-with-a-custom-authentication

By creating my own authorisation I am able to create a session of the respective User account which gives me access to all the relevant information instantly and means I don't have to keep making calls to the API.

Thom

1 like
primordial

@thomvincent Very nice solution! But I think stateless authentication without the use of sessions should be the preferred goal.

thomvincent

@lars64 - I use the packages tymondesigns/jwt-auth and dingo/api on the website which is just an API. The custom authorisation was created on the Client website. The JWT package on the API website confirms whether the user is valid based on their email & password. If the user is valid then a second API request is made to the API using the JWT to load the respective user's data. That is then saved to the session using the custom authorisation on the Client website.

@primordial - I would welcome any suggestions. I was wanting a solution that would reduce the number of API calls (i.e. pinging for the logged in User's details on every page request). I also want to attempt using ACL with policies to restrict access on the Client website using roles & permissions.
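The flow Thom describes above (credentials sent to the API, JWT returned, a second call with the JWT to load the user, user kept in the Client's session so later pages need no API call) written out as a Laravel 5.2 custom user provider. This is an added example, not Thom's custom authorisation or either package's code; it assumes the API exposes POST /auth/login returning {"token": ...} and GET /auth/user returning the user's id, name, email and role, and that the class is registered in AuthServiceProvider with Auth::provider('api', ...) and selected as the provider driver in config/auth.php.

```php
namespace App\Auth;
use Illuminate\Auth\GenericUser;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Support\Facades\Cache;

class ApiUserProvider implements UserProvider
{
    const CACHE_MINUTES = 60;   // keep this at or below the JWT lifetime configured on the API
    private $baseUrl;
    public function __construct($baseUrl) { $this->baseUrl = rtrim($baseUrl, '/'); }

    // Login: exchange credentials for a JWT, then load the profile with it. Two API calls, once per login.
    public function retrieveByCredentials(array $credentials)
    {
        $login = $this->call('POST', '/auth/login', null,            // assumed endpoint
            ['email' => $credentials['email'], 'password' => $credentials['password']]);
        $profile = empty($login['token']) ? [] : $this->call('GET', '/auth/user', $login['token']);
        if (empty($profile['id'])) {
            return null;                        // bad credentials, bad token or API down: login fails
        }
        $profile['token'] = $login['token'];    // kept for later API calls; the password itself is never stored
        Cache::put('api_user:' . $profile['id'], $profile, self::CACHE_MINUTES);
        return new GenericUser($profile);
    }

    // Later requests: the session guard stores only the id and asks for the user back; answer from cache, not the API.
    public function retrieveById($identifier)
    {
        $profile = Cache::get('api_user:' . $identifier);
        return $profile ? new GenericUser($profile) : null;
    }

    // The API already checked the password in retrieveByCredentials; getting a user back means it was accepted.
    public function validateCredentials(Authenticatable $user, array $credentials) { return $user instanceof GenericUser; }
    public function retrieveByToken($identifier, $token) { return null; }     // "remember me" is not supported
    public function updateRememberToken(Authenticatable $user, $token) {}

    private function call($method, $path, $jwt = null, array $body = null)
    {
        $headers = ['Accept: application/json'];
        $opts = [CURLOPT_CUSTOMREQUEST => $method, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 5,
                 CURLOPT_SSL_VERIFYPEER => true];   // verify the API's TLS certificate; never turn this off
        if ($jwt) { $headers[] = 'Authorization: Bearer ' . $jwt; }
        if ($body !== null) { $headers[] = 'Content-Type: application/json'; $opts[CURLOPT_POSTFIELDS] = json_encode($body); }
        $ch = curl_init($this->baseUrl . $path);
        curl_setopt_array($ch, $opts + [CURLOPT_HTTPHEADER => $headers]);
        $raw = curl_exec($ch); $ok = curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200; curl_close($ch);
        return $ok ? (json_decode($raw, true) ?: []) : [];
    }
}
```

Because retrieveById answers from the cache, a user disabled or deleted on the API stays logged in on the Client until the cache entry expires, so keep CACHE_MINUTES short and forget the entry on logout.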
