limb24's avatar

API authentication with an external API

Hi all, I'm fairly acquainted with the basics of Laravel and while my app is looking quite good, I can't wrap my head around implementing API protection with Laravel's auth functionality in this scenario: the username and password is sent through a HTTP request to an external API, which returns a response on whether the user has entered valid credentials. My Laravel app also has some API routes that must only be accessible to authenticated users. I also have to protect certain web routes, and need to implement sessions/cookies.

I looked around everywhere but it seemed that most of the tutorials/questions involved setting up a database that had usernames and passwords, and manually registering users. I saw some answers that said to create a custom user provider and a service provider, but after that I'm not sure where to go, and would like advice. Here is an example of what I have now:

MyUserProvider.php

class MyUserProvider implements UserProvider
{
    public function retrieveById($identifier) {
        // Retrieve a user by their unique identifier.
    }

    public function retrieveByToken($identifier, $token) {
        // Retrieve a user by their unique identifier and "remember me" token.
    }

    public function updateRememberToken(Authenticatable $user, $token) {
        // Update the "remember me" token for the given user in storage.
    }

    public function retrieveByCredentials(array $credentials) {
        // Retrieve a user by the given credentials.
    }

    public function validateCredentials(Authenticatable $user, array $credentials) {
        $ch = curl_init();
        // Make http post request here
        if ($credentials_are_valid) {
            return true;
        }
        return false;
    }
}

MyAuthServiceProvider.php

class MyAuthServiceProvider extends ServiceProvider
{
    /**
     * Register services.
     *
     * @return void
     */
    public function register()
    {
        //
    }

    /**
     * Bootstrap services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();
        
        Auth::provider('my-auth', function ($app, array $config) {
            return new MyUserProvider();
        });
    }
}

and in my config/auth.php I have registered my user provider under providers.

I have looked into Passport but it seems the official docs utilized a database with users and passwords, and it didn't seem to have much advice for my scenario, where I don't have access to username and passwords. I am thinking to just do it without any Laravel help, like setting up a redis database and storing cookies in there, but I am always open to doing things the Laravel way.

0 likes
1 reply
fylzero's avatar

@limb24 Have you looked at this? https://laravel.com/docs/6.x/api-authentication

You can use basic token auth to get started. Basically the system can create a token to protect you API routes which is bound to a user. No need for usernames and passwords to auth to your API... just pass a token in the request.

Passport provides an oauth implementation which adds an additional layer of security but is a bit more complex to integrate. Basically it binds an access token but also requires you to generate and pull a transaction token for each request. If this is what you are looking to do I suggest watching: https://laracasts.com/series/whats-new-in-laravel-5-3/episodes/13

24 likes

Please or to participate in this conversation.