5 months ago

Having some issues with Laravel Passport and best practices

Posted 5 months ago by Chris1981

Hey Guys,

I was wondering if I could get a little bit of code mentoring for a few issues im seeing. I have created a pure API instance of Laravel + Passport on and im consuming in a pure React instance on so they are completely different entities.

The issues im having are around authentication and the best / most secure ways of doing it. I have read quite a lot of tutorials and each one is quite different as to how they do it.

My currently login method in Laravel loooks like this;

public function login(Request $request)
        'email' => 'required|string|email',
        'password' => 'required|string'

    $credentials = request(['email', 'password']);

    if(!Auth::attempt($credentials)) {
        return $this->sendError('Unauthorized', '', 401);

    $user = $request->user();

    $tokenResult = $user->createToken('Personal Access Token');
    $token = $tokenResult->token;

    $data['access_token'] = $tokenResult->accessToken;
    $data['token_type'] = 'Bearer';
    $data['expires_at'] = Carbon::parse($tokenResult->token->expires_at)->toDateTimeString();

    return $this->sendResponse($data, 'User logged in successfully.');

This works fine, but is this the best way of doing it as I see some tutorials get a refresh token as well, but im not sure what that does. Also the expires_at is never used on the frontend.

On the frontend my login method is simple;

return + 'login', formData, {
    headers: {
        Accept: 'application/json'
    .then(response => {
        const token =;
        localStorage.setItem('access_token', token);

        return response;
    .catch(error => {
        return error;

This seems not to be all that secure storing the access_token in local storage .... Whats the best way of storing this?

Also, I was watching a tutorial with VUE and to protect a route, they simply used a conditional to check if the access_token was not null .... But this seems a bit ugly, what happens if that token had expired.

Sorry for the load of questions, but I can't seem to find a place to read that seems ......... good practice.

I dont want to put an app out into the public with terrible authentication.

Thanks in advance.

Please sign in or create an account to participate in this conversation.