
matysek145:

Laravel API, ReactJS, Authentication

Hello,

So I am really confused about all the stuff regarding APIs, authentication etc.

What I want to achieve:

  1. API in Laravel, consumed only by my apps
  2. Frontend made with ReactJS, served from the same Laravel app, in the same domain
  3. In the future there might be some mobile app
  4. Users of React/mobile app have access to some public available resources
  5. Users should be able to register/log in and for example post some articles
  6. Also they should be able to log in with Facebook

So I don't really know what and how to use. I know I can use JWT (https://github.com/tymondesigns/jwt-auth) to authenticate users. Would it be suitable for both the React app (served by Laravel itself) and a future mobile app? Can it be used to log in with Facebook?

What about Laravel Passport? I don't want any third-party apps to consume my API. Or at least I don't care about them. Should I then use Passport for authentication? Is it good for authenticating users or clients?

If I want to protect my API so only my apps could consume it, how do I authenticate them? I can't store client credentials inside client apps...

In this tutorial: http://esbenp.github.io/2017/03/19/modern-rest-api-laravel-part-4/ the author writes about authenticating users on different clients. He writes about distinguishing clients and not storing the client's id/secret directly in the client app. He proposes to create a proxy in the API backend, so the client would communicate with a route like 'api/login' and from there it would be passed to Passport with the client id/secret, but as I understand it this approach makes it impossible to distinguish the clients and actually anybody can hit the 'api/login' route and authenticate regardless of the client app xD

Should I really care about API protection (so that only my apps could consume it) or should I just focus on user authentication with JWT and would that be sufficient?

And what about CSRF? Should I use it with the API or not? It is excluded from the API routes by default and then... https://laravel.com/docs/5.6/csrf here they tell you to automatically attach the CSRF token to every outgoing request in JavaScript applications (in my case I believe it would be React served by Laravel) :)

The more I read the more confused I become.

I really need some clarification and help, because I got stuck. I don't know what and how to use to achieve my goals.

Web Confection:

@matyasmandik jwt-auth will suffice for authentication but not authorisation. Go with Passport. In token-based authentication the client will provide a token generated by jwt-auth or Passport in the header of each request. Your API can easily check the token using middleware.

Because you want multiple clients, desktop and mobile, I would go with a decoupled frontend and not build your ReactJs solution in the same domain as your API. It will make life easier moving forward, but your choice.

Regarding CSRF protection, take a peek at https://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication

Good luck

matysek145:

Thanks for the link

Now I can add another brick to my confusion stack ;)

So what I have read:

  1. You don't need CSRF protection if you DON'T store the JWT in a cookie; store it in localStorage for example
  2. But you don't want to store the JWT in localStorage, because that can make your site vulnerable to XSS
  3. Great, so why don't you store the JWT in a cookie (HttpOnly/Secure)? Perfect, but what about CSRF? Have a CSRF token inside your JWT (according to https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage)

But wait... What's the use of a CSRF token inside a JWT inside a cookie (HttpOnly/Secure)? To me it still sounds vulnerable to CSRF.

And also, isn't the CSRF token related to the user session? And when I build an API with JWT auth, then basically I want to get rid of the session, or what?

I know, I am definitely missing something obvious in that aspect. Maybe I'm tired or something, but please, help with this one ;)

Edit: So this https://stackoverflow.com/questions/38415851/how-to-make-jwt-cookie-authentication-in-laravel seems to be the way to go with storing the CSRF token in the JWT in a cookie (HttpOnly/Secure)?

MuhammadZubair:

I am also working on this type of project and am new to React with Laravel, and the same goes here: the more I read the more confused I am.

I want to log in like in the previous web system, session based. Is it possible and how? Or do we have to do it like you are asking? Kindly need support on a React and Laravel app.

luilliarcec:

I am trying to do the same and if someone has already done it, I would be very grateful if you could help me. I instead want to handle roles and permissions, with React and Laravel.

robertwt7:

I'm currently creating the same web application for intranet purposes. I think that having a decoupled front end and back end would make it easier for future scalability.

I've decided to use Laravel Passport for API authentication for my React app, with Laravel merely working as an API provider.

Will see how this works in the future.
