
Jord's avatar
Level 9

Where to store client credentials when using Laravel Passport on API?

Working on a project. I have a Laravel folder which is the backend API and another folder with a Vue.js app.

Usually I would use JWT for auth and may still go back there, but I wanted to try to use as many of the official Laravel packages as possible.

My problem is that the online tutorials I have looked at all seem to store the client secret key from Laravel Passport in the JS, which would mean that if someone inspected the app.js file it could be seen. I know CORS can restrict where the request can be accepted from, but it just doesn't seem right to have the client secret key stored where the public can access it.

Where is the best place to store the client secret key etc.? Is there some part of the Laravel Passport package I am missing when reading the docs?

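A build-time check for the concern raised in the question above, as an added example that is not part of the original thread: it scans the text of a compiled front-end bundle for a hard-coded `client_secret` literal. The function names, the sample bundle and the secret value in it are constructed for illustration.

```javascript
// Added example: detect an OAuth client secret embedded in a front-end bundle.
// Matches client_secret / clientSecret followed by ':' or '=' and a quoted literal.
// References such as process.env.X or a variable name are not flagged.
const SECRET_ASSIGNMENT =
  /["']?\b(client_secret|clientSecret)\b["']?\s*[:=]\s*(["'`])((?:\\.|(?!\2).)*)\2/g;

// Never echo the full secret into build logs.
function mask(value) {
  return value.length <= 4 ? '****' : value.slice(0, 2) + '***' + value.slice(-2);
}

function findEmbeddedClientSecrets(bundleText) {
  const findings = [];
  for (const m of bundleText.matchAll(SECRET_ASSIGNMENT)) {
    const value = m[3];
    if (value.length === 0) continue; // empty literal: nothing embedded
    // Location is derived from the match offset, so a minified
    // single-line bundle still yields a usable column.
    const before = bundleText.slice(0, m.index);
    const line = before.split('\n').length;
    const column = m.index - (before.lastIndexOf('\n') + 1) + 1;
    findings.push({ key: m[1], line, column, preview: mask(value) });
  }
  return findings;
}

// Constructed sample: a minified password-grant call of the kind the
// question describes, plus a line that only references a variable.
const SAMPLE_BUNDLE = [
  'const api="https://api.example.test";',
  'axios.post(api+"/oauth/token",{grant_type:"password",client_id:2,' +
    'client_secret:"CONSTRUCTED-not-a-real-secret",username:u,password:p});',
  'const cfg={client_secret:process.env.SECRET};',
].join('\n');

for (const f of findEmbeddedClientSecrets(SAMPLE_BUNDLE)) {
  console.log(`${f.key} literal at ${f.line}:${f.column} (${f.preview})`);
}
```

Run it over the contents of the built app.js and fail the build when the returned array is not empty.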
Jord's avatar
Level 9

Thanks for the link.

I understand how to set up Laravel Passport; I am looking for advice on where to store the client secret key when the front end is not on the same server.

In the article the client secret key is not an issue as the request is coming from the same domain / server.

ejdelmonico's avatar

Personally, I use a secure cookie. There is an easy-to-use package called js-cookie that works well for front-end storage. Just do not use localStorage for the token because anyone can see it.
