Hi @MickBee, when you say "connect to the one belonging to the application", do you mean that you already have another application with the users table and that you need the Lumen API to run on the same set of users?
Lumen API Token Authentication
Hi,
I am just looking at securing my new API. It is internal, so we are just using a token in the headers.
I was reading this: http://www.php-dev-zone.com/2018/02/lumen-rest-api-authentication.html
This suggests that the API has access to a users table. Is that correct? Should it have its own users table, or connect to the one belonging to the application?
Cheers,
Mick
Yes @salmon, we have an existing Laravel web application which users log into.
We are now developing a Lumen API, and the same set of users will use the API.
Thanks,
Mick
Hi @MickBee, there might be better solutions out there, but I would look into the following.
Can the existing API handle authentication for you and then make all API calls to the new Lumen API? If you don't need the users to interact with the new Lumen API, you can get away with configuring the new Lumen API so that it only accepts calls from your current API (which should only allow authenticated users).
You can alternatively look into something like Auth0 if you want to use token user authentication over multiple APIs.
Or you can port the users table over to the new Lumen API, but that means you will have to maintain both which is not ideal.
Thanks @salmon
"Can the existing API handle authentication for you and then make all API calls to the new Lumen API?"
The existing application is not an API, it is a full Laravel application, so yes, it can handle the auth.
"If you don't need the users to interact with the new Lumen API, you can get away with configuring the new Lumen API so that it only accepts calls from your current api"
Users do not interact with the API, only the application does.
So, yes, configuring the Lumen API, to only accept calls from authenticated users sounds perfect. Where do I start with that?
You can clamp down on who has access to your new Lumen API using your .htaccess:
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    <IfModule mod_headers.c>
        # Only emit the CORS header when the request's Origin matches the current application's host;
        # $0 is the whole matched Origin value
        SetEnvIf Origin "http(s)?://([^.]+\.)?(current_api.(com|local))(:8080)?$" AccessControlAllowOrigin=$0
        Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
        Header set Access-Control-Allow-Credentials true
    </IfModule>

    RewriteEngine On

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ / [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
You need to look at the IfModule mod_headers.c part above and update your details accordingly.
I also had to configure Apache in my Docker image to enable the headers mod, but I am not sure if you need it.
RUN a2enmod headers
In my case I was passing tokens as well, so you might not need the # Handle Authorization Header part; that was only there because it was handling my authentication.
Once this is set up, no other origin should be able to access it.
Here is some more info on getting your Access-Control-Allow-Origin setup.
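Since the original question was about a token in the headers, here is an added example (not code from this thread, from Lumen, or from the linked article) of the server-side check that goes with the "Handle Authorization Header" rewrite rule above: a Lumen middleware that rejects any request whose Authorization header does not carry the shared secret the Laravel application was given. Two practitioner notes: the Origin/CORS headers in the .htaccess are only enforced by browsers, so a server-to-server call from the Laravel application is neither restricted nor authenticated by them, and the shared-secret check below is what actually gates access; and the comparison uses hash_equals so that response timing does not reveal how many leading bytes of a guessed token were correct. The class name App\Http\Middleware\ApiTokenMiddleware, the route-middleware alias auth.token and the environment variable API_TOKEN are assumptions for illustration.

```php
<?php
// app/Http/Middleware/ApiTokenMiddleware.php  (added example, hypothetical names)
//
// Requires "Authorization: Bearer <secret>" on every request routed through it.
// The secret is read from the API_TOKEN environment variable (an assumed name);
// the Laravel application is configured with the same value and sends it on each call.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ApiTokenMiddleware
{
    public function handle(Request $request, Closure $next)
    {
        // Expected secret; an unset variable yields '' and is rejected below,
        // so a misconfigured deployment fails closed instead of open.
        $expected = (string) env('API_TOKEN', '');

        // bearerToken() parses "Authorization: Bearer <token>". Under Apache with
        // PHP-FPM/CGI the header is dropped unless the .htaccess rule that copies
        // it into HTTP_AUTHORIZATION is present.
        $provided = (string) $request->bearerToken();

        if ($expected === '' || $provided === '') {
            return $this->deny();
        }

        // Constant-time comparison: a plain === or == short-circuits on the first
        // differing byte, which leaks information through response timing.
        if (!hash_equals($expected, $provided)) {
            return $this->deny();
        }

        return $next($request);
    }

    private function deny()
    {
        // Generic message: do not tell the caller whether the token was missing,
        // malformed or merely wrong.
        return response()->json(['error' => 'Unauthorized'], 401);
    }
}
```

To wire it up in Lumen, register the alias in bootstrap/app.php with `$app->routeMiddleware(['auth.token' => App\Http\Middleware\ApiTokenMiddleware::class]);` and wrap the API routes in routes/web.php with `$router->group(['middleware' => 'auth.token'], function () use ($router) { ... });`. On the Laravel side, the call then carries the same secret, for example with Guzzle: `$client->get('reports', ['headers' => ['Authorization' => 'Bearer ' . env('LUMEN_API_TOKEN')]]);`. Generate the secret once with something like `openssl rand -hex 32`, keep it only in the two applications' environment files, and rotate it by updating both sides together.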