
ioiofadhil's avatar

How to get something unique from current web auth session? Something like unreadable token that can retrieve the User data

Hi. I'm working with a 3rd party and I want to pass the unique parts of the current web authentication. Is there any way I can retrieve something like that in Laravel?

0 likes
7 replies
ioiofadhil's avatar

@jlrdw So I created an external websocket from scratch using express.js. But I don't want any authentication inside that app. So I'm planning to do something like:

  • Laravel login by form (default authentication)
  • frontend connects to the socket via socket.io, passing some unique data that represents the user session
  • socket endpoint receives it, then hits the Laravel endpoint again with the token (to check permissions, expiry, etc.)
  • Laravel endpoint returns the user state
  • socket continues the service based on the Laravel response

Well, it's kind of a back-and-forth situation, but that's the simplest way (IMO) to have these 2 services interact without any extra layer on the express side. The problem here is, I don't want a random user to inject the "unique" data, so I can't use user_id for it.

jlrdw's avatar

@ioiofadhil what is your flow in your stack? I am guessing you are communicating between a Laravel back end and a Node.js back end; is that the case here?

Have you tried to work with tokens instead of sessions?

What makes you need websockets, is it a chat app?

1 like
ioiofadhil's avatar

@jlrdw Yeah, I was also thinking about an extra token that binds to the web auth session... But if there's a token that already represents the web auth, I want to use it instead of creating a new one.

Yes, you're right. That's my 2 backends working to build a real-time dashboard app. I find the setup of Pusher/Ably confusing and I can't really see what's going on, so... coding the sockets using express is way easier IMO.

ioiofadhil's avatar

@jlrdw e.g.:

Laravel Frontend

```js
const socket = io(socketUrl, {
	query: {token: token()}
});
```

Express Socket Middleware

```js
const verifyAuth = async (socket, next) => {
	console.log('Middleware is running...')
	const headers = {
		"Authorization": "Bearer " + socket.handshake.query.token,
		"X-API-Key": process.env.SOCKET_API_KEY
	}

	// Reject the connection with a uniform error.
	const reject = () => {
		const err = new Error("authentication_error");
		err.data = {type: "authentication_error"};
		next(err);
	};

	// Here's where I want to send the token back to the Laravel backend to re-check the permissions, so Laravel can see the token and read which user it belongs to. I don't want to create any extra logic that connects Express to the DB.
	try {
		const res = await fetch(process.env.BE_ENDPOINT + "/api/verify-token", {headers});
		if (res.status !== 200) {
			reject();
		} else {
			next();
		}
	} catch (e) {
		// Backend unreachable: fail closed instead of leaving the handshake hanging.
		reject();
	}
}
```

I've done this with another project of mine (React as frontend). There, Laravel comes with the Sanctum token by default (randomized and cannot be injected; an attacker must know the SPA token to be able to pretend to be the User). But I can't seem to find the same thing in the web auth (maybe I missed it).

jlrdw's avatar
jlrdw
Best Answer

@ioiofadhil

> But if there's a token that already represents the web auth, I want to use it instead of creating a new one.

Years ago many sites stored and reused the same token, but the idea of refreshing tokens is for security.

I haven't used it, but does Laravel Reverb handle what you need?

It's been a while, so my last experience was using the same token on an API. But you are using websockets.

Have you looked at any of the newer YouTube videos on the subject? I followed one on Node.js recently.

If you do, make sure it's a known good instructor.

https://laravel.com/docs/12.x/reverb

2 likes
ioiofadhil's avatar

@jlrdw Hmm, that's new tech, requires PHP 8.2 or Laravel 10. I'm working on an old project. Sorry for this late information. Well, besides upgrading and making sure everything's fine again, I think creating tokens is the path I prefer to take. Thanks for your suggestion, future projects will use the Reverb architecture for sure. :)
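
An added example, not written by anyone in this thread and not Laravel or Sanctum code: a minimal in-memory model of the "created token" approach the thread ends on, showing what an endpoint like the `/api/verify-token` in the post above would check. The names `issueToken`, `verifyToken` and `revokeSession`, the 60-second lifetime and the `Map` store are assumptions; in the setup discussed this logic would sit on the Laravel side, backed by a database table.

```javascript
// Added example (assumed names and lifetime): an opaque, random token bound to a
// logged-in web session, so the socket never sees a guessable value like user_id.
const crypto = require('node:crypto');

const TTL_MS = 60_000;   // assumed lifetime: just long enough to open the socket
const store = new Map(); // sha256(token) -> { userId, sessionId, expiresAt }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Called for an already authenticated web session. The plaintext token is
// returned once; only its hash is kept, so a leaked store cannot be replayed.
function issueToken(userId, sessionId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits of randomness
  store.set(sha256(token), { userId, sessionId, expiresAt: now + TTL_MS });
  return token;
}

// What the verify endpoint does: look the token up by hash and enforce expiry.
// Returns the user it belongs to, or null for unknown, malformed or expired input.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = sha256(token);
  const rec = store.get(key);
  if (!rec) return null;
  if (now >= rec.expiresAt) {
    store.delete(key); // expired tokens are purged on first use
    return null;
  }
  return { userId: rec.userId };
}

// On logout, drop every token minted for that web session.
function revokeSession(sessionId) {
  let removed = 0;
  for (const [key, rec] of store) {
    if (rec.sessionId === sessionId) {
      store.delete(key);
      removed++;
    }
  }
  return removed;
}
```
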
