Reputation: 6986
I am currently porting a codebase to a more RESTful pattern so that I can run a mobile app and a web application from a single API.
I know Laravel 5.3 now implements Laravel Passport, but how can I consume my own API, i.e. a user signs up, gets an authentication token / API token, and then each request to the server is checked against that token? So far I have the following in my API routes:
    Route::group(['middleware' => 'auth:api'], function () {
        Route::get('classes', 'ClassController@index');
        Route::get('classes/{id}', 'ClassController@show');
        Route::post('classes', 'ClassController@create');
        Route::put('classes', 'ClassController@edit');
        Route::delete('classes', 'ClassController@destroy');
    });
In my Http/Kernel.php I have added

    \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class

to my $middlewareGroups array.
So how do I generate an authentication key for my user, i.e. when they log in, how do I add a token to that user?
Upvotes: 4
Views: 2615
Reputation: 91
I'm answering this for future users who come here because their API is responding "not authenticated" while trying to consume their own API.
OP's question: "So how do I generate an authentication key for my user, i.e when they login how do I add a token to that user?"
Answer: If you consume your own API via the CreateFreshApiToken middleware, you don't need to generate a special authentication key / token. The authentication is done via the "laravel_token" cookie, which is appended to your responses when adding the CreateFreshApiToken middleware.
This embedded token is decrypted by Passport when it receives a request carrying this cookie.
For people who still get the "not authenticated" message after following all steps from the docs for consuming their own API:
The whole concept won't work if the Laravel middleware Illuminate\Cookie\Middleware\EncryptCookies is not defined for your route groups. This information is not provided by the docs. It totally makes sense though. The cookie can't be decrypted if it was never encrypted, so there will always be a DecryptException in the TokenGuard provided by Passport.
This middleware is by default configured for all requests, looking something like this in your Kernel.php:
    class Kernel extends HttpKernel
    {
        /**
         * The application's global HTTP middleware stack.
         *
         * These middleware are run during every request to your application.
         *
         * @var array
         */
        protected $middleware = [
            \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
            \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
            \App\Http\Middleware\TrimStrings::class,
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
        ];
    }
If it's not, you should add it.
Hope I could help some folks landing here after hours with tears in their eyes.
Upvotes: 3
Reputation: 56
To consume your own API with another frontend framework, you'll need to add a request header to each AJAX request: set the header X-CSRF-TOKEN equal to the CSRF token for that page.
E.g., with JavaScript:
    $.ajax({
        url: $url,
        headers: {'X-CSRF-TOKEN': Laravel.csrfToken},
        type: $type,
        dataType: $dataType,
        async: $async,
        data: $data,
    });
Upvotes: 0
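A fetch-based version of the header approach from the answer above, added here as an example (it is not part of any answer on this page). `buildApiRequest` and `callApi` are hypothetical helper names; the code assumes the page exposes the token as `Laravel.csrfToken`, as in the jQuery snippet, and it refuses cross-origin URLs so the CSRF token is only ever sent to the application's own origin.

```javascript
// Added example: builds fetch() arguments for calling your own Laravel API
// from a page served by the same application.
// Assumption: the CSRF token is available as Laravel.csrfToken (as in the
// jQuery snippet). buildApiRequest and callApi are hypothetical helpers.

function buildApiRequest(url, { method = 'GET', data, csrfToken, pageOrigin }) {
  const target = new URL(url, pageOrigin);
  // The laravel_token cookie belongs to the application's origin, and the CSRF
  // token should never be disclosed to another one, so refuse anything else.
  if (target.origin !== new URL(pageOrigin).origin) {
    throw new Error(`refusing cross-origin API call to ${target.origin}`);
  }
  if (!csrfToken) {
    throw new Error('no CSRF token available for the X-CSRF-TOKEN header');
  }
  const headers = {
    'Accept': 'application/json',
    'X-CSRF-TOKEN': csrfToken,
  };
  // 'same-origin' makes the browser attach cookies (including laravel_token)
  // only when the request goes to the page's own origin.
  const init = { method: method.toUpperCase(), headers, credentials: 'same-origin' };
  if (data !== undefined && init.method !== 'GET') {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(data);
  }
  return { url: target.href, init };
}

// Browser usage: the cookie is attached by the browser, not by this script.
async function callApi(url, options = {}) {
  const req = buildApiRequest(url, {
    ...options,
    csrfToken: globalThis.Laravel && globalThis.Laravel.csrfToken,
    pageOrigin: globalThis.location.origin,
  });
  const res = await fetch(req.url, req.init);
  if (res.status === 401) {
    // Causes discussed on this page: no laravel_token cookie was issued, or
    // the cookie did not pass through the EncryptCookies middleware.
    throw new Error('401 from own API: check CreateFreshApiToken and EncryptCookies');
  }
  return res.json();
}
```

In a browser, `callApi('/api/classes')` replaces the `$.ajax` call; `buildApiRequest` is kept separate so the header and origin logic can be unit-tested without a DOM.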