Reputation: 8078
After watching the Laracasts video relating to Passport, I understood that Passport is used to authenticate our own API. Still, I have confusion regarding Passport:
1. How do I validate authentication requests for GET, POST, PUT and DELETE? Suppose I pass the token in my GET URL; a user can easily see and use that token.
2. Can I restrict the number of requests a particular user can make to my API?
3. If anyone decodes the Android app, they can use that API token. In this case, how can we protect it?
If anything is wrong in my question, please forgive me. I am not very comfortable with Passport and API routing in Laravel 5.3.
Thank you
Upvotes: 2
Views: 3892
Reputation: 3073
Passport is built on top of the League OAuth2 server; you should get familiar with it if you want to go in depth, and read up on security regarding OAuth2 (it's a bit out of scope for a question here). To keep it simple, use the built-in functionality in Laravel 5.3 and SSL/TLS on the server to secure the communication between the app and the server, and you'll most probably be fine unless you do some really strange stuff. OAuth2 is really robust and is used by many major players in the field, so don't worry too much about the security.
It might be a bit strange to get a grip on having to pass a token with each request if you're used to traditional ways of authentication. There is a really good article about it on Scotch which explains how it works: The Ins and Outs of Token Based Authentication
You can protect routes using middleware. Passport includes an authentication guard that validates the access tokens on incoming requests. Example:
Route::get('/api/user', function () {
//
})->middleware('auth:api');
There is rate limiting built into Laravel that limits the rate at which any API requester can make requests. As you might have guessed, you should also use a middleware for this; for Laravel it's the throttle middleware. Example code (with /api as prefix):
Route::group(['prefix' => 'api', 'middleware' => 'throttle'], function () {
Route::get('user', function () {
return Person::all();
});
});
The default throttle is 60 attempts per minute, and it disables access for a minute if the user hits the limit.
If you make a request to this route, you will now see the following lines in the response header:
HTTP/1.1 200 OK
... other headers here ...
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
You can of course customize the throttle middleware; if you want to limit it to 10 attempts per minute, this is how you would do it:
Route::group(['prefix' => 'api', 'middleware' => 'throttle:10'], function () {
Route::get('user', function () {
return User::all();
});
});
You can also add a second parameter which decides the number of minutes until they can try again; you would use 'throttle:10,10' instead.
Upvotes: 3
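Putting the two pieces of the answer above together (the auth:api guard and the throttle middleware) in one routes/api.php, as an added example that is not code from the original answer. It assumes Passport is installed, that config/auth.php sets the api guard's driver to passport as the Passport setup instructs, and that the User model uses Passport's HasApiTokens trait; the /v1 prefix, the route names and the request limits are made up for illustration.

```php
<?php
// routes/api.php (Laravel 5.3). Added example; assumes the 'api' guard in
// config/auth.php uses the 'passport' driver and App\User uses HasApiTokens.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Public endpoint: no token required, but still rate limited so that an
// unauthenticated client cannot hammer it (30 requests per minute, 1 minute lockout).
Route::group(['prefix' => 'v1', 'middleware' => 'throttle:30,1'], function () {
    Route::get('status', function () {
        return response()->json(['ok' => true]);
    });
});

// Protected endpoints: a valid Passport access token is required (auth:api).
// The token guard reads the token from the "Authorization: Bearer <token>"
// header, so it never has to appear in a URL, for GET or any other verb.
// Every request on this group is also limited to 10 per minute (throttle:10,1).
Route::group(['prefix' => 'v1', 'middleware' => ['auth:api', 'throttle:10,1']], function () {
    // GET: read the authenticated user resolved from the token.
    Route::get('user', function (Request $request) {
        return $request->user();
    });

    // PUT: update a field on the authenticated user only.
    Route::put('user', function (Request $request) {
        $user = $request->user();
        $user->name = $request->input('name', $user->name);
        $user->save();

        return $user;
    });

    // DELETE: revoke every token issued to this user, which is the response
    // when a token is believed to have leaked (for example from a decompiled app).
    Route::delete('user/tokens', function (Request $request) {
        $request->user()->tokens()->each(function ($token) {
            $token->revoke();
        });

        return response()->json([], 204);
    });
});
```

Two things to verify before relying on this: the key the throttle counts against (client IP versus authenticated user) is decided by how the installed version of Illuminate\Routing\Middleware\ThrottleRequests resolves the request signature, so check that class rather than assuming per-user limits; and the 429 response Laravel returns once the limit is hit carries the same X-RateLimit-* headers shown above, which is the signal to watch for in the client.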
Reputation: 2080
Illuminate\Routing\Middleware\ThrottleRequests class.
client_id and client_secret in a mobile app.
Upvotes: 3