bagisto / bagisto-docs

Bagisto Development and API Documentation:
https://devdocs.bagisto.com

API Authentication issues #282

Closed wontone18 closed 3 years ago

wontone18 commented 3 years ago

Hi

I have noticed something in the Bagisto API: if a user is authenticated and has a token, then when we go to access their customer or profile details, the header details are correct, but it also needs a token variable passed through the body. If we are not passing this token variable, then it gives a "customer login" error in Postman.

https://prnt.sc/1renzjb

https://prnt.sc/1reo263

Normally, if the customer details are fetched after the user's authentication via a "GET" route, that needs only the header, not any body variable "token".

devansh-webkul commented 3 years ago

This is not token-based authentication. This is session-based authentication. For activating token-based authentication, you need to pass the token query string as true in the URL.

Laravel detects cookies for session management, and in the case of Postman, Postman is sending all the saved cookies for you automatically, which gives you the current user saved in the session.

wontone18 commented 3 years ago

> This is not token-based authentication. This is session-based authentication. For activating token-based authentication, you need to pass the token query string as true in the URL.
>
> Laravel detects cookies for session management, and in the case of Postman, Postman is sending all the saved cookies for you automatically, which gives you the current user saved in the session.

If it's not token-based auth, then what's the purpose of making a login?token=true? Tokens are not passed through the query string, bro. That I have already seen, and I mentioned above that you are passing the token in the body. This is actually a wrong method. I have made React and Laravel back-end applications, and I can show you with a running example.

If my login is on, it assigns a token, and if I need any resource through the 'GET' method, then the header is always pushed with the token. This is how a normal API works. Normally we use this in a mobile app (local storage) and the same in a React app (local storage).

If you want a video with an example, I can show you my Laravel API as a back end and your API example.

devansh-webkul commented 3 years ago

Hi there,

I think you misunderstood me. Please check this doc, https://devdocs.bagisto.com/1.x/api/getting-started-with-the-api.html#jwt-authentication

wontone18 commented 3 years ago

> Hi there,
>
> I think you misunderstood me. Please check this doc, https://devdocs.bagisto.com/1.x/api/getting-started-with-the-api.html#jwt-authentication

Devansh, I have not misunderstood you :). I already read that doc.

See how we do it in React, and if you are a mobile app developer:

1. Once the token is received from the API, we only save the token, either in the session or in the mobile app storage.
2. If we require any resource, then we pass the token only in the header, not as a variable in the body, if it's a GET method.

Take the example below. It's React code, but the back-end API is Laravel. I am not passing anything in the query, nor anything in the body. Laravel by default checks the header bearer token; if it's not there, then the token variable (this is not the best approach).

```javascript
import axios from "axios";

// Config.API_INVOICe_LIST, api_token, state and setstate come from the
// surrounding React component; the JWT travels only in the Authorization header.
axios.get(Config.API_INVOICe_LIST, {
    headers: {
      "content-type": "application/json",
      "Authorization": "Bearer " + api_token
    },
  })
  .then(function (response) {
    var responsedata = JSON.parse(JSON.stringify(response));
    // setPost(responsedata.data);
    setstate({
      ...state,
      data: responsedata.data
    });
  })
  .catch(function (error) {
    // handle error
    console.log(error);
  })
  .then(function () {
    // always executed
  });
```

But in your case the token has to be passed through the body while including the header as well. If the body token is also wrong, it still gives a result, because the header is passing the token.

Go through this screenshot (1, 2 and 3):

https://prnt.sc/1rgicsp

Even your documentation mentions things very correctly, that we need to pass it through the header to get the customer details. But it should also mention that we have to pass the variable token in the body. But whoever made that doc, he/she is correct about the API. That's how it works.

devansh-webkul commented 3 years ago

The expected behaviour of the token which is in the body is only for checking whether it is true or false. But in the code, as I am seeing it, it is only checking that the body has the token key; then it will activate the JWT guard:

https://github.com/bagisto/bagisto/blob/797916ccf4ed896d9a9ce076941df3daeda330f2/packages/Webkul/API/Http/Controllers/Shop/AddressController.php#L38

We are using the proper JWT protocol and the token is passed in the header. The token key which is in the body is for checking the guard.

You need to pass it like this:

Config.API_INVOICe_LIST + '?token=true'

Currently, this is the default behaviour. We have given both options, via JWT and the normal Laravel session. Maybe in future we will remove the customer one, but that needs to be discussed with the team.

wontone18 commented 3 years ago

You are still not getting what I am saying :). I can easily understand that you have a check for the token: request()->has('token').

I am saying I can pass anything, even token = false, and it will work fine, because I am passing the token through the header.

https://prnt.sc/1rgicsp

I passed ?token=hellowen instead of token=true, and it also works fine because the header has a bearer token.

Config.API_INVOICe_LIST + '?token=true': this approach is wrong. We should not use the query string in an API.

https://www.fullcontact.com/blog/2016/04/29/never-put-secrets-urls-query-parameters/ (never put secrets in an API URL)

devansh-webkul commented 3 years ago

> But in the code, as I am seeing it, it is only checking that the body has the token key; then it will activate the JWT guard,

I already told you about that. It will get activated when it finds the key, and I agree with you. But in the query params we are not sending any secret keys.

Config.API_INVOICe_LIST -> Session Guard
Config.API_INVOICe_LIST + '?token=true' -> JWT Guard

The only thing I can do is to restrict the parsing of the boolean key to true and false only.
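The guard selection described in the two comments above (any `token` key in the request input activating the JWT guard, and the proposed restriction to true/false), as an added example in JavaScript that is not Bagisto's code and not part of this thread. `tokenInput`, `selectGuardCurrent`, `selectGuardStrict`, `buildCustomerRequest` and `urlLeaksToken` are hypothetical names; the `/api/customer/get` path and the sample JWT are assumptions made for the example. The point it shows: with presence-only checking, `?token=hellowen` and a body `{"token": false}` both land on the JWT guard, while the strict variant accepts only a boolean flag, and the JWT itself never leaves the Authorization header.

```javascript
// Added example, not Bagisto code. Models the guard switch discussed in this
// thread; all function names and the endpoint path are assumptions.

// Collect the "token" key from the query string and the JSON body, the way
// Laravel's request()->has('token') sees both sources as one input bag.
function tokenInput(url, body) {
  const query = new URL(url, "http://localhost").searchParams;
  if (query.has("token")) {
    return { present: true, value: query.get("token") };
  }
  if (body && Object.prototype.hasOwnProperty.call(body, "token")) {
    return { present: true, value: body.token };
  }
  return { present: false, value: undefined };
}

// Behaviour described above: any "token" key, whatever its value,
// activates the JWT guard; absence falls back to the session guard.
function selectGuardCurrent(url, body) {
  return tokenInput(url, body).present ? "jwt" : "session";
}

// Restriction proposed above: only a boolean flag selects a guard.
// Any other value is rejected instead of being silently treated as "true".
function selectGuardStrict(url, body) {
  const { present, value } = tokenInput(url, body);
  if (!present) return "session";
  const isTrue = value === true || value === "true" || value === "1";
  const isFalse = value === false || value === "false" || value === "0";
  if (isTrue) return "jwt";
  if (isFalse) return "session";
  throw new Error("invalid value for token flag: " + JSON.stringify(value));
}

// Client side: the JWT goes only in the Authorization header; the query
// string carries nothing but the non-secret guard flag.
// "/api/customer/get" is an assumed path for this example.
function buildCustomerRequest(baseUrl, apiToken) {
  const u = new URL("/api/customer/get", baseUrl);
  u.searchParams.set("token", "true");
  return {
    method: "GET",
    url: u.toString(),
    headers: {
      "Content-Type": "application/json",
      Authorization: "Bearer " + apiToken,
    },
  };
}

// Sanity check for the client: the JWT must never appear in the URL
// (it would end up in server logs, proxies and browser history).
function urlLeaksToken(url, apiToken) {
  return url.includes(apiToken);
}

// Stand-alone demonstration with a constructed sample token.
const sampleJwt = "eyJhbGciOiJIUzI1NiJ9.sample.payload";
console.log(selectGuardCurrent("/api/customer/get?token=hellowen", null)); // jwt
console.log(selectGuardCurrent("/api/customer/get", { token: false }));    // jwt
console.log(selectGuardStrict("/api/customer/get?token=false", null));     // session
console.log(buildCustomerRequest("https://shop.example", sampleJwt).url);
```

The strict variant keeps the flag in the query string, which is what the comment above proposes; moving the flag to the JSON body, as suggested later in the thread, only changes where `tokenInput` reads it from, not the boolean check.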

devansh-webkul commented 3 years ago

Moreover, I will discuss this with the team and try to give JWT only.

wontone18 commented 3 years ago

> But in the code, as I am seeing it, it is only checking that the body has the token key; then it will activate the JWT guard,
>
> I already told you about that. It will get activated when it finds the key, and I agree with you. But in the query params we are not sending any secret keys.
>
> Config.API_INVOICe_LIST -> Session Guard
> Config.API_INVOICe_LIST + '?token=true' -> JWT Guard
>
> The only thing I can do is to restrict the parsing of the boolean key to true and false only.

That's good, restrict it only to true and false; that is what I am saying above. But with the JSON body, not with the query.

devansh-webkul commented 3 years ago

Alright, I am closing this. Currently, you can use it like this: ?token=true for the JWT guard, and without the token for the session guard. We will enhance this in the upcoming version.