huwcarwyn / react-laravel-boilerplate

A Laravel REST API backend with React/Redux, hot module reloading in development and route-level code splitting
MIT License
172 stars 43 forks

Did you try to separate the frontend into a different project? #9

Closed nicolasflorth closed 6 years ago

nicolasflorth commented 6 years ago

What would you do differently if you were to separate the frontend into a different project? I think X-CSRF-TOKEN is no longer needed if axios is used with preflight on the frontend. ...and I am a bit confused about how you use Passport (I came to your git specifically for this problem I have). I can't find where you set the Authorization header based on the access_token from oauth/token, but I see that on login you use csrfToken as in:

```php
if ($this->auth->attempt($loginInfo)) {
    $apiCookie = $this->cookie->make($this->auth->user()->getKey(), $csrfToken);

    return $this->response->success($this->repository->currentUser())->withCookie($apiCookie);
}
```

Cheers!

huwcarwyn commented 6 years ago

So for this project I decided to create an API that my own project could consume, and I initially set out to authenticate my app with the API via the OAuth password grant type.

However, looking at this section of the Laravel docs told me that a much simpler way to do this would be to use the JWT identifier that Passport provides, and sending that cookie along with every request to the API.

The usual method of doing this that the docs describe is by wrapping your web routes in the CreateFreshApiToken middleware. This ensures that the laravel_token cookie is always set/refreshed. However this would require a full refresh between login/signup and visiting the app for the middleware to provide the token.

My solution was to look at how Passport creates this cookie internally; I found that it was done via the Laravel\Passport\ApiTokenCookieFactory class. So I inject this class into my LoginService and then return a 200 response with the laravel_token cookie created by this class to identify my user.

As for moving the front-end to a different project, I think you could still use this set-up as long as the production domain for the front-end and back-end are the same, since that would allow you to share the laravel_token cookie. You would still need the CSRF token as Passport requires this token to construct the JWT.

I have yet to implement a full OAuth service on this project. I will in the future, but right now I want to focus on other aspects of the project.
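The flow described in the comment above, written out as an added illustration (this is not the boilerplate's own LoginService code, and it is not code by the commenter). It assumes a Laravel 5.x application with Passport installed, a route inside the `web` middleware group (so the session and `VerifyCsrfToken` are active), and the `guard('web')`, `StatefulGuard` and `Auth\Factory` contracts that Laravel ships; the controller name, route and JSON shape are invented for the example. The `ApiTokenCookieFactory::make($userId, $csrfToken)` call and the `laravel_token` cookie name are Passport's; the point to notice is that the session's CSRF token is baked into that JWT, which is why the API client must keep sending it in `X-CSRF-TOKEN` even though the request carries no `Authorization` header.

```php
<?php
// Added example, not the project's code: issue Passport's laravel_token cookie
// straight from the login action instead of relying on the CreateFreshApiToken
// middleware, so the SPA can call /api routes right after login without a reload.
//
// Assumptions (not stated on the page): Laravel 5.x + Passport, route in the
// `web` middleware group, guard name `web`. Class/route names are invented.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Contracts\Auth\Factory as AuthFactory;
use Illuminate\Contracts\Auth\StatefulGuard;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Laravel\Passport\ApiTokenCookieFactory;

class SpaLoginController extends Controller
{
    /** @var StatefulGuard */
    private $guard;

    /** @var ApiTokenCookieFactory */
    private $cookieFactory;

    public function __construct(AuthFactory $auth, ApiTokenCookieFactory $cookieFactory)
    {
        // The session guard does the credential check; Passport's TokenGuard
        // later authenticates /api requests from the cookie it will receive.
        $this->guard = $auth->guard('web');
        $this->cookieFactory = $cookieFactory;
    }

    public function login(Request $request): JsonResponse
    {
        $credentials = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        if (! $this->guard->attempt($credentials)) {
            // Generic message: do not reveal whether the e-mail exists.
            return response()->json(['message' => 'Invalid credentials.'], 422);
        }

        // Rotate the session ID on privilege change (session fixation defence).
        // In Laravel 5.6+ this also rotates the CSRF token, so read it afterwards.
        $request->session()->regenerate();
        $csrfToken = $request->session()->token();

        // Passport signs a JWT {sub: user id, csrf: token, expiry} with APP_KEY and
        // wraps it in an HttpOnly cookie named Passport::cookie() ("laravel_token").
        $apiCookie = $this->cookieFactory->make(
            $this->guard->user()->getAuthIdentifier(),
            $csrfToken
        );

        // Return the (possibly rotated) CSRF token in the body: the SPA must send it
        // as X-CSRF-TOKEN on every /api call, because Passport's TokenGuard compares
        // the header against the `csrf` claim inside the cookie's JWT.
        return response()
            ->json([
                'user'       => $this->guard->user(),
                'csrf_token' => $csrfToken,
            ])
            ->withCookie($apiCookie);
    }
}
```

Two practical notes on this design. The cookie is scoped to the host that set it, so a separately deployed frontend only works while it is served from the same site as the API (which is the constraint the comment above describes); an API on another origin would need the OAuth bearer-token route instead. And because the JWT is bound to the session's CSRF token, logging out should both clear `laravel_token` and invalidate the session, otherwise a copy of the cookie stays valid until its expiry.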

huwcarwyn commented 6 years ago

Closing this but feel free to ask more here