Closed yushkevichv closed 5 years ago
Hi there,
Thanks for reporting but it looks like this is a question which can be asked on a support channel. Please only use this issue tracker for reporting bugs with the library itself. If you have a question on how to use functionality provided by this repo you can try one of the following channels:
Thanks!
@driesvints It was a feature request for an Auth guard for a client without a user. At the moment Laravel Passport doesn't have this feature.
When I wrote the issue, I chose feature request. What's wrong?
Ah, from the way you asked your questions it seemed to me that you were asking how to do a certain something.
At the moment we don't support guest users and this makes little sense to me for something like Passport/OAuth2 whose sole purpose is to authenticate a user. So I don't think this is something we'd consider supporting, sorry.
Here's some more info btw. Maybe the client credentials grant is the closest thing you're looking for? https://stackoverflow.com/questions/37203307/oauth-for-anonymous-users
@driesvints Ok. But you support implicit grant tokens. I think it should be used for this reason.
I authenticate app requests by token, but right now it is very dirty. In middleware I use something like this:
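    try {
        $bearerToken = $request->bearerToken();
        // Decodes the JWT and reads its jti header; parse() does not verify the signature.
        $tokenId = (new \Lcobucci\JWT\Parser())->parse($bearerToken)->getHeader('jti');
        // Look up the Passport token record by id; findOrFail() throws if it is missing.
        $token = \Laravel\Passport\Token::findOrFail($tokenId);
    } catch (\Exception $e) {
        return response('Unauthenticated', 401);
    }
    $request->token = $token ?? null;
    return $next($request);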
And in every controller I get client_id via $request->token->client_id. I created a service with the method
    public function getClientId(\Illuminate\Http\Request $request)
    {
        return $request->token->client_id ?? null;
    }
and mock it for testing. But I think it is bad.
Right now your clients migration has a nullable user_id field. And I think it is a real case. So I think it would be great if I could authenticate a client by guard.
If you are not planning to support this, what would you say about a PR?
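A middleware that validates the bearer token through the OAuth2 resource server (signature, expiry, revocation) before exposing the client id, rather than only decoding the JWT; this is an added example, not code from the thread or from Passport. The class name `ResolveOAuthClient` is hypothetical, and the PSR-7 conversion assumes `nyholm/psr7` and `symfony/psr-http-message-bridge` are installed.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\AuthenticationException;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\ResourceServer;
use Nyholm\Psr7\Factory\Psr17Factory;
use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory;

// Hypothetical middleware name; not part of Laravel Passport.
class ResolveOAuthClient
{
    /** @var ResourceServer */
    private $server;

    // Passport's service provider registers ResourceServer in the container.
    public function __construct(ResourceServer $server)
    {
        $this->server = $server;
    }

    public function handle($request, Closure $next)
    {
        // Convert the Laravel request to PSR-7, which the resource server expects.
        $factory = new Psr17Factory;
        $psr = (new PsrHttpFactory($factory, $factory, $factory, $factory))
            ->createRequest($request);

        try {
            // Verifies the JWT signature and expiry and rejects revoked tokens.
            $psr = $this->server->validateAuthenticatedRequest($psr);
        } catch (OAuthServerException $e) {
            throw new AuthenticationException;
        }

        // These attributes are set by the resource server only after validation passed.
        $request->attributes->set('oauth_client_id', $psr->getAttribute('oauth_client_id'));
        $request->attributes->set('oauth_access_token_id', $psr->getAttribute('oauth_access_token_id'));

        return $next($request);
    }
}
```

Controllers behind this middleware can read the client with `$request->attributes->get('oauth_client_id')`.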
I'm sorry but at the moment I don't see a use case for this. If more people would be requesting this then we could maybe reconsider.
Simplest example: an ecom mobile app. Useful use case: a user downloads the app and starts using it. He puts some products in the basket and checks out. Also, he can use fast order without registering (a simpler way for the user) or register to participate in some loyalty program, for example. In this case, we can work with baskets for different guest users and register them after checkout, if needed. I don't think that this is the only such case in mobile apps.
In your case, we impose a restriction and don't allow using fast order or the basket without auth.
Or maybe there is a more beautiful workaround for this case?
I don't understand why this doesn't exist in Laravel. This feature just mimics the functionality Laravel has in the browser, with the CSRF token and a session created for guest users. The problem in a mobile application is that you run into the cross-site restriction, so you have to use the API routes, but that comes with another problem: it doesn't create a session. There's no way Laravel knows what type of user is using the site or who the user is. Therefore, you use Laravel Passport to mitigate this problem, but it creates another problem: it's hard to implement it for users that don't log in, i.e. the guest users. I think the only way to go about this is to add functionality to the existing Laravel Passport, as @yushkevichv has stated.
Hi!
I found a similar old discussion at https://stackoverflow.com/questions/44145080/laravel-passport-get-client-id-by-access-token, but I cannot find an out-of-the-box solution.
What about authenticating clients for guest users?
For example, I have an ecommerce mobile app in which users, both authenticated and guest, can add products to their personal basket. If the user is authenticated, I can use a guard and know more information about them. It is great. But what about a guest? Right now for guests I use https://laravel.com/docs/5.8/passport#implicit-grant-tokens. It is also ok, I can create a client by device uuid and generate a unique access token for it. In my Cart model I use the client_id field to relate it. Right now I use a workaround of adding a custom client_id variable in middleware. And I cannot use some Auth or Guard methods.
I cannot find how I can authorize a client by guard. Also, I have dirty tests for it with mocks, because I cannot use ActingAs($clientId).
I read about https://laravel.com/docs/5.8/authentication#the-authenticatable-contract, but it is not for this case. I cannot implement this interface for Laravel\Passport\Client and I think it is the wrong way.
How should I work with the auth middleware and guard for clients? Maybe there is another way or a workaround?