laravel / sanctum

Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs.
https://laravel.com/docs/sanctum
MIT License

Issue Token #114

Closed espositodaniele closed 4 years ago

espositodaniele commented 4 years ago

Description:

To protect routes so that all incoming requests must be authenticated, you should attach the sanctum authentication guard to your API routes within your routes/api.php file. This guard will ensure that incoming requests are authenticated as either a stateful authenticated request from your SPA or contain a valid API token header if the request is from a third party.

Steps To Reproduce:

I have created a token. This token is for a third-party application built with Vue CLI. I added the token as: axios.defaults.headers.common['Authorization']. I created Token Abilities to check if the user can store data.

Now I'm wondering if there is any security issue. I've attached the token to the header of axios, which is like giving it to the public, so everyone can access it just by opening the console. Is that secure? Maybe I've done something wrong.

Thanks in advance.

clugg commented 4 years ago

Now I'm wondering if there is any security issue. I've attached the token to the header of axios, which is like giving it to the public, so everyone can access it just by opening the console. Is that secure? Maybe I've done something wrong.

Assuming your backend is set up in such a way that users cannot do anything that they shouldn't be able to do, them having access to their own auth token is not an issue. This goes for any website: if you are logged in, you are able to make authenticated requests from the console. There is no inherent issue here unless your backend authorization (roles/permissions) is not up to standard.

espositodaniele commented 4 years ago

Hello @clugg

Think of it as GitHub tokens: I'm giving the user the ability to create their token to use elsewhere in other apps to communicate with their backend. This means that a user can place their tokens in any third-party application. The scope of this token is to place it in a static site inside a form to capture contacts and give them one place to manage them.

This token has only the ability to post to one route and store their contacts coming from static sites. I've also added an ability to it like the documentation suggests and then check it with tokenCan.

There is no other access to the application possible with that token. But I was wondering if it is correct to use it like this or whether it introduces some security vulnerability to my apps.
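The pattern described in this thread, written out as an added example (it is not code from the issue or from the Sanctum project): the user creates a token carrying a single ability, the public route is behind the sanctum guard, and the handler refuses any token that was not issued with that ability. The ability name `contacts:store`, the `contacts()` relationship on the user model, and the request fields are assumptions chosen for illustration.

```php
<?php
// routes/api.php  (added example; ability name, model and fields are assumed)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Issuing the scoped token from an already-authenticated session (e.g. a
// settings page). The plain-text token is returned once; Sanctum stores only
// its hash, so it cannot be recovered from the database later.
Route::middleware('auth:sanctum')->post('/tokens/contact-form', function (Request $request) {
    $token = $request->user()->createToken(
        'static-site-form',     // token name shown to the user
        ['contacts:store']      // the only ability this token will ever have
    );

    return ['token' => $token->plainTextToken];
});

// The route the static site's form posts to. The sanctum guard authenticates the
// request; the throttle middleware limits how fast a leaked token could be abused.
Route::middleware(['auth:sanctum', 'throttle:30,1'])->post('/contacts', function (Request $request) {
    // Reject any token that was not issued with this single ability, so a
    // token embedded in a public page cannot be used against other endpoints.
    if (! $request->user()->tokenCan('contacts:store')) {
        abort(403, 'Token lacks the contacts:store ability.');
    }

    // Validate the body so the public form cannot inject arbitrary columns.
    $data = $request->validate([
        'name'  => ['required', 'string', 'max:100'],
        'email' => ['required', 'email', 'max:254'],
    ]);

    // Bind the record to the token's owner; the client cannot pick another user.
    $contact = $request->user()->contacts()->create($data);   // assumed relationship

    return response()->json($contact, 201);
});
```

Two caveats worth keeping in mind: `tokenCan()` is what actually narrows a leaked token to one action, so it must run on every route a scoped token could reach, not only the one it was meant for; and for a stateful SPA session (no bearer token) Sanctum's transient token reports every ability as allowed, so this check constrains third-party API tokens, while first-party users are still governed by your normal authorization.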

nanaaikinson24 commented 4 years ago

Can sanctum be used without auth scaffold?

driesvints commented 4 years ago

Hi there,

Thanks for reporting but it looks like this is a question which can be asked on a support channel. Please only use this issue tracker for reporting bugs with the library itself. If you have a question on how to use functionality provided by this repo you can try one of the following channels:

However, this issue will not be locked and everyone is still free to discuss solutions to your problem!

Thanks.