Closed wolfiton closed 4 years ago
Hi @wolfiton this is a bit out of the scope for this library I believe.
However since we use the Laravel authentication guards someone would have to implement a Paseto guard: https://laravel.com/docs/7.x/authentication#adding-custom-guards.
This will not be part of Lighthouse and also would not be specific to Lighthouse.
I see you posted this request on many places :)
The Lumen API starter you linked shows how to implement a Paseto guard you can then use with Lighthouse: https://lighthouse-php.com/4.12/security/authentication.html#global.
Unfortunately, you don't understand how Paseto works. It is not another JWT; Paseto will create short-lived tokens for users and change them using the events that happen in the API or user actions.
Please watch the video to understand what Paseto is and why JWT is dangerous!!! And reopen this request because it is a major security problem.
Thank you
Hi Wolfiton, Lighthouse does not implement JWT (or Paseto or cookies or any other authentication); we rely on the Laravel Authentication Guards, so I'm not 100% sure where Lighthouse (the project you opened an issue on) advertises JWT or implements JWT?
Sorry, but I don't understand how you can use GraphQL directly with Laravel without a frontend SPA or SSR, without using JWT or Paseto?
What auth method is there?
Thanks in advance for the explanations or clarifications on this.
There are many authentication methods you can use; you can even use session-based authentication (like a web request would, using cookies), or use Laravel Passport for full OAuth 2 support, or Laravel Sanctum for token-based auth.
It's all changeable by configuring guards in config/auth.php
as explained here: https://laravel.com/docs/7.x/authentication.
You can then set the guard to use in the Lighthouse configuration and your API is protected: https://github.com/nuwave/lighthouse/blob/master/src/lighthouse.php#L46-L58, read more about authentication in Lighthouse here: https://lighthouse-php.com/4.12/security/authentication.html.
But to be clear, Lighthouse uses the Laravel authentication, so any "guard" can be used, and that can implement any security specification from JWT to cookies to Paseto to OAuth. Lighthouse is only aware of the guard and whether the user is authenticated, not how that authentication took place.
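To make the guard mechanism described in this thread concrete, here is an added example (not code from Lighthouse, from the Lumen starter, or from either commenter) of a minimal Paseto-backed request guard registered with Laravel's `Auth::viaRequest`, plus the `config/auth.php` and Lighthouse `guard` entries that connect it. The driver name `paseto`, the config key `paseto.key`, the `sub` claim carrying the user id, and the `paragonie/paseto` calls (`Parser`, `ProtocolCollection::v2()`, `Purpose::local()`, `NotExpired`) are assumptions; check them against the library version you install.

```php
<?php
// app/Providers/AuthServiceProvider.php (added example; assumes paragonie/paseto is installed)

namespace App\Providers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use ParagonIE\ConstantTime\Base64UrlSafe;
use ParagonIE\Paseto\Exception\PasetoException;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Parser;
use ParagonIE\Paseto\ProtocolCollection;
use ParagonIE\Paseto\Purpose;
use ParagonIE\Paseto\Rules\NotExpired;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->registerPolicies();

        // A closure guard: Laravel calls this for every request that uses a guard
        // whose driver is "paseto" (see config/auth.php below). Returning null means
        // "not authenticated"; Lighthouse only sees that outcome, never the token.
        Auth::viaRequest('paseto', function (Request $request): ?User {
            $raw = $request->bearerToken();
            if ($raw === null) {
                return null;
            }

            // Assumption: PASETO_KEY holds a base64url-encoded 32-byte key for v2.local tokens.
            $key = new SymmetricKey(Base64UrlSafe::decode(config('paseto.key')));

            // Pin the version and purpose up front: the parser rejects any token that
            // is not exactly v2.local, so an attacker cannot downgrade or switch to
            // "public" tokens. NotExpired enforces the short-lived "exp" claim.
            $parser = (new Parser())
                ->setAllowedVersions(ProtocolCollection::v2())
                ->setPurpose(Purpose::local())
                ->setKey($key)
                ->addRule(new NotExpired());

            try {
                $token = $parser->parse($raw);
            } catch (PasetoException $e) {
                // Invalid MAC, wrong version/purpose, expired, malformed: all fail closed.
                return null;
            }

            // Assumption: the "sub" claim carries the user's primary key.
            $userId = $token->get('sub');
            if (!is_scalar($userId)) {
                return null;
            }

            return User::find($userId);
        });
    }
}

/*
config/auth.php (excerpt, added example):

    'guards' => [
        'web' => ['driver' => 'session', 'provider' => 'users'],
        'api' => ['driver' => 'paseto',  'provider' => 'users'],
    ],

config/paseto.php (added example; key supplied via the environment):

    return ['key' => env('PASETO_KEY')];

config/lighthouse.php (excerpt; points Lighthouse at the guard above):

    'guard' => 'api',
*/
```

With this in place, `@guard` in the schema and `Auth::user()` inside resolvers work unchanged, because Lighthouse asks the configured guard whether a user is authenticated and never inspects the token format itself. Issuing tokens (the `Builder` side of the library, and the rotation on user events that the thread mentions) is the application's job and is deliberately not part of this guard.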
Thanks that makes it clear now @stayallive
I would like to propose the implementation of Paseto by default as an authentication method for Lighthouse GraphQL APIs out of the box.
Or as an additional package, like Laravel's php artisan make:auth.
Reasons why Paseto and not JWT can be found in this video by Randall Degges, chief hacker at Okta: https://www.youtube.com/watch?v=Ai7PVLl4Wng
Thank you in advance for looking over this request.