tappleby / laravel-auth-token

Hooks into the Laravel auth module and provides an auth token upon success. This token is really only secure in an HTTPS environment. The main purpose of this module was to provide an auth token to a JavaScript web app which could be used to identify users on API calls.
MIT License

Laravel + tappleby auth token package - Separate controllers? #54

Open tjmahaffey opened 9 years ago

tjmahaffey commented 9 years ago

I'm building a Laravel app which also includes an API. I'd like to extend the default Laravel auth scheme to allow api access via tokens. Same auth structure, but two vehicles: api users validated via tokens, web app users validated via Laravel's default auth scheme.

I have a SessionController which I use to login and log out for web app users:

<?php

class SessionController extends \BaseController {

    // Show the login form, or skip it if the visitor already has a session
    public function create() {

        if (Auth::check()) {
            return Redirect::to('/post/dashboard');
        }
        return View::make('sessions.create');

    }

    // Attempt a session login with the posted credentials
    public function store() {

        if ( Auth::attempt(Input::only('username', 'password')) ) {
            return Redirect::to('/post/dashboard');
        } else {
            // Generic failure message: does not reveal whether the username exists
            return Redirect::to('/login')->with('error', 'Failed Auth.');
        }

    }

    // End the session and return to the login page
    public function destroy() {

        Auth::logout();
        return Redirect::route('login');
    }

}

Is it preferred that the API users go through a wholly separate controller for authentication in order to generate and validate tokens? Or can I somehow add the tappleby auth token stuff inside my existing SessionController and have it serve both purposes? I'm interested in best practices here.

anuragrath commented 9 years ago

Any reply on this would help. It's still not clear how both can co-exist.

@tjmahaffey Did you get anything in this regard?

Thanks,

tjmahaffey commented 9 years ago

I haven't come to any new information on this. Right now, I'm planning to create a separate controller for API authentication, though I don't think that's the right way to do it.

tappleby commented 9 years ago

Do you have more details on how API users are using your app vs "web users". Are they the same "session"?

If so you can generate a token using:

if(Auth::check()) {
  $authToken = AuthToken::create(Auth::user());
  $publicToken = AuthToken::publicToken($authToken);
}

When this library was originally designed it was mainly for authentication via Ajax using the same "user session". Most users are now using the library for authentication on mobile apps. I hope to make the next version of this package better for that use case; I had planned on this release a few months ago but it has unfortunately been delayed.

anuragrath commented 9 years ago

@tappleby Yes, we are also using it along with mobile apps. Could you share some ideas around how you plan to handle the session & Auth facade for the mobile app?

tappleby commented 9 years ago

To simplify things I would recommend a separate controller for tokens, you can use the default controller included in the package for basic use: https://github.com/tappleby/laravel-auth-token#the-controller

The alternative would include updating the session controller to check if the request accepts JSON (if(Request::wantsJson() || Request::ajax())) and return a token instead of a redirect (same for errors too).
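The second option described above, written out as an added example (this is not code from the tappleby/laravel-auth-token project or from anyone in this thread): the original SessionController from the question, extended so that one controller serves both browser users (session + redirect) and API clients (token in a JSON body). It assumes Laravel 4 facades (Auth, Input, Request, Redirect, Response, View) and the package's AuthToken::create / AuthToken::publicToken calls exactly as they appear earlier in this thread; the helper method wantsToken() and the choice of Auth::once for token clients are this example's own.

```php
<?php

// Added example, not project code. Assumes Laravel 4 facades and the
// AuthToken facade used earlier in this thread.

class SessionController extends \BaseController {

    // Show the login form, or skip it if the visitor already has a session
    public function create()
    {
        if (Auth::check()) {
            return Redirect::to('/post/dashboard');
        }
        return View::make('sessions.create');
    }

    // One login endpoint; the credentials check is the same for both client
    // types, only the response shape (and whether a session is started) differs
    public function store()
    {
        $credentials = Input::only('username', 'password');

        if ($this->wantsToken()) {
            // Assumption of this example: API clients get a token rather than a
            // session, so authenticate for this request only (Auth::once) and
            // do not issue a session cookie.
            if ( ! Auth::once($credentials)) {
                // Same generic message as the browser path, plus a 401 so
                // clients do not have to parse the body to notice the failure.
                return Response::json(array('error' => 'Failed Auth.'), 401);
            }

            // Issue a token for the user who just authenticated and hand out
            // only its public form, in the response body (never in a URL or a
            // redirect) and, per the package description, only over HTTPS.
            $authToken   = AuthToken::create(Auth::user());
            $publicToken = AuthToken::publicToken($authToken);

            return Response::json(array('token' => $publicToken));
        }

        // Browser path: unchanged from the original controller
        if (Auth::attempt($credentials)) {
            return Redirect::to('/post/dashboard');
        }
        return Redirect::to('/login')->with('error', 'Failed Auth.');
    }

    // Browser logout; token clients just get a JSON acknowledgement here
    // (revoking a previously issued token is not covered in this thread)
    public function destroy()
    {
        Auth::logout();

        if ($this->wantsToken()) {
            return Response::json(array('status' => 'logged out'));
        }
        return Redirect::route('login');
    }

    // Picks the response format only. Request::ajax() reflects an
    // X-Requested-With header that any client can set, so this must never be
    // used as an authentication or authorization decision.
    protected function wantsToken()
    {
        return Request::wantsJson() || Request::ajax();
    }
}
```

Two things worth keeping in mind with this shape: the branch decides only how the answer is formatted, the credential check itself is identical on both paths, so a client cannot gain anything by flipping the Accept or X-Requested-With header; and the failure response is the same generic message (with a 401 on the JSON path) for a wrong username and a wrong password, so the endpoint does not become a username oracle for API callers. Validating the returned token on subsequent API requests is done by the package's own filter/controller, which this example does not cover.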