I am creating a login feature using Laravel Passport. Can I use auth()->id()
without sending the bearer token in the Authorization header? If I put the token in the header, everyone can see it in the browser's Network tab,
and it is not safe. What is the other option?
This is my login controller API:

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $data = [
            'email' => $request->email,
            'password' => $request->password
        ];

        // Check the credentials against the default (web) guard.
        if (auth()->attempt($data)) {
            // Issue a Passport personal access token for this user.
            $token = auth()->user()->createToken('WebAppToken')->accessToken;
            return response()->json([
                'token' => $token
            ], 200);
        } else {
            return response()->json(['error' => 'Unauthorized'], 401);
        }
    }
}
```
This is my userInfo controller API:

```php
<?php

namespace App\Http\Controllers;

use App\Models\User;

class UserController extends Controller
{
    // The route is behind the auth:api middleware, so auth()->id() is
    // resolved from the bearer token sent with the request.
    public function userInfo()
    {
        $user = User::where('id', auth()->id())->first();
        return response()->json([
            'user' => $user
        ], 200);
    }
}
```
2 Answers
Sending the token via headers is the convenient way. The token will be viewable in the browser network tab. Additional security measures such as setting a shorter life span for the token may help. On logout, correctly destroy the token and it will be blacklisted – hence, access won’t be granted to anyone holding it.
Without providing the bearer token on the Authorization header, we cannot utilise auth()->id(), and if we pass it on the request header, it will also be visible on the browser network. I believe you should reduce the token’s lifespan.
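As an added example (not code from the question or either answer), here are the two measures both answers recommend, a shorter token lifetime and revocation on logout, applied to the question's Passport setup. The provider and controller names, the route protection and the one-hour lifetime are assumptions.

```php
<?php
// Added example, not part of the original post. Two classes in one file for
// illustration only; in a real app each lives in its own file.

namespace App\Providers {
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
    use Laravel\Passport\Passport;

    class AuthServiceProvider extends ServiceProvider
    {
        public function boot(): void
        {
            // createToken() in the question issues a *personal access* token,
            // whose lifetime is controlled here (Passport's default is one year).
            // One hour is an assumed value; tune it to the application.
            Passport::personalAccessTokensExpireIn(now()->addHours(1));

            // Lifetimes for tokens issued through the password / auth-code
            // grants, in case those are used as well.
            Passport::tokensExpireIn(now()->addHours(1));
            Passport::refreshTokensExpireIn(now()->addDays(7));
        }
    }
}

namespace App\Http\Controllers {
    use Illuminate\Http\JsonResponse;
    use Illuminate\Http\Request;

    class AuthController extends Controller
    {
        // Assumes the logout route is registered behind the auth:api
        // middleware, so $request->user() is resolved from the bearer token.
        public function logout(Request $request): JsonResponse
        {
            // Flag the current access token as revoked in oauth_access_tokens.
            // Passport rejects it on every later request, even though the
            // client (and anyone who copied it from the Network tab) still
            // holds the string.
            $request->user()->token()->revoke();

            return response()->json(['message' => 'Logged out'], 200);
        }
    }
}
```

With the shorter lifetime, a copied token is only useful until it expires, and calling logout cuts that window further by revoking it immediately.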