
I am creating a login feature using Laravel Passport. Can I use auth()->id() without sending the bearer token in the Authorization header? If I put the token in the header, everyone can see it in the browser Network tab and it is not safe. What is the other option?

This is my login controller API

    use Illuminate\Http\Request;

    public function login(Request $request)
    {
        $data = [
            'email' => $request->email,
            'password' => $request->password
        ];

        // Checks the credentials against the users table through the default guard
        if (auth()->attempt($data)) {
            // Issues a Passport personal access token; the plain token is only returned here, so the client must store it
            $token = auth()->user()->createToken('WebAppToken')->accessToken;
            return response()->json([
                'token' => $token
            ], 200);
        } else {
            return response()->json(['error' => 'Unauthorized'], 401);
        }
    }

This is my userInfo controller API

    use App\Models\User; // App\User on Laravel versions before 8

    // Must be routed behind the auth:api middleware, which resolves auth()->id() from the bearer token
    public function userInfo()
    {
        $user = User::where('id', auth()->id())->first();

        return response()->json([
            'user' => $user
        ], 200);
    }

2 Answers


  1. Sending the token via headers is the convenient way. The token will be viewable on the browser network. Additional security measures such as setting a shorter life span of the token may help. On logout, correctly destroy the token and it will be blacklisted – hence, won’t be granted access to anyone holding it.

  2. Without providing the bearer token on the Authorization header, we cannot utilise auth()->id(), and if we pass it on the request header, it will also be visible on the browser network. I believe you should reduce the token’s lifespan.

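The two mitigations both answers describe, a shorter token lifetime and revoking the token on logout, written out in Laravel Passport terms as an added example; this is not code from the question or from either answer. The controller name, the route and the chosen lifetimes are assumptions; the Passport calls (`tokensExpireIn`, `personalAccessTokensExpireIn`, `token()->revoke()`) are Passport's own API. Because the question's login issues a personal access token via `createToken`, the lifetime that applies to it is the one set by `personalAccessTokensExpireIn`, not `tokensExpireIn`.

```php
<?php
// Added example, not part of the original question or answers.

// ---- app/Providers/AuthServiceProvider.php ----
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Lifetimes are assumptions; pick what your risk tolerance allows.
        // Tokens issued through the OAuth grants:
        Passport::tokensExpireIn(now()->addHours(1));
        Passport::refreshTokensExpireIn(now()->addDays(7));
        // Tokens issued through $user->createToken(...), as in the question's login():
        // a copied bearer token stops working after one hour even if it is never revoked.
        Passport::personalAccessTokensExpireIn(now()->addHours(1));
    }
}

// ---- app/Http/Controllers/AuthController.php (hypothetical controller) ----
namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class AuthController extends Controller
{
    // Register behind the auth:api middleware so $request->user() is resolved
    // from the bearer token, e.g. in routes/api.php:
    //   Route::middleware('auth:api')->post('/logout', [AuthController::class, 'logout']);
    public function logout(Request $request): JsonResponse
    {
        // Marks the token presented on this request as revoked in oauth_access_tokens.
        // Any later request carrying the same bearer token is rejected with 401,
        // so a token copied from the Network tab is useless once the user logs out.
        $request->user()->token()->revoke();

        return response()->json(['message' => 'Logged out'], 200);
    }
}
```

A token that has been revoked or has expired fails the `auth:api` guard, so `auth()->id()` returns null and the middleware responds with 401 before `userInfo()` runs; checking that a revoked token is actually rejected is a quick regression test worth keeping.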