I'm refactoring my code to extract APIs from my Controllers.
Thing is in my APIs, it is common that I need to know what role has the user so that I can display correct data, so I need the user's data.
My first idea was to authenticate my API access with Basic Auth based on User / Password.
My first idea was to implement a filter and put all my APIs inside the same routes group.
Middleware looks like:
    <?php

    namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Support\Facades\Auth;

    class simpleAuthMiddleware
    {
        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            // onceBasic() returns a 401 response with a WWW-Authenticate header when
            // the credentials are missing or wrong, and null when they are valid.
            return Auth::onceBasic('email') ?: $next($request);
        }
    }
It worked, but when executing a request a basic auth popup came to bother me in the middle of navigation.
Then, I tried to use Guzzle like that:
    use GuzzleHttp\Client;

    // $client is a GuzzleHttp\Client pointed at the application's base URI.
    $response = $client->request('GET', '/tournaments', [
        'auth' => [Auth::user()->email, Auth::user()->password],
    ]);
I had some problems implementing it, as it works with unencrypted passwords, and I only have bcrypt passwords in my database. Besides, I also manage users coming from Socialite Authentication with Google / Facebook, and those users have no password.
Then I thought I could assign a token to each user and implement token security for my API. But while a token is great to grant or deny access to the API, as for me, it should not be used to retrieve user data. Even if I choose a 256-char token, there exists the remote possibility that 2 users get the same token. Besides, it means I should make an extra query in each API call to get user info.
So what I need to do is:
- Have a secure way to both authenticate users in my web app and API access
- Have access to Auth::user() inside APIs
What I need is simple stuff; the problem doesn't seem too complicated. I saw that Laravel Spark will handle JWT, so I will try to wait till Spark gets released. In the meanwhile, any idea how should I do it?
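One way to get both points above with the existing "APIs inside one routes group" setup, as an added example that is not code from the question: a per-user random token whose SHA-256 hash is stored in a hypothetical `users.api_token` column, looked up once per request and then handed to the guard so `Auth::user()` works in the API controllers. It needs no password, so Socialite users get a token like everyone else, and the single indexed lookup replaces the session lookup rather than adding to it (Laravel 5.x and an `App\User` Eloquent model are assumed).

```php
<?php
// Added example (not the question author's code). Assumes Laravel 5.x, an
// App\User model, and a hypothetical `api_token` column holding a SHA-256 hash.
namespace App\Http\Middleware;

use Closure;
use App\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;

class ApiTokenMiddleware
{
    /**
     * Issue a fresh token for a user. Only the hash is stored, so a leaked
     * database does not hand out usable tokens; the plaintext is returned
     * exactly once so it can be shown to the user.
     */
    public static function issueToken(User $user)
    {
        $plain = Str::random(60);   // 60 chars from a 62-char alphabet: ~357 bits, collisions are not a practical concern
        $user->api_token = hash('sha256', $plain);
        $user->save();
        return $plain;
    }

    public function handle($request, Closure $next)
    {
        $header = $request->header('Authorization', '');
        if (!preg_match('/^Bearer\s+(\S+)$/', $header, $m)) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        // One indexed lookup on the hash; the plaintext token never touches the DB.
        $user = User::where('api_token', hash('sha256', $m[1]))->first();
        if ($user === null) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        // Make the user available to controllers via Auth::user() for this request only.
        Auth::setUser($user);
        return $next($request);
    }
}
```

Register the class in the `$routeMiddleware` array of `app/Http/Kernel.php` and apply it to the API route group; the web app keeps its normal session login untouched.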