I am trying to figure out how to handle the Password Grant Tokens in Passport package. Should i store the client_id and client_secret in .env file or fetch the values direct from the database while requesting for a the token?
8
votes
2 Answers
4
votes
It depends on what you are finally trying to achieve.
Passport tokens are always stored in DB, and this is the right place to retrieve them (unless you are optimizing your production app, to gain less db load).
So, if you want to build an api endpoint, you can safely store PASSPORT_CLIENT_ID in your .env.
And then, in your controller, you can easily retrieve all data that you may need.
How to do it? Please read my post, on how you can embed this in your laravel controller.
Passport is built on top of oauth2 server which has loads of features.
Most likely you won't need them all, so you can stick to the basic jwt authorization as in this case.
This approach would enable you to test your code against different CI environments, while not sharing any specific keys/tokens in your VCS, which is definitely a good practice.
Final note... Passport makes packages like dingo, tymon jwt, etc.. useless, cause it has almost everything packed in, and what really important is, this is the official Laravel package.
1
votes
While you certainly can store the values inside your .env file, you should think these tokens as secrets you grant to other developers who want to use your API. What if everyday 50 developers want to register to use your API, will you add them by hand to your .env file? If it's only you / your company this kan be "ok", but I would store them in the database for scalability.
