Lumen - Non token-based authenthication?

0
votes

I trying to use lumen for the first time to create a restful backend service.

I'm used to working with laravel but with lumen I'm already stuck at the autentication. I can't find any tutorials on this.

I'm not even sure if my logic is secure for this. Bassically I receive a post request which contains an email and a password, then I want to check if the details are correct etc and authenticate the user.

I feel like I'm missing something, is this something that lumes comes with standard or will I need to rewrite the Auth service

2
phplaravellumen
With Lumen, auth is handled (generally) with tokens. So in your case, a post request should be made to the auth service to get a token, then each request after that would have that same token sent with it which would auth the request. However, as far as I know, none of this is built into Lumen out of the box. This is actually why I use the full Laravel framework even for API's unless I need something extremely thin. - Samsquanch

2 Answers

0
votes

It seems to be in the documentation you linked.

$this->app['auth']->viaRequest('api', function ($request) {
    // Return User or null...
});

The Request class is passed in to this function. You would need to grab the email and password out of it $request->get('email') and request->get('password'), check to make sure they are valid.

I'm not sure of the best way to do this with Lumen or how much is available so to make it easy, you could just do something like the following...

$this->app['auth']->viaRequest('api', function ($request) {

    $email = $request->get('email');
    $password = $request->get('password');
    $user = \DB::table('users')->where('email', $email)->first();

    // Invalid Email
    if ($user === null) {
        return null;
    }

    // Check if password matches
    if ( \Hash::check($user->password, $password) ) {
        return $user;
    }

    // Invalid password
    return null;
});

Keep in mind Lumen does not support session state you would need to pass in the email and password for every request. However, once it's setup, all you need to do in Lumen is use Auth::user() to grab the user.

You could also use jwt-auth which uses JSON Web Tokens which also makes it fairly easy and allows you to not pass emails and password around.

https://github.com/tymondesigns/jwt-auth

0
votes

For anyone who encounters this problem. This is how i solved it:

In the auth serviceProvider (boot method) you check if there is a authorization header present. If there is one, it should include a apiToken, witch you can validate and continue with the normal flow.

If there is no Authorization header present, you can check the request variable for a email and password. Validate the login, and on success you save a new apiToken. I returned this token to the frontend, and made a feature that handles all ajax request, to include this token in the header. I also implemented a function that handles every response in my frontend application witch checks for a 401, when its there redirect to the login page.

With this aproach, you can use both auth methods, and Auth::user() is available through your application. Just make sure the login page is not handled with the Auth middleware!