1
votes

I'm trying to do API auth in Laravel 5.5 by checking a token generated on the fly from the logged-in user's username with the md5 encryption method, and I don't want to save the token in the users table. When the user logs out, the token will be invalid. The URL will look like this:

http://myserver.com/products?token=......

How can I do this?

Added - It is a test project from the 44th WorldSkills Competition, and the following is from the test project document:

  1. Authentication

    a. Login (v1/auth/login)

      Description: For client to get login token via username and password
      Request method: POST
      Header: header authorization basic
      Requested parameter:
        • Body:
          ◦ username
          ◦ password
      Response result:
        • If success,
          ◦ header: response status: 200
          ◦ body:
            ▪ token: authorization token (to be valid until logout). Token will be generated by the system from the logged-in username with md5 encryption method
            ▪ role (ADMIN / USER)
        • If username/password not correct or empty,
          ◦ header: response status: 401
          ◦ body: message: invalid login

    b. Logout (v1/auth/logout?token={AUTHORIZATION_TOKEN})

      Description: For server to invalidate the user's token
      Request method: GET
      Header: header authorization basic
      Response result:
        • If success,
          ◦ header: response status: 200
          ◦ body:
            ▪ message: logout success
        • If an unauthorized user accesses it, data:
          ◦ message: Unauthorized user
          ◦ response status: 401

  2. Place

    a. All Places (v1/place?token={AUTHORIZATION_TOKEN})

      Description: For client to list all places in the database (including the user's search history, indexed by frequency)
      Request method: GET
      Header: header authorization basic
      Response result:
        • body:
          ◦ All data in an array; consists of id, name, latitude, longitude, x, y, image_path, description.
          ◦ response status: 200
        • If an unauthorized user accesses it, data:
          ◦ message: Unauthorized user
          ◦ response status: 401

...

md5 is not an encryption method, and this sounds awfully unsafe. – Khoon

It is just a test project in the 44th WorldSkills Competition... not a real one. – Artman Tao

I would really like to know in pseudo code what you are trying to do... how can you log in if there is nothing saved... you need to have a token in the DB in order to compare it with the one that the user is using to log in... can you explain it better? – lewis4u

Thanks lewis4u, the user will log in through a RESTful API; if it succeeds, the client will get the token generated on the server side and save it on the client side. The token will be invalid as soon as the user logs out. I think the session object has to be used on the server side to store the token, or? – Artman Tao

3 Answers

1
votes

You can create your own middleware, and inside that middleware specify the role for the user and use your own token creation, or you can use JWT with it; JWT is better for not saving the token in the database.

0
votes

The project is just for the competition -- I solved the problem as follows:

  1. The user logs in by sending username & password to the server;

  2. If successful, the server saves the md5 code of the username to the session and returns the code to the client;

  3. The client saves the md5 code into local storage as the token; it will be sent to the server with subsequent requests;

  4. The server verifies the token to decide whether the client can access its resources.

That's it! Just for the competition, not for production.
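An added example of those four steps in Laravel 5.5 (not code from the question or any answer): a middleware that compares the `?token=` query value with the md5 value put into the session at login, plus closure routes for login and logout. It assumes a `users` table with `username`, `password` (bcrypt) and `role` columns and a client that returns the session cookie with every request; because the Laravel 5.5 `api` middleware group starts no session, the cookie and session middleware are attached to the route group explicitly.

```php
<?php
// --- app/Http/Middleware/SessionTokenAuth.php ---
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class SessionTokenAuth
{
    public function handle(Request $request, Closure $next)
    {
        $expected = $request->session()->get('api_token'); // put there at login, removed at logout
        $given    = $request->query('token');               // ?token=... as in the spec
        // hash_equals() needs two strings and compares them in constant time.
        if (!is_string($expected) || !is_string($given) || !hash_equals($expected, $given)) {
            return response()->json(['message' => 'Unauthorized user'], 401);
        }
        return $next($request);
    }
}

// --- routes/api.php ---
// The `api` group in Laravel 5.5 has no session middleware, so cookie decryption and
// session start are attached here. A token without its session resolves to nothing.
use App\Http\Middleware\SessionTokenAuth;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

Route::middleware([\App\Http\Middleware\EncryptCookies::class,
                   \Illuminate\Session\Middleware\StartSession::class])
    ->prefix('v1')->group(function () {
        Route::post('auth/login', function (\Illuminate\Http\Request $request) {
            if (!Auth::attempt($request->only('username', 'password'))) {
                return response()->json(['message' => 'invalid login'], 401);
            }
            // The spec fixes the token as md5(username). Anyone who knows a username can
            // compute it, so the session check in the middleware is what gates access.
            $token = md5($request->input('username'));
            $request->session()->put('api_token', $token);
            return response()->json(['token' => $token, 'role' => Auth::user()->role]); // assumed `role` column
        });
        Route::get('auth/logout', function (\Illuminate\Http\Request $request) {
            $request->session()->forget('api_token'); // the token is invalid from here on
            Auth::logout();
            return response()->json(['message' => 'logout success']);
        })->middleware(SessionTokenAuth::class);
    });
```

Resource routes such as `v1/place` get the same `SessionTokenAuth` middleware; a request whose session holds no `api_token` (never logged in, or logged out) is answered with 401 whatever `?token=` carries.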

0
votes

You can create a token API and give it a cron job or sessions, and besides that you can do the reset without saving it to the database, just like JWT, but you work on it and do it by hand.