1
votes

I have Laravel Passport implemented in my project and everything is working well except for the expiration time of the cookie where the tokens are stored (which is just 1 hour).

My project consists of a backend Laravel 5.8 API (with Laravel Passport) that serves a front-end SPA (Vue).

Users of my app can log in successfully using a page with a Vue component that makes a POST request with the user credentials and, if the login succeeds, users are redirected to a new URL (app home) - this redirection is a GET request that creates the "laravel_token" cookie, created by the CreateFreshApiToken middleware.

From then on, users can go anywhere inside the app and all data needed by the app components is obtained through ajax calls (Laravel will note the presence of the "laravel_token" cookie in these ajax calls and will identify the logged-in user using the JWT present in that cookie).

My problem is:

The "laravel_token" cookie that was created when the user logged in was created with a lifetime of just 1 hour. Because this is a SPA, this cookie never gets updated (exchanged for a new one with a fresh one-hour lifetime)... so, after 1 hour, when a new ajax request needs to be made to the backend Laravel server, it receives an Unauthenticated response - which makes sense because the "laravel_token" cookie is outdated.

How do you deal with this problem?

I know that I can refresh this cookie by performing a full refresh/reload of the page before this cookie expires, but this is not a good solution in terms of user experience.

I can't make an ajax call to refresh this cookie because this is a SPA and I don't have the client_id and its secret on the client side... and also because not only is this cookie httponly but it is also encrypted by Laravel - so I can't exchange it for a new one using JS.

Is the only solution to increase the lifetime of this cookie (from 1 hour to... 1 year, for example)? Do you see any problem with this? And where can I set this cookie expiration time? Do I need to extend the ApiTokenCookieFactory class?

I would like the user to stay logged in until he deliberately performs a logout request or the access_token expires (which, in my case, since I am using the Laravel Passport defaults, is a long-lived token of 1 year).

I would appreciate it if someone could help me with this problem.

If you see something that I am not doing the correct way, I would also appreciate your comments with suggestions.

Thank you very much!

1
In your AuthServiceProvider, you can configure the lifetime of tokens (docs) - however, I think utilising the refresh tokens would be a better approach. Are you using axios? If so, I've seen people using axios interceptors for handling 401 responses and refreshing the token. - senty
Thank you senty! However, in the AuthServiceProvider I can configure the lifetime of the tokens, not the lifetime of the cookie where the token is stored. I am using jQuery to make my ajax calls, not axios. I also saw some people using axios interceptors, but that is not my case. However, if Laravel Passport uses a cookie to store the token and this cookie is encrypted by Laravel, how could I refresh this cookie from the browser side (with jQuery or axios, it doesn't matter)? - Tiago Santos
I'm a bit confused by your approach. So you are not using the API to communicate with the server - instead you are using sessions. Otherwise it'd be access_token rather than laravel_token. Which grant are you using for Passport? Also, what's your auth config on the Laravel side? - senty
I am using the API to communicate with the server, and "laravel_token" is the default cookie name used by Passport. It is defined in vendor/laravel/passport/src/Passport.php, in the property $cookie. My auth config is: 'web' => [ 'driver' => 'session', 'provider' => 'users', ], 'api' => [ 'driver' => 'passport', 'provider' => 'users', ] - Tiago Santos
It is in Laravel's documentation: "Typically, if you want to consume your API from your JavaScript application, you would need to manually send an access token to the application and pass it with each request to your application. However, Passport includes a middleware that can handle this for you. All you need to do is add the CreateFreshApiToken middleware to your web middleware group in your app/Http/Kernel.php file". - Tiago Santos

1 Answer

0
votes

According to ApiTokenCookieFactory, the expiration time of the laravel_token cookie is taken from the session lifetime value. So, just change the value of SESSION_LIFETIME in .env.
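As an added illustration (not part of the answer above, and not Passport's own code): the config/session.php entries that ApiTokenCookieFactory reads when it builds the laravel_token cookie, shown with the stock Laravel 5.8 layout. The 720-minute value and the SESSION_SECURE_COOKIE default are assumptions chosen for the example.

```php
<?php
// config/session.php (excerpt). Passport's ApiTokenCookieFactory reads
// this array: 'lifetime' (in minutes) becomes the laravel_token cookie's
// expiry, and 'path', 'domain', 'secure' and 'same_site' become the
// cookie's attributes. Raising SESSION_LIFETIME therefore lengthens how
// long the SPA can call the API without a full page reload.
return [
    'driver' => env('SESSION_DRIVER', 'file'),

    // Cookie lifetime in minutes. Example .env line (assumed value):
    //   SESSION_LIFETIME=720
    // Keep this shorter than Passport::tokensExpireIn(), otherwise the
    // cookie outlives the access token it carries and requests fail
    // anyway once the token itself is revoked or expired.
    'lifetime' => env('SESSION_LIFETIME', 120),

    // A longer-lived cookie is only as safe as its transport: it is
    // always HttpOnly, but 'secure' must be true to keep it off plain
    // HTTP, and a SameSite value limits cross-site sending.
    'expire_on_close' => false,
    'http_only'       => true,
    'secure'          => env('SESSION_SECURE_COOKIE', true), // assumed default
    'same_site'       => 'lax',
];
```

Check the resulting cookie in the browser's developer tools after login: the Expires value should move with SESSION_LIFETIME, and logout must still call Passport's revoke so a long-lived cookie cannot keep a revoked token in play.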