1
votes

I'm using Laravel Passport to issue Bearer tokens to the user once they're logged in, so that they can then connect to the API (yes, I know Sanctum might fit my needs better, but I'm using Passport, so don't even mention switching to Sanctum). Then, on the front end, I store the user email and the Bearer token in a cookie to use them later for other queries, and I add the Bearer token to the Axios Auth header. Now I have a problem with my logic, maybe related to the fact that I don't know how to use Passport correctly in Nuxt.

I have queries for each page where I send the user email in a POST request, and they return a mix of global info and user info.

Yes, my endpoints are already behind an auth middleware, but I just send a Bearer token to allow the endpoint to be queried with any data; there is nothing preventing User A from asking for User B's info.

How can I prevent the user from sending a different email and getting another user's info?

This is how I issue an access token:

$token    = $user->createToken('Laravel Password Grant Client')->accessToken;

Is there a way to do something like this?

$user = User::where('email', $request->email)->first();
// E.g. user@mail.com  ...

// Get the user Access Token
// (getAccessToken is a hypothetical accessor here; Passport does not keep
//  the issued bearer string on the user model)
$userToken    = $user->getAccessToken;
// E.g. someBearerText

// check if the User Access Token matches the one sent in the request;
// bearerToken() strips the "Bearer " prefix from the Authorization header,
// so the raw header value would never compare equal to the token itself.
// if they don't match throw a 401
if ($userToken !== $request->bearerToken()) {
   return response()->json([ "error" => "Not Authorized" ], 401);
}
...

// E.g. $request->bearerToken() is SomeOtherBearer because he
// requested info for user@mail.com but the token sent in the request
// belongs to otheruser@othermail.com

The user can still send the same request but with User B's email and see info that doesn't belong to him, so how can I check whether the email in the $request belongs to the user that's actually logged in?

Is there some way to decode the access token and check whether it really belongs to the user or not?

1
But the user you are fetching from Auth::user() will always belong to the token. What is the use case for this? Or try to describe the problem further: why is this needed? – mrhn

As I mentioned before, every page in the front end sends the user email to get a mix of user info and page-related info, but that means that if User A sends a request for the same page with User B's email, it will get User B's info. That's the problem. My middleware checks that the request contains an Authorization Bearer, but that doesn't prevent asking for another user's info. The idea is to get the user's Bearer, get the user's info and check whether it matches the email sent in the request. – Sebastiano

But then does User::where('email', $request->email)->first()->is(Auth::user()) not work? It checks your request email against the authenticated user. Auth::user() is loaded exactly as you describe, though it happens in the guard, so it is not as easy to call when you need it. – mrhn

I just added an example to the code to make it clearer. – Sebastiano

Also, the FE is completely separate from the BE: Laravel acts only as an API, and the FE is in Nuxt in a different container. – Sebastiano

1 Answer

0
votes

If Laravel Passport is set up as the guard, it will fetch the user from the bearer token; the logic can be seen in the TokenGuard.php class in Passport. It actually does the same as what you want to achieve.

So authentication works differently depending on the guard used. Therefore Passport requires you to change the guard. This is the deciding factor in how Laravel differentiates authentication and, for that matter, how Auth::user() is loaded.

'guards' => [
    ...

    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

This means that you can check whether the user is the correctly authenticated one with the model function is(), which compares whether the two models are the same record.

User::where('email', $request->email)->first()->is(Auth::user())
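The same ownership check applied to every page request at once, as an added example that is not code from the question or the answer: a route middleware that takes the identity from the token the Passport guard resolved and refuses any request whose body email names somebody else. The class name, the `ensure.email` alias, the use of `$request->user('api')` (which assumes the `api` guard above is configured with the `passport` driver) and the sample routes are assumptions made for this illustration; the comparison itself is the `is()`-style check from the answer, done against the authenticated user's own email so no second query is needed.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes the `api` guard in config/auth.php uses the `passport` driver,
// so $request->user('api') is the owner of the bearer token (resolved by
// Passport's TokenGuard). Class name and alias are made up for this example.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsureEmailMatchesAuthenticatedUser
{
    public function handle(Request $request, Closure $next): Response
    {
        // The token decides who is calling; the request body never does.
        $authUser = $request->user('api');

        if ($authUser === null) {
            // No valid bearer token: not authenticated at all.
            return response()->json(['error' => 'Unauthenticated'], 401);
        }

        // If the page still sends an email, it must be the caller's own.
        // Email is compared case-insensitively (mail addresses usually are),
        // and a body that names a different user is a forbidden request
        // from an authenticated caller, hence 403 rather than 401.
        if ($request->filled('email')
            && strcasecmp((string) $request->input('email'), $authUser->email) !== 0) {
            return response()->json(['error' => 'Not Authorized'], 403);
        }

        return $next($request);
    }
}

/*
 * Registration and usage (assumed file locations):
 *
 * app/Http/Kernel.php, in the route middleware aliases:
 *     'ensure.email' => \App\Http\Middleware\EnsureEmailMatchesAuthenticatedUser::class,
 *
 * routes/api.php:
 *     Route::middleware(['auth:api', 'ensure.email'])->group(function () {
 *         Route::post('/dashboard', [PageController::class, 'dashboard']);
 *     });
 *
 * Inside the controller, build the response from $request->user('api')
 * instead of looking the user up by the posted email:
 *     $user = $request->user('api');
 *     return response()->json(['user' => $user, 'global' => $globalInfo]);
 */
```

The cleanest fix is to stop sending the email from Nuxt at all and derive the user from `$request->user('api')` in every controller, since the token already identifies them; the middleware above is the guard rail for the transition while pages still post an email. Keep it behind `auth:api` in the route group, as shown, so the guard has already validated the token before the ownership check runs.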