Laravel API Auth class usage

StackOverflow https://stackoverflow.com/questions/23649716

  •  22-07-2023
  •  | 
  •  

Question

Trying to build and API based on laravel that aims to grow to intense usage by lots of clients. My question is whether there are serious drawbacks of using Auth class in my code ? I have implemented the OAuth2 authorization, and to get info about the user that is making the request I have a filter : 

Route::filter('hasAccess', function($request)
{
        //get the cleaned token string
        $auth_code = Request::header('Authorization');
        $auth_code = trim(preg_replace('/Bearer/sui', "", $auth_code));
        //get the stored session and put the query in cache for 10 minutes
        $ts = DB::table('sessions as s')
                ->leftJoin('oauth_session_access_tokens as osat', 's.token', '=', 'osat.id')
                ->select('s.*')
                ->where('osat.access_token', '=', $auth_code)
                ->remember(10, $auth_code)
                ->first();
        //Auth user cross-app
        Auth::onceUsingId($ts->user);
        //Extract the requested action
        $request = $request->getAction();
        $request = $request['controller'];
        $parts = explode('@', $request);
        $required = strtolower($parts[0]).'.'.$parts[1];
        $required = preg_replace('/controller/sui', "", $required);
        //Get the permissions
        $permissions = json_decode($ts->permissions, true);
        $permissions = array_fetch($permissions,'name');
        if (!in_array($required,$permissions))
        {
            return Response::json([
                    'error' => true,
                    'dataset' => 'You don\'t have rights to access this url'
            ]);
        }



});

It validates the user access rights to the controller action, but the most interesting in it is the row with Auth::onceUsingId($ts->user);. This rows authorizez the user for only 1 request. Also if any other ways to get info about user exist, please mention them. Thanks

Was it helpful?

Solution

You talk about 'serious drawbacks' of using Auth class code - but you dont really explain drawbacks compared to what? Just manually looking in the database yourself for the user?

All the Auth::onceUsingId() is doing is logging your user into the application without a session or cookie. This is perfect for an API - as you dont normally have persistence between requests.

You can then do Auth::user() to get data about the user, such as Auth::user()->name.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top