Question

My question is how do I use Laravel 4 with Sentry 2 to authenticate users who are calling my API? What are the proper ways of doing this?

Example: a user in a native iOS app calls my Laravel web service (returns JSON response), how can Laravel + Sentry authenticate the user?

Thanks in advance and comment if you need more info.


Solution 2

If the client is able to persist cookies, you just login with Sentry and it should work. Otherwise, after a common Sentry authentication, create and store an authentication token in your users table:

$table->string('api_token',96)->nullable();

Then use it in all other calls:

{
    "token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099",
    "user": {
        "id": "3",
        "email": "joe@doe.com",
        "permissions": [],
        "activated": true,
        "activated_at": null,
        "last_login": "2014-03-08 11:17:48",
        "first_name": null,
        "last_name": null,
        "created_at": "2014-03-08 10:29:08",
        "updated_at": "2014-03-08 11:17:48",
        "api_token": "a358dafd256cb5b26a944eacc1c7428a97f6d1e079c3f1972696f1bea7fff099"
    }
}

An article about this: http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry

Other suggestions

Like mentioned by Antonio, if the client is able to persist cookies you should be set to go.

But, I will tell you my research on this topic. I looked for API Token Implementation with Laravel. One I could find was by Terry Appleby and his implementation is a composer package with name tappleby/laravel-auth-token. I implemented a much simpler version of the package using Sentry 2 at http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry.

I called it a dirty one because I didn't consider much about security, expiration of tokens etc., but to answer your question, the above version does work and it is not secure unless you are in an HTTPS environment.

To help you more I suggest github.com/kippt/api-documentation. It is the API Documentation for an app called kippt.com. I picked this one because it is really simple and could be a starting point if you are new to developing APIs. See how they support different kinds of authentication. To summarize on what Kippt supports: Browser Session (I am guessing iOS does support cookies), HTTP Basic Auth (Pass username and password every time in the header) and Token (Pass a token in header of every request). On Token implementation of Kippt, it just returns a token to the client after a successful authentication and one can save and use that token. That token never changes. In my blog post, I create a new token every time user logs in.

Hope I could help.
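
The answer above notes that its token scheme leaves out expiration and other security details. The following is an added example, not code from either answer or from the linked post: a framework-neutral PHP version of issuing and checking the `api_token` that stores only a SHA-256 digest and enforces an expiry. The `$users` array standing in for the users table, the `api_token_expires_at` column and the one-hour lifetime are assumptions; `random_bytes()` requires PHP 7 or later.

```php
<?php
// Added example. $users stands in for the users table (constructed data);
// api_token_expires_at is a hypothetical extra column, not on the original page.
const TOKEN_TTL = 3600; // token lifetime in seconds (assumed policy)

// Call after a successful Sentry login. Returns the raw token for the client
// and stores only its SHA-256 digest (64 hex chars, fits the 96-char column).
function issue_token(array &$users, $userId, $now)
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars from the OS CSPRNG
    $users[$userId]['api_token'] = hash('sha256', $token);
    $users[$userId]['api_token_expires_at'] = $now + TOKEN_TTL;
    return $token;
}

// Call on every API request. Returns the matching user id, or null.
function verify_token(array $users, $presented, $now)
{
    if (!is_string($presented) || !preg_match('/\A[0-9a-f]{64}\z/', $presented)) {
        return null; // missing or malformed token
    }
    $digest = hash('sha256', $presented);
    foreach ($users as $id => $row) {
        if ($row['api_token'] === null) {
            continue; // never logged in, or token revoked
        }
        if (hash_equals($row['api_token'], $digest)) { // constant-time compare
            return $now < $row['api_token_expires_at'] ? $id : null;
        }
    }
    return null;
}

// Logout or forced revocation: the old token stops working immediately.
function revoke_token(array &$users, $userId)
{
    $users[$userId]['api_token'] = null;
    $users[$userId]['api_token_expires_at'] = null;
}

// Constructed sample row and timestamp.
$users = array(3 => array('email' => 'joe@doe.com', 'api_token' => null, 'api_token_expires_at' => null));
$now = 1394277468;
$token = issue_token($users, 3, $now);
var_dump(verify_token($users, $token, $now + 60));         // valid token
var_dump(verify_token($users, $token, $now + TOKEN_TTL));  // expired token
var_dump(verify_token($users, str_repeat('0', 64), $now)); // unknown token
revoke_token($users, 3);
var_dump(verify_token($users, $token, $now + 60));         // revoked token
```

With a real table the loop becomes an indexed lookup on the stored digest, and the raw token is returned to the client only once, in the login response.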

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow