Anas Hussain

Posted on Jan 2

Laravel Authentication Using Passport

#laravel #authentication #php #api

Mastering Laravel Authentication with Passport: A Step-by-Step Guide

Authentication is a cornerstone of modern web applications. In Laravel, Passport provides a full OAuth2 server implementation, enabling API authentication seamlessly. This guide walks you through the entire process of setting up Laravel Passport, from installation to securing and testing your API.

Introduction

Why Use Laravel Passport?

Laravel Passport simplifies the complexities of OAuth2 authentication by integrating it tightly with Laravel's ecosystem. With Passport, you can:

Authenticate API users securely.
Generate personal access tokens for mobile and web clients.
Manage token expiration and revocation easily.

Prerequisites

Before diving in, ensure you have:

A basic understanding of Laravel.
A Laravel project (v10.x or later is recommended) installed and configured with a database.
PHP 8.0 or later installed.

If you don’t have a project set up, create one with:

composer create-project --prefer-dist laravel/laravel passport-auth
cd passport-auth

Step 1: Install Laravel Passport

Install the Package

Run the following command to add Passport to your project:

composer require laravel/passport

Publish and Migrate Passport Files

Publish the Passport migrations and configuration files:

php artisan vendor:publish --tag=passport-migrations
php artisan migrate

Step 2: Configure Laravel Passport

Install Encryption Keys and Clients

Run the installation command:

php artisan passport:install

This generates encryption keys and creates OAuth clients in your database. Make note of the output, especially the client IDs and secrets.

Optional: Create a Personal Access Client

To create a personal access client explicitly, run:

php artisan passport:client --personal

Step 3: Update the Model

Add the HasApiTokens trait to your user model:

use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;

    // Other properties...
}

Step 4: Update Auth Configuration

Configure Passport as the driver for API guards in config/auth.php:

'guards' => [
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

Step 5: Register Passport Routes

In App\Providers\AppServiceProvider, load Passport's routes:

use Laravel\Passport\Passport;

public function boot(): void
{
    Passport::routes();
    Passport::tokensExpireIn(now()->addDays(15));
    Passport::refreshTokensExpireIn(now()->addDays(30));
    Passport::personalAccessTokensExpireIn(now()->addMonths(6));
}

Step 6: Build Authentication API Endpoints

Add Routes

Define API routes in routes/api.php:

use App\Http\Controllers\AuthController;

Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);
Route::middleware('auth:api')->get('/user', [AuthController::class, 'user']);

Create the Authentication Controller

Implement authentication methods:

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use App\Models\User;

class AuthController extends Controller
{
    public function register(Request $request)
    {
        $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users',
            'password' => 'required|string|min:8',
        ]);

        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => bcrypt($request->password),
        ]);

        return response()->json([
            'token' => $user->createToken('API Token')->accessToken,
        ], 201);
    }

    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        if (!Auth::attempt($credentials)) {
            return response()->json(['message' => 'Invalid credentials'], 401);
        }

        return response()->json([
            'token' => Auth::user()->createToken('API Token')->accessToken,
        ]);
    }

    public function user()
    {
        return response()->json(Auth::user());
    }
}

Step 7: Set Permissions for Encryption Keys

Ensure secure access to Passport keys:

chmod 600 storage/oauth-private.key storage/oauth-public.key
chown www-data:www-data storage/oauth-private.key storage/oauth-public.key

Verify permissions:

ls -l storage/oauth-*.key

Expected output:

-rw------- 1 www-data www-data 1704 Jan  2 12:00 oauth-private.key
-rw------- 1 www-data www-data  800 Jan  2 12:00 oauth-public.key

Step 8: Test the API

Use Postman or any API client to test endpoints:

Register: Send a POST request to /register with name, email, and password.
Login: Send a POST request to /login with email and password.
Get User Data: Send a GET request to /user with the token in the Authorization header.

Best Practices

Use HTTPS in production.
Rotate encryption keys periodically.
Validate inputs thoroughly.
Limit token scopes for better security.

Conclusion

Congratulations! You've successfully implemented API authentication using Laravel Passport. This setup provides a robust foundation for securing your API. Explore advanced Passport features like scopes, token revocation, and client credentials to further enhance your application's security.

DEV Community