Maria_Gavrilova, 2019-08-27 19:28:46

API authentication controller in Laravel?

Hello. I am writing a Laravel Passport based authentication API for a mobile app. Users do not have a password. They log in with an SMS code. First, they enter a phone number -> an SMS code is sent to them -> and then there is a login request (with the SMS code in the request body) to the following controller method:

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function login(Request $request, User $user)
{
    // Caveat: null === null is true, so a user with no code issued and a request
    // without phone_code would pass; compare non-empty strings with hash_equals().
    if ($request->get('phone_code') === $user->phone_code) {
        Auth::login($user, true);
        $token = $user->createToken($user->phone); // personal access token: no refresh token

        return response()->json(["user" => auth()->user(), 'token_type' => 'Bearer', 'token' => $token->accessToken], 200);
    } else {
        return response()->json(["message" => "Wrong code"], 403);
    }
}

This returns the access token that will be sent in the headers on every request to the server. In our system this token is valid for exactly one day. After a day it becomes invalid and the user has to request the code by SMS again. I wouldn't like that. At the first login I would like to generate and give the user a refresh token, valid for two weeks, in addition to the access token. Then the next day, when the user's access token expires, he will not be logged out: the application will send a request with the refresh token to get new tokens, he will stay logged in, and from then on will contact the server with the new access token. So the actual question is how to generate both an access token and a refresh token if the user does not have a password. Please tell me how I can achieve this?
And am I thinking about this right? After all, isn't this how mobile applications and SPAs let users stay logged in without entering the password each time the access token expires?


2 answers
Alex Wells, 2019-08-27

And what about the password? I use Passport, and there is no password in my application either (not even a username/email). They are not related.
Do as in the docs; it is not tied to a password.

Daria Motorina, 2019-08-27

According to the documentation, the concept is to give both access_token and refresh_token at the authorization endpoint, and when the current access_token is no longer valid, take the previously received refresh_token, make a request to the refresh endpoint and receive a new access_token. What data the user presents to receive his very first access_token and refresh_token is purely a matter of the authorization architecture of that particular application.
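One way to get the flow both answers describe (first login with an SMS code, then refresh_token exchanges without a new SMS) out of Laravel Passport is to keep using its password grant and override the two model hooks Passport provides for it, findForPassport() and validateForPassportPasswordGrant(), so that the `username` field carries the phone number and the `password` field carries the SMS code. The code below is an added example, not code from the question or from Passport itself. It assumes a `users` table with columns `phone`, `phone_code` (a bcrypt hash of the code, unlike the plaintext column in the question) and `phone_code_expires_at`, a password-grant client created with `php artisan passport:client --password`, and a hypothetical `SmsCodeController` and `sendSms()` placeholder for the SMS provider.

```php
<?php
// Added example (not code from the original post). Assumes a users table with
// phone, phone_code (bcrypt hash of the SMS code) and phone_code_expires_at,
// a Passport password-grant client, and Passport's findForPassport() /
// validateForPassportPasswordGrant() model hooks.

namespace App;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens;

    protected $fillable = ['phone', 'phone_code', 'phone_code_expires_at'];
    protected $casts = ['phone_code_expires_at' => 'datetime'];

    // Passport's password grant calls this with the `username` field of the
    // /oauth/token request; the phone number plays the role of the username.
    public function findForPassport(string $username): ?self
    {
        return self::where('phone', $username)->first();
    }

    // Passport calls this with the `password` field; here it carries the SMS
    // code. Returning true makes Passport issue access_token + refresh_token.
    public function validateForPassportPasswordGrant(string $password): bool
    {
        if ($this->phone_code === null || $this->phone_code_expires_at === null) {
            return false;                                   // no code issued
        }
        if ($this->phone_code_expires_at->isPast()) {
            return false;                                   // code expired
        }
        if (! Hash::check($password, $this->phone_code)) {  // bcrypt verify, constant-time
            return false;
        }
        // One-time use: clear the code so the same SMS cannot be replayed.
        $this->forceFill(['phone_code' => null, 'phone_code_expires_at' => null])->save();
        return true;
    }
}

// Step 1 of the flow: issue the code (hypothetical controller; route it behind
// the `throttle` middleware so a 6-digit code cannot be brute-forced).
class SmsCodeController
{
    public function send(Request $request)
    {
        $data = $request->validate(['phone' => 'required|string']);
        $code = sprintf('%06d', random_int(0, 999999));      // CSPRNG, not rand()

        $user = User::firstOrCreate(['phone' => $data['phone']]);
        $user->forceFill([
            'phone_code'            => Hash::make($code),   // never store the code itself
            'phone_code_expires_at' => now()->addMinutes(5),
        ])->save();

        // sendSms() is a placeholder for your SMS provider call (assumption).
        // sendSms($user->phone, "Your login code: {$code}");

        return response()->json(['message' => 'Code sent'], 200);
    }
}

// app/Providers/AuthServiceProvider.php, inside boot(): the lifetimes from the question.
//   Passport::routes();
//   Passport::tokensExpireIn(now()->addDay());            // access token: 1 day
//   Passport::refreshTokensExpireIn(now()->addWeeks(2));  // refresh token: 2 weeks

// Step 2, first login: the app posts the SMS code to Passport's token endpoint.
//   POST /oauth/token
//   grant_type=password&client_id=<id>&client_secret=<secret>
//   &username=%2B15550001111&password=123456&scope=
//   -> {"token_type":"Bearer","expires_in":86400,"access_token":"...","refresh_token":"..."}
//
// Step 3, a day later when a request comes back 401: exchange the refresh token,
// no SMS involved. Passport revokes the old refresh token and issues a new pair.
//   POST /oauth/token
//   grant_type=refresh_token&refresh_token=<refresh_token>
//   &client_id=<id>&client_secret=<secret>&scope=
//   -> {"token_type":"Bearer","expires_in":86400,"access_token":"...","refresh_token":"..."}
```

Two practical caveats with this design. The client_secret of a password-grant client ends up inside the mobile binary, so it only identifies the app; the SMS code (short-lived, single-use, hashed at rest, rate-limited) is the real credential, which is why the hook above refuses null, expired and already-used codes before it ever compares. And the refresh token is now a two-week credential in its own right: store it in the platform keystore (Keychain / Android Keystore), not in plain preferences, and revoke it server-side on logout.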
