Does laravel sanctum only generate access_token?

Time:05-09

I am trying to understand the basic flow of Laravel Sanctum in a SPA (Vue.js) application. So far, what I understood is:

- It creates a middleware for API authentication.

- When a user attempts to log in, it generates the access_tokens and returns them to the frontend. The frontend then remembers this token using its frontend storage, like localStorage, sessionStorage, etc.

- When a user attempts to log out, we simply delete the access_tokens from both the frontend storage and the database table.

Please correct me if I have missed something or made a mistake.

CodePudding user response:

Sanctum does not only authenticate with tokens; it also does regular session authentication. The authentication method is determined automatically based on the request: if it comes from the same domain, authentication is done with the cookie/session; if the request comes from a different domain or no session cookie is found, token authentication is attempted.

Usually, for an SPA app that is on your same domain, there is no need to use tokens. Sanctum will simply use the standard authentication using cookies.

https://laravel.com/docs/9.x/sanctum#how-it-works-spa-authentication

For this feature, Sanctum does not use tokens of any kind. Instead, Sanctum uses Laravel's built-in cookie based session authentication services.

In the case where your frontend is on a different domain or on a mobile device, Sanctum will check for the token in the headers of the request.

For using token authentication you need to issue tokens manually as explained here: https://laravel.com/docs/9.x/sanctum#issuing-mobile-api-tokens

Typically, you will make a request to the token endpoint from your mobile application's "login" screen. The endpoint will return the plain-text API token which may then be stored on the mobile device and used to make additional API requests.

```php
return $user->createToken($request->device_name)->plainTextToken;
```

After you log in, you store the token in localStorage or the local session; you need to include this token in the Authorization header for mobile or 3rd-party frontends.

When the mobile application uses the token to make an API request to your application, it should pass the token in the Authorization header as a Bearer token.

Basically, you don't need to care about tokens if your SPA is on your same domain. You can just keep using cookies and sessions.

If your frontend is mobile or on a different domain, the preferred way is to use tokens, and you need to call the login API manually and store the token response in localStorage or the local session.

Note, though, that you actually don't even need to use tokens for 3rd-party apps if you don't want to. You could use cookies and sessions as well; however, this could cause scaling issues because Laravel gives out a session cookie to everyone, guest or authenticated, so your backend session store such as Redis will grow very fast for 3rd-party apps/APIs. With tokens, however, they are only generated on login, so the scale is much smaller.
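As an added example (not the poster's code, not from the Laravel docs), here is the token flow the answer describes for mobile or cross-domain clients, next to the session flow a same-domain SPA keeps using: a token endpoint, a route protected by `auth:sanctum` that accepts either a session cookie or a Bearer token, and a logout that revokes only the token used on that request. It assumes a hypothetical `routes/api.php` in a standard Laravel 9 app whose `App\Models\User` uses Sanctum's `HasApiTokens` trait.

```php
<?php
// routes/api.php of a hypothetical Laravel 9 app (added example, not the
// poster's code). Assumes App\Models\User uses Laravel\Sanctum\HasApiTokens.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;
use Laravel\Sanctum\PersonalAccessToken;

// Token endpoint for mobile / cross-domain clients only. A same-domain SPA
// uses the cookie/session flow and never calls this route. Throttled so the
// login form cannot be brute-forced cheaply.
Route::post('/sanctum/token', function (Request $request) {
    $request->validate([
        'email'       => 'required|email',
        'password'    => 'required',
        'device_name' => 'required|string|max:255', // one token per device
    ]);
    $user = User::where('email', $request->email)->first();
    // Same error for "no such user" and "wrong password" so the response
    // does not reveal which e-mail addresses exist.
    if (! $user || ! Hash::check($request->password, $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }
    // The plain-text token is shown exactly once; Sanctum stores only its
    // SHA-256 hash in the personal_access_tokens table.
    return ['token' => $user->createToken($request->device_name)->plainTextToken];
})->middleware('throttle:6,1');

// auth:sanctum accepts either a session cookie (same-domain SPA) or an
// "Authorization: Bearer <token>" header (mobile / other domain).
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());
    // Logout for token clients: revoke only the token used on this request so
    // other devices stay signed in ($request->user()->tokens()->delete() would
    // revoke all). Cookie sessions carry a TransientToken with nothing to delete.
    Route::post('/logout', function (Request $request) {
        $token = $request->user()->currentAccessToken();
        if ($token instanceof PersonalAccessToken) {
            $token->delete();
        }
        return response()->noContent();
    });
});
```

A mobile client posts its credentials and `device_name` to `/sanctum/token` once, keeps the returned string, and sends it as `Authorization: Bearer <token>` on every later request; the same `/user` route serves the cookie-authenticated SPA with no token at all.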
