Auth-module: laravel passport example

Created on 17 Dec 2017 · 13 Comments · Source: nuxt-community/auth-module

Is there anyone who is willing to share/show a full example of this with Laravel Passport?
I mean like a repository or even a small tutorial about it all?

Sorry for my n00bity here but I think this would help many people like me.

This question is available on Nuxt.js community (#c18)
help wanted question

All 13 comments

Here is a repo of a basic setup. There is a lot I'd like to improve but it might give you a basic idea of where to start.

Nice stuff @jmschneider! You can make a PR to officially point to your starter example in the recipes section 😊

@pi0 I tried to take it a little further and created a provider for Laravel Passport. I think the initial solution in that repo would actually end up exposing the client secrets on the client side.

Hey @jmschneider! Thanks for your repo, but it left me a bit confused :P! Don't the password_grant and password_grant_custom schemes publicly expose the client_secret, therefore creating a massive security risk? I am able to see the secret in the source code in /dist after running nuxt build. <-- EDIT: just seen you've mentioned that ;).

I've also tried the laravel.passport provider on my static PWA hosted on S3, but the problem is that upon my API returning the code, the Auth module attempts to make a post request to _auth/oauth/laravel.passport/authorize, but S3 can't support POST requests and there is no directory like _auth in the dist after running nuxt build.

How can I authenticate a static PWA with an API using Laravel Passport?

Hey @mwargan,

You are correct, in the final implementation of the laravel.passport provider it sends the request to the Nuxt server to attach the client secret and proxy it on to Laravel Passport. I think you might be able to do something with an implicit grant token in order to authenticate without a client secret. I don't remember exactly how you would set up the Nuxt auth side of things.

There are also some additional options you can override in the settings you can see here. I believe the authorization_endpoint option is setting where the initial request goes. Changing that to point directly to the Laravel Passport endpoint might work.
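
The proxy arrangement described in the comment above, as an added example (not code from the auth-module or from the linked repo): the browser sends only the authorization code, and a server-side handler builds the token request with the secret taken from its own environment. `buildTokenRequest`, `PASSPORT_CLIENT_SECRET` and the sample values are assumptions; `/oauth/token` is Passport's token endpoint.

```javascript
// Added example: server-side construction of the Passport token request.
// Intended to run only on the Nuxt/Node server, so the secret never enters
// the client bundle. buildTokenRequest and PASSPORT_CLIENT_SECRET are
// hypothetical names, not part of the auth-module API.
const ALLOWED_FROM_BROWSER = ['code', 'redirect_uri'];

function buildTokenRequest(browserBody, env) {
  if (!env.PASSPORT_CLIENT_SECRET) {
    throw new Error('PASSPORT_CLIENT_SECRET is not set on the server');
  }
  if (typeof browserBody.code !== 'string' || browserBody.code === '') {
    throw new Error('missing authorization code');
  }
  // Copy only whitelisted fields; anything else the browser sent is dropped.
  const form = new URLSearchParams();
  for (const key of ALLOWED_FROM_BROWSER) {
    if (typeof browserBody[key] === 'string') form.set(key, browserBody[key]);
  }
  // Server-controlled fields: never taken from the browser request.
  form.set('grant_type', 'authorization_code');
  form.set('client_id', env.PASSPORT_CLIENT_ID);
  form.set('client_secret', env.PASSPORT_CLIENT_SECRET);
  return {
    url: new URL('/oauth/token', env.LARAVEL_ENDPOINT).toString(),
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}

// Constructed sample input (not real credentials or hosts).
const sampleEnv = {
  LARAVEL_ENDPOINT: 'https://api.example.test',
  PASSPORT_CLIENT_ID: '3',
  PASSPORT_CLIENT_SECRET: 'constructed-secret',
};
const sampleBrowserBody = {
  code: 'sample-code',
  redirect_uri: 'https://app.example.test/login',
  client_secret: 'from-browser', // ignored: not whitelisted
  grant_type: 'password',        // ignored: overwritten by the server
};
console.log(buildTokenRequest(sampleBrowserBody, sampleEnv));
```

A statically hosted build has no server to run this on, which is why the `_auth/oauth/laravel.passport/authorize` POST described earlier in the thread fails on S3.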

Ahh - I was thinking this was a case for an Implicit Grant Token. Are you saying I could do this using the laravel.passport provider? Could you throw together a very simple/quick example?

So no way to use a Password Grant in this case?...

Edit: here's what I've done:

'laravel.passport.custom': {
  _scheme: "oauth2",
  url: process.env.LARAVEL_ENDPOINT,
  client_id: process.env.PASSPORT_CLIENT_ID,
  authorization_endpoint: process.env.LARAVEL_ENDPOINT+"/oauth/authorize",
  response_type: "token",
  userinfo_endpoint: process.env.LARAVEL_ENDPOINT+"/api/v1/me",
  scope: '*',
}

It kinda works - when the access_token is returned it's for some reason appended to the url after a #. When deleting the # and everything after it and refreshing the page the user is now logged in. <-- this may be a caching issue on my part actually.
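
On the `#` in the comment above: with `response_type: "token"` (the OAuth 2.0 implicit grant) the authorization server returns the access token in the URL fragment of the redirect. The following is an added example, not part of the original comment or the auth-module's code, that reads the fragment, checks `state`, and returns the URL with the fragment removed; the function name and the sample URL are constructed.

```javascript
// Added example: handling an implicit-grant redirect in the browser.
// readImplicitCallback is a hypothetical helper, not an auth-module function.
function readImplicitCallback(href, expectedState) {
  const url = new URL(href);
  // The fragment is never sent to the server; only client-side code sees it.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  url.hash = '';
  const cleanUrl = url.toString(); // same URL without the token in it

  if (params.has('error')) {
    return { ok: false, reason: params.get('error'), cleanUrl };
  }
  const accessToken = params.get('access_token');
  if (!accessToken) {
    return { ok: false, reason: 'no_token', cleanUrl };
  }
  // Reject responses that do not echo the state value stored before redirecting.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch', cleanUrl };
  }
  return {
    ok: true,
    accessToken,
    tokenType: params.get('token_type'),
    expiresIn: Number(params.get('expires_in')) || null,
    cleanUrl,
  };
}

// Constructed sample redirect (not a real token or host).
const sampleRedirect =
  'https://app.example.test/callback#access_token=constructed.token.value' +
  '&token_type=Bearer&expires_in=3600&state=abc123';
console.log(readImplicitCallback(sampleRedirect, 'abc123'));

// In a page, after a successful parse, the fragment can be dropped from the
// address bar and history entry without a reload:
//   history.replaceState(null, '', result.cleanUrl);
```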

So no way to use password grant on static client pwa?

There are some ideas here on how to use a local/proxied API call (in order to not expose client secret).

https://esbenp.github.io/2017/03/19/modern-rest-api-laravel-part-4/

nuxt.config.js

{
  auth: {
    login: '/login',
    logout: '/',
    strategies: {
      local: {
        endpoints: {
          login: { url: '/api/auth/login', method: 'post', propertyName: 'access_token' },
          logout: { url: '/api/auth/logout', method: 'post' },
          user: { url: '/api/auth/user', method: 'get', propertyName: 'user' },
        },
        tokenRequired: true,
        tokenType: 'Bearer',
      },
    },
  },
}

tokenType is case-sensitive and should be Bearer. Check this Illuminate trait where it looks for Bearer.

And in your controllers/services, you can have similar code:

use Illuminate\Http\Request;

Route::post('auth/login', function(Request $request) {
    // Only the credential fields are read from the request
    $cred = $request->only('email', 'password');

    if (auth()->attempt($cred)) {

        // Delete the user's existing tokens, then issue a new personal access token
        auth()->user()->tokens()->delete();
        $token = auth()->user()->createToken('SPA');

        return response()->json([
            'access_token' => $token->accessToken,
        ]);
    }

    return response()->json(['Unauthorized.'], \Illuminate\Http\Response::HTTP_UNAUTHORIZED);
});

// Routes in this group require a valid Bearer token (auth:api guard)
Route::group(['middleware' => 'auth:api'], function() {
    Route::get('auth/user', function(Request $request) {
        return auth()->user();
    });
});

Really need this too, if anyone can point out an end-to-end example using Laravel passport that would be helpful. @mwargan did you figure out how to do this?

@connecteev Check my previous post. This is how you would do it with Passport. I wrote a small Medium article: https://medium.com/@shafiqalshaar/laravel-passport-nuxt-auth-the-simple-way-da302add5151 however, it's not really utilizing a JWT token with payload and/or expiry.

@spacemudd thanks..do you know how to do auth for social login + laravel passport? It would use the authorization code grant I believe.

Why is this so tough?
Most examples are mountains of code and still end up exposing the client-secret.

I would think that Laravel Passport + Nuxt would be a super common way of doing things.

Has anyone made any more progress?

Closing here, as docs already have laravel passport provider.

Demo code: nuxt.config.js and laravel-auth repo
