I have my Auth Controller as

```javascript
// Login action (Adonis 3.x generator-style controller)
const login = yield basicAuth.validate(email, password);
if (login) {
  const user = yield User.findBy('email', email);
  //TODO Generate API access token
  var token = yield request.auth.generate(user);
  // persist the token on the user's apiTokens relation
  yield user.apiTokens().save(token);
  response.cookie('token', token, {
    //TODO set secure for production
    //secure:true,
  });
  response.send({ success: true, cookies: request.cookies() });
  return;
}
```
And my API Route as

```javascript
Route.group('api', function () {
  Route.resources('user', 'api/UserController');
}).prefix('/api/v1').middleware('auth:api');
```
But after logging in and writing a token cookie, I still get an Invalid Auth Error when accessing the route.
What am I missing? Is there a better way to do API auth?
@Nigeltiany Just make sure to format questions as per the specs defined here: https://guides.github.com/features/mastering-markdown/.
Next, I don't understand why you are using Basic Auth + API Auth together?
@thetutlage What would be a better way to do it?
```javascript
const isLoggedIn = yield request.auth.check()
```

Check the database for username and password from the request? The `auth.check()` function? I used basic auth to check if a user's credentials exist, and the api auth to assign a token, send it as a cookie, then save it to the database.
You must only use one authentication technique to give access to restricted routes. When using basicAuth your customers will have to log in, since basicAuth is stateless authentication.
Read this http://security.stackexchange.com/questions/755/how-does-basic-http-auth-work
In Adonis you can make use of the auth middleware:

```javascript
Route.group('api', function () {
  Route.resources('user', 'api/UserController');
}).prefix('/api/v1').middleware('auth:basic');
```

Now any request that does not have basic auth headers will be denied by the middleware itself, and the authenticator will take care of validating the credentials for you.
Thanks, but I'm not there yet. Please indulge me.
I want API auth for my REST interface, for users that have provided a valid username and password.
After confirming a user's credentials exist, I want to give them a token which they are supposed to send back on every request, enabling them to access the REST API.
How should I go about that with regard to AdonisJS, and what's the better approach?
I already have `middleware('auth:api')` and, inside the group, my REST routes.

Okay, you should render a login form where a user will enter their credentials and if their credentials are correct, you will return a response with the API token or JWT token, and then they can make use of that token for future requests.
Checkout this sample controller for same https://github.com/adonisjs/adonis-rally/blob/develop/app/Http/Controllers/UsersController.js
The login page will not use any authentication, since it needs to be publicly accessible.
Thank you very much @thetutlage
That clears the fog for me.
One more thing.
How best to redirect to a route with the acquired token in the request header?
@Nigeltiany `response.redirect('location')` can be used to redirect the request. Closing; feel free to open issues for specific issues 😄
Is it possible to revoke jwt tokens. Where are they currently stored?
I'm with this same doubt.
Where are JWT tokens stored? Local Storage I already know about; I am referring to the database!
JWT tokens are not stored. Read more about JWT on the official page. JWT tokens are created with user information in the token payload, and an expiration date. You then set that token on the front end as a cookie OR in the payload and save it in localStorage. If you want to check which user that token belongs to, you can encode the token with some user-specific data, decode it, and you will get that user's data.