Setting up API Token based Authentication in Laravel 5
Web technologies are growing and changing day by day. Static Web Page’s evolved to interactive Web Applications. But those are old too. This time is for “Mobile Application” and “Single Page Web Application”. Technologies evolved in the same manner. While building a modern Single Page Web Application or Mobile Application, RESTful API is the most common technique. In the simplest manner, the idea is that you will create some URLs requesting which another application can browse and update data. This is how each of your mobile application works. They browse some URL. GETs data from the server or POSTs data to the server.
But, what about security? Surely you don’t want everyone to browse the URLs and get the data. This is why API token is introduced. Every user is assigned a random fairly long string. He can access it by providing the username and password or other credentials. Later, he will just assign this API token to each of this requests and use this, the server will do the authentication.
Let’s implement this with Laravel. It is assumed that You are familiar with Migration, Middleware, and Routing.
In your user’s table migration, add an extra string column named ‘api_token’ with fairly long length. 64 is long enough.
// add this to your users_table migration
Assigning API Tokens
Then each time while creating a user, an API token must be assigned. To do this, open AppHttpControllersAuthRegisterController.php. Inside the create method, add the following key value pair to the array passed to User::create method.
'api_token' => str_random(64),
Add Middleware to Route
Then auth:api should be attached to each route using API authentication.
Note: By default, Laravel uses web authentication which uses session to authenticate user. ‘auth:api’ will tell Laravel to use API authentication using the provided token.
To retrieve the user from token the following code snippet can be used.
Adding Token to Request
Adding token to request is easy enough. If http://abc.com/api is your URL, then just add ?api_token=your_api_token to the end of the URL where your_api_token is the API token assigned to the user. Finally, it will look something like this
Note: For the sake of security, it is better to send api_token as POST variable rather than GET.
Less Necessary Customization
You are already all set. But, surely it is tiresome to remind Laravel every time to use API token authentication. To avoid it change the default guard in config/auth.php to ‘api’.
Alternatively, you can use a Route group to assign auth:api middleware to a bunch of routes.