I have just begun to explore JWT authorisation in Laravel. I successfully installed it on Laravel 5.1, authorised and tested it via Postman.
Best practice has come to mind: I saw some posts on Stack Overflow about JWT best practices, but I'm not sure whether I'm currently doing it correctly in my Laravel application.
1. Refresh Token
Below are my config/jwt.php settings, which follow this post's suggestion on JWT UX (both values are in minutes):
'ttl' => 10080, // 1 week
'refresh_ttl' => 60, // 1 hour
2. Middleware
Is this the best way to wrap a simple JWT API, applying both the jwt.auth and jwt.refresh middleware?
Route::group(['prefix' => 'api'], function()
{
    Route::post('authenticate', 'AuthenticateController@authenticate');

    // Both middleware must be listed inside the 'middleware' array; a bare
    // 'jwt.refresh' as a second element of the group options is not applied as middleware.
    Route::group(['middleware' => ['jwt.auth', 'jwt.refresh']], function() {
        Route::resource('authenticate', 'AuthenticateController', ['only' => ['index']]);
        Route::get('authenticate/user', 'AuthenticateController@getAuthenticatedUser');
        Route::get('authenticate/logout', 'AuthenticateController@logout');
        // Other API calls that modify the user's DB...
        Route::post('update_address/', 'otherAPIController@update_address');
        Route::post('update_password/', 'otherAPIController@update_password');
        Route::post('insert_other_stuff/', 'otherAPIController@insert_other_stuff');
    });
});
3. Database
Is it best not to heavily modify the default users table? Below is my database structure:
users :
- id,uuid,name,email,password,remember_token,created_at,updated_at
users_information :
- id,uuid,address,telephone,first_name,last_name,created_at,updated_at
or maybe having
users_role :
- id,uuid,role_id,role_group,role_description,created_at,updated_at
Is it good to separate the user's tables and query the other information once we have authorised the JWT (a valid token) using the user's uuid value?
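To make concrete how ttl and refresh_ttl in config/jwt.php interact, here is an added example that is not part of the question and not code from the jwt-auth package. It is a stand-alone Python model of HS256 JWT issue and verification, with the two rules taken from how tymon/jwt-auth (the version used with Laravel 5.1) treats these options: exp = iat + ttl, and a token may be refreshed only while now < iat + refresh_ttl, both measured in minutes. The secret, the user id 42, the timestamps and the helper names (issue_token, can_refresh, simulate, forge_sub) are constructed for this example only.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed secret for this example only; a real JWT_SECRET lives in .env.
SECRET = b"example-secret-do-not-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub, ttl_minutes, now, secret=SECRET):
    """Mint an HS256 JWT with the claim set jwt-auth uses (sub, iat, exp, nbf, jti).
    exp is iat + ttl, which is what the 'ttl' option controls (minutes)."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_minutes * 60,
               "nbf": now, "jti": uuid.uuid4().hex}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def parse_token(token, secret=SECRET):
    """Verify the HS256 signature in constant time and return the payload.
    Deliberately does not check exp: the refresh flow parses expired tokens too."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def auth_check(token, now):
    """What jwt.auth needs: a valid signature and an exp still in the future."""
    return now < parse_token(token)["exp"]


def can_refresh(token, refresh_ttl_minutes, now):
    """What jwt.refresh needs: the refresh window is measured from iat, not from exp."""
    return now < parse_token(token)["iat"] + refresh_ttl_minutes * 60


def refresh(token, ttl_minutes, refresh_ttl_minutes, now):
    """Issue a replacement token, as jwt.refresh does on each request it guards."""
    if not can_refresh(token, refresh_ttl_minutes, now):
        raise ValueError("token_expired: outside the refresh window")
    return issue_token(parse_token(token)["sub"], ttl_minutes, now)


def forge_sub(token, new_sub):
    """Re-encode the payload with another sub but keep the old signature: what a
    client without the secret can do, and what parse_token must reject."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["sub"] = new_sub
    return f"{h}.{b64url(json.dumps(payload).encode())}.{s}"


def simulate(ttl, refresh_ttl, minutes_after_login):
    """Return (jwt.auth would accept, jwt.refresh would accept) for a token issued
    at login and presented minutes_after_login later under a given config (minutes)."""
    t0 = 1_600_000_000                      # constructed login time
    token = issue_token(sub=42, ttl_minutes=ttl, now=t0)
    later = t0 + minutes_after_login * 60
    return auth_check(token, later), can_refresh(token, refresh_ttl, later)


if __name__ == "__main__":
    # Values from the question: ttl = 1 week, refresh_ttl = 1 hour, seen 2 h after login.
    print("question config   :", simulate(10080, 60, 120))
    # The usual shape: short ttl = 1 h, refresh window = 2 weeks, seen 2 h after login.
    print("short ttl, long rt:", simulate(60, 20160, 120))
```

With the question's values, a token presented two hours after login still passes the exp check (it is valid for a week) but is already outside the one-hour refresh window, so a route group guarded by both middleware stops serving that client after an hour while the long-lived token remains valid. A refresh_ttl longer than the ttl, as in the second call, keeps refresh possible for as long as the client stays active without having to issue week-long tokens.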