Laravel Sanctum API Token Security

Question

Hello great people of SO!

I hope you all have a great day!

First of all, I'm new to SPA, and I'm sorry if my english is bad But I will try my best to explain what issue I have right now

I'm creating a simple SPA that use Sanctum API Token as Authentication and Vue as Front

After creating simple Auth mechanism (such: Route guard, errors, etc) of this SPA, a simple thought comes to my mind

What if I copy a token, then insert it to another browser, will the server Authenticate me?

Steps to produce:

• First, I login to Brave browser, and server return the Authorization token, the token stored inside Brave localStorage, and Front-end part redirect me to '/home' route, everything works normal like simple authentication

• Then, I opened Firefox browser, I put token and token_value inside localStorage, which I got before from logging in with Brave browser

• I visited '/home' route, which is only for Authenticated users, and the server accept me.

I cannot find in documentation about this matter

How to solve this matter?

Answer 1

The Laravel docs state, "You should not use API tokens to authenticate your own first-party SPA. Instead, use Sanctum's built-in SPA authentication features".

You might want to read more between Tokens and Cookies for authentication here. Token Authentication vs. Cookies

You would be authenticated anytime you send a request with a valid token. Doesn't matter which browser. It works on any medium that is able to make a request.

If it's a SPA, use Sanctum SPA authentication mechanisms.

Not sure if this answers your questions.