
I want to create an API for my project, but I will consume this API in this repository as an SPA and in a mobile app. How can I protect my web routes via JWT?

2 Answers


You don't have to use a JWT token. Laravel has an API protection package; check this: https://laravel.com/docs/8.x/sanctum

If you still want to use JWT tokens, you can use them with Laravel Sanctum, but Laravel never recommends this. JWT is no longer a secure token algorithm.

Berat
  • "jwt is no longer a secure token algorithm" - in what way is this true? – gboone Sep 10 '22 at 01:08
  • You can search. The JWT algorithm can now be broken. – Berat Sep 10 '22 at 05:14
  • Without a source to support it, the claim makes no sense, because JWTs have a signing algorithm option: it can be set to none, or to an outdated insecure encryption method, or to a secure method. But the server side can force a strong algorithm. When this is done, JWTs are secure and cannot be broken. It's not accurate to state that all JWTs can be broken. It's like saying passwords are no longer secure. – gboone Sep 11 '22 at 11:34
  • See https://stackoverflow.com/questions/37041699/how-secure-is-jwt#37041956 – gboone Sep 11 '22 at 11:35
  • Oh yes, passwords are no longer secure. That's why Apple, Microsoft and Google are developing Passkeys. See: https://developer.apple.com/passkeys/ – Berat Sep 12 '22 at 16:38
  • But Sanctum does not support "Remember me" like a JWT token; it seems to have a global expiration. – Bcktr Nov 21 '22 at 07:42

Laravel Passport (not Sanctum) is what you are looking for. It processes each request as middleware and responds with a refresh token. This refresh token is long-lived and is used to fetch a new short-lived token for a subsequent request. https://laravel.com/docs/9.x/passport#consuming-your-api-with-javascript

The use of a separate refresh token is handy for third-party apps that may make their next request in 4 months without user intervention. It allows a long expiration, and fine-grained control of that expiration per user.

But it's not handy when you want all users to have the same expiration, or want to use just one step for authentication on each call while returning a refreshed token back to the user. For that you might want to consider https://github.com/panva/jose and review how to establish a secure JWT process. You could build your own authentication and middleware to process the tokens. https://github.com/tymondesigns/jwt-auth can help guide you as well.

And make sure to force a secure encryption algorithm and use signing.

gboone