Home > Article > PHP Framework > Laravel development: How to implement API authentication using Laravel Sanctum?
With the popularity of RESTful APIs and the widespread use of applications, more and more applications require authentication and authorization of APIs, so API security has become an extremely important aspect in today's software development. Laravel Sanctum is a lightweight authentication system introduced out of the box with Laravel 7.0, which is designed to make API authentication simple and secure. In this article, we will introduce how to use Sanctum in Laravel to ensure API security.
Before we begin, we need to confirm that Laravel 7.0 version has been installed. Then we can use composer to install Laravel Sanctum dependencies:
composer require laravel/sanctum
After installing Sanctum, add the following code to the config/app.php
file:
'providers' => [ // ... LaravelSanctumSanctumServiceProvider::class, ], 'aliases' => [ //... 'Sanctum' => LaravelSanctumSanctum::class, ]
In this way, Laravel The application already uses the services and functions provided by Sanctum.
Next, before performing database migration, we need to set up Sanctum’s database tables. Larav lSanctum provides a personal_access_tokens
database table by default that contains the following fields:
id
: The unique identifier of the tokentokenable_type
: The class name of the model associated with the token tokenable_id
: The ID of the model associated with the token name
: The name of the token token
: The value of the API token abilities
: The authorization of the token Before creating the personal_access_tokens
table, we need to create the model relationship first. This can be done by registering the following in AuthServiceProvider
:
use LaravelSanctumSanctum; //... public function boot() { $this->registerPolicies(); Sanctum::ignoreMigrations(); Sanctum::actingAs( null, [ 'superuser' ]); }
Sanctum::ignoreMigrations()
is used to prevent Laravel from running the artisan migrate
command Execute Sanctum's database migration file. However, in most cases we just add it to the command of the database migration file. Sanctum::actingAs()
Also provides a development-only method that impersonates the user without user authentication.
Then we need to run the following command to create the personal_access_tokens
table:
php artisan migrate
Laravel Sanctum is We provide two ways to generate tokens for the API. One is the CreateToken
method, which can create one or more API tokens with optional names and granted permissions. Here we introduce the second method, which is to use the hasApiTokens()
function with the createToken()
function:
// use the HasApiTokens trait within your User Model use LaravelSanctumHasApiTokens; class User extends Authenticatable { use HasApiTokens, Notifiable; // ... } // create a Token with User ID and given Abilities $personalAccessToken = $user->createToken('API Token', ['server:get','server:post']);
Here we use in the user model HasApiTokens
Trait to implement API token functionality in the user model. We use the createToken
method to create an API token and specify an optional name and authorized permission key when creating the token.
With the API key in hand, we can inject it into every request for authentication. We can use sanctum
middleware in Laravel's routing file to protect the API route in order to verify the token in the request:
// A Group of API routes that require a valid Token Route::group(['middleware' => 'auth:sanctum'], function () { Route::get('/user', function (Request $request) { return $request->user(); }); });
In this code, we define a validation containing sanctum
Middleware routing group. A route group contains a route that only requires a valid Token to access.
Using Bearer
Token is the best way to send an API token via the HTTP Authorization
header Common methods. You can authorize the token by adding Authorization: Bearer {{$personalAccessToken->plainTextToken}}
to the request header:
curl -H "Authorization: Bearer xxxxx" http://example.com/api/user
Finally, we need to understand how to revoke API tokens. We can use the tokens()->delete()
function to delete all API tokens for a user, or use the revoke()
function to revoke a single API token:
$user->tokens()->delete(); $personalAccessToken->revoke();
Conclusion
Now we have successfully implemented Sanctum authentication to protect our API. Sanctum and Laravel provide simple yet powerful API authentication, which allows developers to focus on building powerful APIs and put the main focus on business logic. When using Sanctum, it is highly recommended that you carefully read the official documentation so that you can fully understand the API's authentication process and ensure the highest security for your application.
The above is the detailed content of Laravel development: How to implement API authentication using Laravel Sanctum?. For more information, please follow other related articles on the PHP Chinese website!