Using Laravel Passport in a Front-end/Back-end Separated Project

  question

Description:


After the user logs in at the front end, he obtains an access_token and saves it to localStorage; if the user logs out, the access_token in localStorage is destroyed. If the expiration time is 8 hours, then within the time the access_token has not yet expired the user can log out and log in many times, which still generates many access_tokens, and they are all valid!

Questions:


  1. How to set the expiration time reasonably?

  2. How to ensure that, for a user's client_id, only one access_token is valid (not expired)?

  3. How to clean up expired or revoked access_tokens?

Method of clearing tokens through event listeners:

Register the events in EventServiceProvider; the code is as follows:

    protected $listen = [
        'App\Events\SomeEvent' => [
            'App\Listeners\EventListener',
        ],
        'Laravel\Passport\Events\AccessTokenCreated' => [
            'App\Listeners\Auth\RevokeOldTokens',
        ],
        'Laravel\Passport\Events\RefreshTokenCreated' => [
            'App\Listeners\Auth\PruneOldTokens',
        ],
    ];

Then create a Listener for each of the two events:

  • RevokeOldTokens (app/Listeners/Auth/RevokeOldTokens.php):

    <?php

    namespace App\Listeners\Auth;

    use Carbon\Carbon;
    use Laravel\Passport\Events\AccessTokenCreated;
    use Laravel\Passport\Token;

    class RevokeOldTokens
    {
        /**
         * Handle the event: whenever a new access token is issued, delete the
         * other tokens of the same user and client that are already expired
         * or revoked.
         *
         * @param  AccessTokenCreated  $event
         * @return void
         */
        public function handle(AccessTokenCreated $event)
        {
            Token::where('id', '!=', $event->tokenId)
                ->where('user_id', $event->userId)
                ->where('client_id', $event->clientId)
                // The expired/revoked test must be grouped: an ungrouped
                // orWhere would delete every revoked token in the table,
                // for every user and client.
                ->where(function ($query) {
                    $query->where('expires_at', '<', Carbon::now())
                        ->orWhere('revoked', true);
                })
                ->delete();
        }
    }
  • PruneOldTokens (app/Listeners/Auth/PruneOldTokens.php):

    <?php

    namespace App\Listeners\Auth;

    use Illuminate\Support\Facades\DB;
    use Laravel\Passport\Events\RefreshTokenCreated;

    class PruneOldTokens
    {
        /**
         * Handle the event: whenever a new refresh token is issued, delete
         * refresh tokens that have already been revoked (other than the one
         * belonging to the access token just created).
         *
         * @param  RefreshTokenCreated  $event
         * @return void
         */
        public function handle(RefreshTokenCreated $event)
        {
            DB::table('oauth_refresh_tokens')
                ->where('access_token_id', '!=', $event->accessTokenId)
                ->where('revoked', true)
                ->delete();
        }
    }
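The two listeners above only remove tokens that are already dead; they do not set the lifetime (question 1) or guarantee that a user has a single valid access_token per client_id (question 2). The following is an added example, not code from the original post, showing one way to do both: the 8-hour lifetime is set in AuthServiceProvider, and a listener on AccessTokenCreated revokes every other still-valid token of the same user and client, together with the refresh tokens that belong to them. It assumes Passport's default oauth_access_tokens and oauth_refresh_tokens tables, a Passport version that still calls Passport::routes(), and Laravel 5.5+ helpers such as now(); the listener class name and the seven-day refresh-token lifetime are my own choices.

```php
<?php
// Added example, not from the original post. Two classes are shown in one file
// using bracketed namespaces so the snippet is self-contained; in a real app
// they live in app/Providers/AuthServiceProvider.php and
// app/Listeners/Auth/RevokeActiveSiblingTokens.php (class name is an assumption).

namespace App\Providers {

    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
    use Laravel\Passport\Passport;

    class AuthServiceProvider extends ServiceProvider
    {
        public function boot()
        {
            $this->registerPolicies();
            Passport::routes(); // Passport <= 10; newer releases register routes themselves

            // Question 1: lifetimes are configured here, not in the database.
            // An 8-hour access token, and a refresh token that outlives it by a
            // bounded window (7 days is an assumed value) so a leaked refresh
            // token is not usable forever.
            Passport::tokensExpireIn(now()->addHours(8));
            Passport::refreshTokensExpireIn(now()->addDays(7));
        }
    }
}

namespace App\Listeners\Auth {

    use Illuminate\Support\Facades\DB;
    use Laravel\Passport\Events\AccessTokenCreated;
    use Laravel\Passport\Token;

    // Register this class under Laravel\Passport\Events\AccessTokenCreated in
    // EventServiceProvider's $listen array.
    class RevokeActiveSiblingTokens
    {
        /**
         * Question 2: when a new access token is issued for a (user, client)
         * pair, revoke every other token of that pair that is still valid,
         * plus the refresh tokens that belong to them. A copy left behind in
         * some browser's localStorage then fails on its next request.
         */
        public function handle(AccessTokenCreated $event)
        {
            // Client-credentials tokens carry no user; nothing to de-duplicate.
            if ($event->userId === null) {
                return;
            }

            $siblings = Token::where('id', '!=', $event->tokenId)
                ->where('user_id', $event->userId)
                ->where('client_id', $event->clientId)
                ->where('revoked', false)
                ->pluck('id');

            if ($siblings->isEmpty()) {
                return;
            }

            DB::transaction(function () use ($siblings) {
                // Revoke rather than delete: Passport's token guard checks the
                // revoked column on every request, so this takes effect at once,
                // and the rows remain for auditing until they are purged.
                Token::whereIn('id', $siblings)->update(['revoked' => true]);

                // A refresh token bound to a revoked access token must go with
                // it, or the old session can simply mint a new access token:
                // the refresh_token grant does not check the old access token.
                DB::table('oauth_refresh_tokens')
                    ->whereIn('access_token_id', $siblings)
                    ->update(['revoked' => true]);
            });
        }
    }
}
```

For question 3, newer Passport releases ship `php artisan passport:purge` (with `--revoked` and `--expired` to limit it to one kind), which can run from the scheduler and replaces the hand-written delete listeners on installations that have it.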

Requiring password verification when logging in after logging out

Because the front end saves the refresh_token and access_token to localStorage, when the user logs out the state in the vuex store is destroyed and only the refresh_token is retained. The next time the user logs in, the front end checks whether a refresh_token exists and, if so, sends a refresh_token request, so the user name and password do not need to be verified. For safety I also want to verify that the user name and password are correct even when a refresh_token is present, so I started changing the LoginController!

    <?php

    namespace App\Http\Controllers\Auth;

    use App\Http\Controllers\Controller;
    use Illuminate\Foundation\Auth\AuthenticatesUsers;
    use Illuminate\Http\Request;

    class LoginController extends Controller
    {
        use AuthenticatesUsers;

        public function login(Request $request)
        {
            $credentials = $this->credentials($request);

            // The password is always checked first, even when the client sends a
            // refresh_token. Note that the AuthenticatesUsers trait's guard()
            // takes no argument, so the 'api' string is ignored and the attempt
            // runs against the default (session) guard; Passport's token guard
            // does not implement attempt().
            if ($this->guard('api')->attempt($credentials, $request->has('remember'))) {
                return $this->sendLoginResponse($request);
            }

            return \Response::json([
                'status'  => 'error',
                'message' => 'wrong user name or password',
            ], 401);
        }

        protected function sendLoginResponse(Request $request)
        {
            $this->clearLoginAttempts($request);

            return $this->authenticated($request);
        }

        protected function authenticated(Request $request)
        {
            return $this->authenticateClient($request);
        }

        /**
         * Forward the login to Passport's oauth/token route: the refresh_token
         * grant when a refresh_token was sent, the password grant otherwise.
         */
        protected function authenticateClient(Request $request)
        {
            $data = $request->all();

            if ($request->refresh_token) {
                $request->request->add([
                    'grant_type'    => $data['grant_type'],
                    'client_id'     => $data['client_id'],
                    'client_secret' => $data['client_secret'],
                    'refresh_token' => $data['refresh_token'],
                    'scope'         => '',
                ]);
            } else {
                $request->request->add([
                    'grant_type'    => $data['grant_type'],
                    'client_id'     => $data['client_id'],
                    'client_secret' => $data['client_secret'],
                    'username'      => $data['staffid'],
                    'password'      => $data['password'],
                    'scope'         => '',
                ]);
            }

            // Passport builds the PSR-7 request it reads from the application's
            // current request, which is why the parameters are added to $request
            // above instead of being passed to Request::create().
            $proxy = Request::create('oauth/token', 'POST');

            $response = \Route::dispatch($proxy);
            $token = json_decode($response->getContent());
            $token->user = $request->user();

            // Pass Passport's status code through so a failed grant is not
            // reported to the front end as 200.
            return response()->json($token, $response->getStatusCode());
        }

        /**
         * Get the login username to be used by the controller.
         *
         * @return string
         */
        public function username()
        {
            return 'staffid';
        }
    }
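The root of the problem described at the top of the post is that logging out only deletes the token on the client; the server still accepts it until it expires. The following is an added example, not code from the original post, of a logout endpoint that revokes the access token presented with the request, and its refresh tokens, so the deletion from localStorage is backed by server-side revocation. It assumes Passport's default tables, a User model that uses the HasApiTokens trait, and a route guarded by auth:api; the controller name, route path and the "everywhere" parameter are my own choices.

```php
<?php
// Added example, not from the original post. A logout endpoint that revokes the
// access token presented with the request (and its refresh tokens) so that
// deleting the token from localStorage is backed by server-side revocation.
// Assumptions: Passport's default tables, the User model uses HasApiTokens,
// and a route such as
//   Route::post('logout', 'Auth\LogoutController@logout')->middleware('auth:api');
// (controller name, path and the "everywhere" parameter are my own choices).

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class LogoutController extends Controller
{
    public function logout(Request $request)
    {
        $user = $request->user();

        // Passport's TokenGuard attaches the Token model of the presented bearer
        // token to the user; token() returns it. With ?everywhere=1 the user's
        // other live tokens (other browsers, other devices) are revoked as well.
        $ids = $request->input('everywhere')
            ? $user->tokens()->where('revoked', false)->pluck('id')
            : collect([$user->token()->id]);

        DB::transaction(function () use ($ids) {
            DB::table('oauth_access_tokens')
                ->whereIn('id', $ids)
                ->update(['revoked' => true]);

            // Refresh tokens hang off access tokens; revoke them too, otherwise
            // the refresh_token the front end keeps after logout can still be
            // exchanged for a brand-new access token without a password.
            DB::table('oauth_refresh_tokens')
                ->whereIn('access_token_id', $ids)
                ->update(['revoked' => true]);
        });

        return response()->json(['status' => 'ok']);
    }
}
```

Revocation is immediate even though Passport access tokens are signed JWTs, because the token guard looks up the revoked column on every request. One further caveat on the login flow above: it sends client_id and client_secret from the browser, and a secret embedded in front-end code is readable by every user, so it cannot act as a security boundary; the password check in login() and server-side revocation are what actually protect the account.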