Laravel Passport 通过访问令牌获取客户端 ID

发布于05月27日

I'm writing a tiny sms gateway to be consumed by a couple of projects,

I implemented laravel passport authentication (client credentials grant token)

然后我向api中间件组添加了CheckClientCredentials个:

protected $middlewareGroups = [
    'web' => [
       ...
    ],

    'api' => [
        'throttle:60,1',
        'bindings',
        \Laravel\Passport\Http\Middleware\CheckClientCredentials::class
    ],
];

The logic is working fine, now in my controller I need to get client associated with a valid token.

routes.php

Route::post('/sms', function(Request $request) {
    // save the sms along with the client id and send it

    $client_id = ''; // get the client id somehow

    sendSms($request->text, $request->to, $client_id);
});

For obvious security reasons I can never send the client id with the consumer request e.g. $client_id = $request->client_id;.

推荐答案

So, no answers ...

我通过使用自己的API解决了这个问题，最后我想出了更简单的身份验证流程，客户端需要发送他们的id&；每个请求都是秘密的，然后我用发送的凭证使用自己的/oauth/token路由，灵感来自Esben Petersen blog post.

Once the access token is generated, I append it to the headers of Symfony\Request instance which is under processing.

My final output like this:

<?php

namespace App\Http\Middleware;

use Request;

use Closure;

class AddAccessTokenHeader
{
    /**
     * Octipus\ApiConsumer
     * @var ApiConsumer
     */
    private $apiConsumer;


    function __construct() {
        $this->apiConsumer  = app()->make('apiconsumer');
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $this->apiConsumer->post('/oauth/token', $request->input(), [
            'content-type' => 'application/json'
        ]);


        if (!$response->isSuccessful()) {
            return response($response->getContent(), 401)
                    ->header('content-type', 'application/json');
        }

        $response = json_decode($response->getContent(), true);

        $request->headers->add([
            'Authorization'     => 'Bearer ' . $response['access_token'],
            'X-Requested-With'  => 'XMLHttpRequest'
        ]);

        return $next($request);

    }
}

我将上述中间件与Passport的CheckClientCredentials结合使用.

protected $middlewareGroups = [
    'web' => [
        ...
    ],

    'api' => [
        'throttle:60,1',
        'bindings',
        \App\Http\Middleware\AddAccessTokenHeader::class,
        \Laravel\Passport\Http\Middleware\CheckClientCredentials::class
    ],
];

This way, I was able to insure that $request->input('client_id') is reliable and can't be faked.

Laravel Passport 通过访问令牌获取客户端 ID

推荐答案

Laravel相关问答推荐

Inertia React中的错误文件上传更新

为什么Laravel在API请求时返回BadMethodCallException？

Dompdf 古吉拉特语和印地语文本未正确显示

按回车键时如何防止此功能运行？

(1/1) ErrorException ReflectionFunction：：__construct() ex

如何将用户对象绑定到中间件中的请求

集成测试模拟外观与注入模拟

Mockery 和 Laravel 构造函数注入

如何在 Laravel 中显示渲染时间/页面加载时间？

用 laravel 表单确认删除？

为什么我的 Laravel 队列作业(job)在 60 秒后失败？

使用限制排队 Guzzle 请求

如何在 Laravel 5.2 中手动发送密码重置请求？

如何使用外部图像生成 html div 的 screenshot截图？

laravel 4：更新行时如何从列的当前值中减一？

扩展 Eloquent 的类的构造函数

如何从 Laravel 中的资源中获取图像？

Laravel 存储链接不适用于生产

Laravel 5 - 判断日期是否是今天

Lumen/Laravel 6：调用未定义的函数 array_except()