|
| 1 | +# Laravel JWT |
| 2 | + |
| 3 | + |
| 4 | + |
| 5 | +This package provides out-of-the-box API authentication using JWT for Laravel. |
| 6 | + |
| 7 | +## Installation. |
| 8 | + |
| 9 | +You can install this package by running: |
| 10 | + |
| 11 | +```bash |
| 12 | +composer require kino/laravel-jwt |
| 13 | +``` |
| 14 | + |
| 15 | +## Setup. |
| 16 | + |
| 17 | +In order to setup this package into your application, minimal configuration |
| 18 | +is actually needed. |
| 19 | + |
| 20 | +#### 1) Service Provider. |
| 21 | + |
| 22 | +Register this package's Service Provider by adding it to the `providers` |
| 23 | +section of your `config/app.php` file: |
| 24 | + |
| 25 | +```php |
| 26 | + 'providers' => [ |
| 27 | + |
| 28 | + // ... other providers omitted |
| 29 | + |
| 30 | + Kino\Auth\JWT\ServiceProvider::class, |
| 31 | + |
| 32 | + ], |
| 33 | +``` |
| 34 | + |
| 35 | +#### 2) Configuration file. |
| 36 | + |
| 37 | +Publish the configuration file (`config/jwt.php`) by running the |
| 38 | +following command after registering the Service Provider. |
| 39 | + |
| 40 | +```bash |
| 41 | +php artisan vendor:publish --provider="Kino\Auth\JWT\ServiceProvider" |
| 42 | +``` |
| 43 | + |
| 44 | +#### 3) Generate a Secret. |
| 45 | + |
| 46 | +In order for this package to works, you will need a separate secret |
| 47 | +(do not use the application key). |
| 48 | + |
| 49 | +This package provides a command that can be used for generating a strong key. |
| 50 | + |
| 51 | +Get a new key by running: |
| 52 | + |
| 53 | +```bash |
| 54 | +php artisan jwt:generate |
| 55 | +``` |
| 56 | + |
| 57 | +Then, copy the generated key contents into your `.env` file. |
| 58 | + |
| 59 | +**NOTICE**: The key generation process will not automatically |
| 60 | +set it inside your `.env` file, do it manually. |
| 61 | + |
| 62 | +#### 4) Setup Guard |
| 63 | + |
| 64 | +In order to automatically authenticate your routes using `JWT` tokens, |
| 65 | +you need to change the guard driver to `jwt` |
| 66 | + |
| 67 | +Inside `config/auth.php` set the corresponding guard group you want to protect: |
| 68 | + |
| 69 | +If you have the default guard group named `api`, your `auth.php` |
| 70 | +should be like this: |
| 71 | + |
| 72 | +```php |
| 73 | + 'guards' => [ |
| 74 | + // ... other guards omitted. |
| 75 | + |
| 76 | + 'api' => [ |
| 77 | + 'driver' => 'jwt', // this is the line you need to change. |
| 78 | + 'provider' => 'users', |
| 79 | + ], |
| 80 | + ], |
| 81 | +``` |
| 82 | + |
| 83 | +That's it, we are all ready to use it. |
| 84 | + |
| 85 | + |
| 86 | + |
| 87 | +## Usage. |
| 88 | + |
| 89 | +This package aims to be dead simple to use. |
| 90 | + |
| 91 | +The following templates can be used to setup your existing |
| 92 | +authentication controllers and resources. |
| 93 | + |
| 94 | +**NOTICE**: Full working examples of use for this package |
| 95 | +will be added on this package when it reaches it's 1.0 version. |
| 96 | + |
| 97 | +### Protecting Routes. |
| 98 | + |
| 99 | +This package is fully integrated with Laravel Authentication. |
| 100 | + |
| 101 | +The default configuration (`config/jwt.php`) brings a sensitive value that |
| 102 | +is very useful when your application is not completely an API: **`'middleware_match`** |
| 103 | + |
| 104 | +By not completely an API, I mean, the JWT guard is not the default one. |
| 105 | + |
| 106 | +In those cases, in order to use the `auth` middleware, the config key |
| 107 | +**`middleware_match`** **MUST** be set to true. |
| 108 | + |
| 109 | +This configuration key allows non protected routes to work properly. |
| 110 | + |
| 111 | +Notice that this option will match middleware group names with guard names. |
| 112 | + |
| 113 | +> In this case, the 'api' middleware group will always use the `api` guard. |
| 114 | +> Also, the 'web' middleware group will always use the `web` guard. |
| 115 | +
|
| 116 | +If you do not use this value, you will need to use suffixes when referencing the |
| 117 | +`auth` middleware, like `auth:api`. |
| 118 | + |
| 119 | + |
| 120 | +### Issuing and Renewing Tokens. |
| 121 | + |
| 122 | +For issuing tokens, no special class is actually needed, |
| 123 | +you can just expect create a Guard current implementation from the IoC and work from there. |
| 124 | + |
| 125 | +Check out the examples. |
| 126 | + |
| 127 | + |
| 128 | +** On the following examples, all Guard instances are injected from `Illuminate\Contracts\Auth\Guard` ** |
| 129 | +** On the following examples, all Request instances are injected from `Illuminate\Http\Request` ** |
| 130 | + |
| 131 | +#### Token from User Instance. |
| 132 | + |
| 133 | +This method should be used when you just registered a user and any other |
| 134 | +special cases. |
| 135 | + |
| 136 | +```php |
| 137 | + |
| 138 | +public function tokenFromUser(Guard $auth) |
| 139 | +{ |
| 140 | + // generating a token from a given user. |
| 141 | + $user = SomeUserModel::find(12); |
| 142 | + |
| 143 | + // logs in the user |
| 144 | + $auth->login($user); |
| 145 | + |
| 146 | + // get and return a new token |
| 147 | + $token = $auth->issue(); |
| 148 | + |
| 149 | + return $token; |
| 150 | +} |
| 151 | + |
| 152 | +``` |
| 153 | + |
| 154 | +#### Token from User Credentials. |
| 155 | + |
| 156 | +This method should be used when you just registered a user and any other |
| 157 | +special cases. |
| 158 | + |
| 159 | +```php |
| 160 | + |
| 161 | +public function tokenFromCredentials(Guard $auth, Request $request) |
| 162 | +{ |
| 163 | + // get some credentials |
| 164 | + $credentials = $request->only(['email', 'password']); |
| 165 | + |
| 166 | + if ($auth->attempt($credentials)) { |
| 167 | + return $token = $auth->issue(); |
| 168 | + } |
| 169 | + |
| 170 | + return ['Invalid Credentials']; |
| 171 | +} |
| 172 | + |
| 173 | +``` |
| 174 | + |
| 175 | +#### Refreshing Tokens. |
| 176 | + |
| 177 | +Tokens can be refreshed in 2 different ways: Auto detect or manual. |
| 178 | + |
| 179 | +If you do not pass any argument into the refresh method, the Guard will |
| 180 | +look for either a **`Authorization`** header or a **`token`** field on the |
| 181 | +request's body. |
| 182 | + |
| 183 | +```php |
| 184 | + |
| 185 | +public function refreshToken(Guard $auth) |
| 186 | +{ |
| 187 | + // auto detecting token from request. |
| 188 | + $token = $auth->refresh(); |
| 189 | + |
| 190 | + // manually passing the token to be refreshed. |
| 191 | + $token = $auth->refresh($oldToken); |
| 192 | + |
| 193 | + return $token; |
| 194 | +} |
| 195 | +``` |
| 196 | + |
| 197 | +### Custom Claims. |
| 198 | + |
| 199 | +Of course, there are support for custom claims. |
| 200 | + |
| 201 | +You can set them in two ways. |
| 202 | + |
| 203 | +#### By explicitly passing them. |
| 204 | + |
| 205 | +```php |
| 206 | + |
| 207 | +$customClaims = [ |
| 208 | + 'custom1' => 'value1', |
| 209 | + 'custom2' => 'value2', |
| 210 | +]; |
| 211 | + |
| 212 | +// when issuing |
| 213 | +$auth->issue($customClaims); |
| 214 | + |
| 215 | +// when refreshing |
| 216 | +// custom claims are the second parameter as the first one is the |
| 217 | +// old token |
| 218 | +$auth->refresh(null, $customClaims); |
| 219 | + |
| 220 | +``` |
| 221 | + |
| 222 | +#### By Authenticatable method. |
| 223 | + |
| 224 | +If all your users will have the same custom claims, you can setup a default |
| 225 | +custom claims method on your User's model (or any other Authenticatable you're using): |
| 226 | + |
| 227 | +If the method `customJWTClaims()` is present on the model being issue the token against, |
| 228 | +this claims will be automatically included. |
| 229 | + |
| 230 | +```php |
| 231 | + |
| 232 | +class User extends Model implements Authenticatable |
| 233 | +{ |
| 234 | + public function customJWTClaims() |
| 235 | + { |
| 236 | + return [ |
| 237 | + 'email' => $this->email, |
| 238 | + 'name' => $this->name, |
| 239 | + ]; |
| 240 | + } |
| 241 | +} |
| 242 | + |
| 243 | + |
| 244 | + |
| 245 | + |
| 246 | +``` |