Basic auth is only secure over HTTPS, same as OAuth 2. Passing the username and password as Basic Auth every time (since RESTful APIs should be stateless, therefore creating a session isn't the way to go) is a fair approach, but it means likely having to store the user's username and password, not ideal. A similar approach is to exchange the username and password for a generated API key which acts like a session, and provide that key as a header (like X-API-Key) for every request (fulfilling the stateless requirement) -- or another common way is providing it as the username for Basic auth, and accessing it using
It's not inherently flawed, just be careful to use HTTPS for production and store the username/password safely on the client, or better yet use short-lived API keys.
Implementing an OAuth 2 server is going to be better, but also more complex.
So the best way to go is with an OAuth 2 server?
In here you have an implementation for Laravel, but you will need to use HTTPS
This library for Laravel 4 uses API key authentication on your controllers:
You would typically put your API key as part of your header - preferably the "Authorization" header so it would be encrypted when using HTTPS/SSL.
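As an added illustration (not code posted in this thread) of the scheme described above, here is a Laravel middleware that accepts a short-lived API key either from an X-API-Key header or as the Basic-auth username inside the Authorization header, and only over HTTPS. The `ApiKey` model, its `key_hash`/`expires_at` columns and `user()` relation are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical `ApiKey` Eloquent
// model with `key_hash` (sha256 of the raw key), `expires_at` (cast to datetime)
// and a `user()` relation. Only the hash is ever stored.
namespace App\Http\Middleware;

use App\Models\ApiKey;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AuthenticateApiKey
{
    public function handle(Request $request, Closure $next): Response
    {
        // The key is a bearer secret: only accept it over TLS outside local dev.
        if (!$request->secure() && !app()->environment('local')) {
            return response()->json(['error' => 'HTTPS required'], 426);
        }
        $raw = $this->extractKey($request);
        if ($raw === null) {
            return response()->json(['error' => 'Unauthenticated'], 401);
        }
        // A leaked table yields no usable keys because only hashes are stored;
        // hash_equals() keeps the final comparison constant-time.
        $candidate = hash('sha256', $raw);
        $apiKey = ApiKey::where('key_hash', $candidate)->first();
        if ($apiKey === null || !hash_equals($apiKey->key_hash, $candidate)
            || $apiKey->expires_at->isPast()) {
            return response()->json(['error' => 'Unauthenticated'], 401);
        }
        // Resolve the user for this request only: no session, so the API stays stateless.
        $request->setUserResolver(fn () => $apiKey->user);

        return $next($request);
    }

    /** Header takes precedence; otherwise the Basic-auth username carries the key. */
    private function extractKey(Request $request): ?string
    {
        $header = $request->header('X-API-Key');
        if (is_string($header) && $header !== '') {
            return $header;
        }
        $basicUser = $request->getUser(); // parsed from "Authorization: Basic ..."
        return ($basicUser !== null && $basicUser !== '') ? $basicUser : null;
    }
}
```

Register it on the API route group and issue keys with an `expires_at` a few hours out, so a stolen key stops working without any server-side session state.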
A better method of authenticating tokens in a Laravel REST API is by using Laravel Passport (https://www.cloudways.com/blog/rest-api-laravel-passport-authe...). It is a package that makes the authentication much easier and quicker. Passport provides a full OAuth2 server implementation for Laravel applications.