Basic auth is only secure over HTTPS, same as OAuth 2. Passing the username and password as Basic Auth every time (since RESTful APIs should be stateless, therefore creating a session isn't the way to go) is a fair approach, but it means likely having to store the user's username and password, not ideal. A similar approach is to exchange the username and password for a generated API key which acts like a session, and provide that key as a header (like X-API-Key) for every request (fulfilling the stateless requirement) -- or another common way is providing it as the username for Basic auth, and accessing it using Request::getUser().
It's not inherently flawed, just be careful to use HTTPS for production and store the username/password safely on the client, or better yet use short-lived API keys.
Implementing an OAuth 2 server is going to be better, but also more complex.
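A middleware along the lines of that answer, as an added example that is not code from this thread or from any library mentioned in it: it accepts the key from an X-API-Key header or as the Basic auth username, looks it up by hash, and rejects expired keys so they can be short-lived. The ApiKey model, its api_keys table (key_hash, user_id, expires_at cast to datetime) and its user relation are assumptions.

```php
<?php
// Added example, not from the thread: stateless API key check for Laravel.
// Assumes a hypothetical ApiKey Eloquent model backed by an `api_keys` table
// with key_hash, user_id and expires_at (cast to datetime) columns, plus a
// user() relation. Keys are stored only as SHA-256 hashes, never in plaintext.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use App\Models\ApiKey; // assumed model

class AuthenticateApiKey
{
    public function handle(Request $request, Closure $next)
    {
        // Header first; fall back to the Basic auth username (Request::getUser()).
        $presented = $request->header('X-API-Key') ?: $request->getUser();

        if (!is_string($presented) || $presented === '') {
            return response()->json(['error' => 'missing API key'], 401);
        }

        // Look up by hash: a leaked table does not yield usable keys, and the
        // database does the matching, so no plaintext comparison is needed here.
        $record = ApiKey::where('key_hash', hash('sha256', $presented))->first();

        if ($record === null || ($record->expires_at !== null && $record->expires_at->isPast())) {
            // Same response for unknown and expired keys: no hint about which it was.
            return response()->json(['error' => 'invalid or expired API key'], 401);
        }

        // Resolve the user for this request only; no session is created.
        $request->setUserResolver(fn () => $record->user);

        return $next($request);
    }

    /** Issue a short-lived key; the plaintext is returned once and never stored. */
    public static function issue(int $userId, int $ttlMinutes = 60): string
    {
        $plain = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        ApiKey::create([
            'user_id'    => $userId,
            'key_hash'   => hash('sha256', $plain),
            'expires_at' => now()->addMinutes($ttlMinutes),
        ]);
        return $plain;
    }
}
```

Register the middleware on the API route group and serve it only over HTTPS, since both the header and the Basic auth username travel in cleartext otherwise.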
So the best way to go is with an OAuth 2 server?
In here you have an implementation for Laravel, but you will need to use HTTPS
This library for Laravel 4 uses API key authentication on your controllers:
https://github.com/chrisbjr/api-guard
You would typically put your API key as part of your header - preferably the "Authorization" header so it would be encrypted when using HTTPS/SSL.
A better method of authenticating tokens in a Laravel REST API is by using Laravel Passport (https://www.cloudways.com/blog/rest-api-laravel-passport-authentication/). It is a package that makes the authentication much easier and quicker. Passport provides a full OAuth2 server implementation for Laravel applications.