Tokenization
Introduction
Tokenization is a Dreamfork feature for generating authentication tokens, which are commonly used to authenticate requests to a backend API.
How It Works
Upon successful login, the user is issued a token. The client then sends that token with each request as a Bearer token in the Authorization header, and the request is authenticated based on it.
API Token Authentication
Issuing API Tokens
Tokenization allows you to generate API tokens, also known as personal access tokens, which can be used to authenticate API requests to your application. When making requests using API tokens, ensure that the token is included in the Authorization header as a Bearer token, i.e. Authorization: Bearer <token>.
To begin issuing tokens for users, your User model should utilize the Framework\Services\Auth\Token\Tokenable trait and Framework\Services\Auth\Traits\Authenticatable trait. The default User model provided by the framework already incorporates all the required traits for issuing and resolving tokens.
To issue a token, use the createToken method. This method returns a Framework\Services\Auth\Token\NewAccessToken instance. API tokens are hashed using SHA-256 before being stored in your database, so only the hash is ever persisted and the plain-text value cannot be recovered later. You can read the plain-text value from the plainTextToken property of the NewAccessToken instance; display it to the user immediately after the token is created, because this is the only moment it is available.
$token = Auth::user()->createToken('user');
return response()->json(['token' => $token->plainTextToken]);
The createToken method takes two arguments. The first argument is the token's name, which lets you label the kind of principal the token is issued for, such as user, moderator, or admin. The default value is user. The second argument specifies when the token should expire. The default value is null, meaning the token remains valid until it is explicitly revoked; for tokens handed out to clients, prefer setting an expiry so that a leaked token stops working on its own rather than only after manual revocation.
// The expiry is passed as a datetime string. The original example wrapped the literal
// in date(), which happens to return it unchanged because none of its characters are
// date() format codes; passing the string directly avoids that accident.
$token = Auth::user()->createToken('user', '2023-12-31 00:00:00');
return response()->json(['token' => $token->plainTextToken]);
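The issuing flow described above, pulled together into one controller action, as an added example rather than code from the Dreamfork project. It assumes the route is reached by an already-authenticated user and that Auth::user(), createToken(), plainTextToken and the response() helper behave exactly as this page describes; the controller name, the 30-day lifetime and the JSON field names are assumptions.

```php
<?php

// Added example, not Dreamfork's own code. Issues a short-lived API token and
// returns its plain-text value exactly once, together with its expiry so the
// client knows when to re-authenticate.
class TokenController
{
    public function issue()
    {
        // Assumes the session guard has already authenticated the caller.
        $user = Auth::user();

        // Expire in 30 days (an assumed lifetime). Passing null instead would
        // leave the token valid until it is explicitly revoked, which is the
        // less safe default for tokens handed out to clients.
        $expiresAt = date('Y-m-d H:i:s', strtotime('+30 days'));

        // Token name labels the principal type; 'user' is also the default.
        $token = $user->createToken('user', $expiresAt);

        // Only the SHA-256 hash is stored in the database, so this response is
        // the single opportunity to hand the plain-text token to the client.
        return response()->json([
            'token'      => $token->plainTextToken,
            'token_type' => 'Bearer',
            'expires_at' => $expiresAt,
        ]);
    }
}
```

The client stores the returned value and sends it on every subsequent request as Authorization: Bearer <token>; serve this endpoint over TLS only, since the plain-text token travels in the response body.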
You can access all of the user's tokens using the tokens relationship provided by the Tokenable trait:
foreach($request->user()->tokens() as $token) {
// ...
}
Protecting Routes
To protect routes and require authentication for all incoming requests, attach the guard to your protected routes within your routes/web.php and routes/api.php route files. The guard ensures that incoming requests carry a valid API token in the Authorization header as a Bearer token; requests without one are rejected.
Route::guard(function() {
Route::get('/user', [UserController::class, 'user']);
});
Revoking Tokens
Revoking a token means deleting it from your database. You can delete the token that authenticated the current request, or iterate over all of the user's tokens and delete each one in turn. Revoking every token is the right response to a suspected compromise or a password change, since it invalidates tokens held on all devices at once.
// Revoke the token used for authenticating the current request...
$request->user()->currentAccessToken->delete();
// Revoke all tokens...
foreach($request->user()->tokens() as $token) {
$token->delete();
}
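The route protection and revocation steps above, wired together into guarded logout endpoints, as an added example rather than Dreamfork's own code. It assumes Route::guard(), $request->user(), currentAccessToken and tokens() behave exactly as this page describes; Route::post(), the controller name, the method names and the paths are assumptions.

```php
<?php

// Added example, not Dreamfork's own code. Two revocation endpoints placed
// behind the token guard so that only an authenticated caller can revoke tokens.
class SessionController
{
    // Single-device logout: revoke only the token that authenticated this request.
    // Other tokens the user holds (other devices, other clients) keep working.
    public function logout($request)
    {
        $request->user()->currentAccessToken->delete();

        return response()->json(['revoked' => 1]);
    }

    // Logout everywhere: revoke every token the user holds. Appropriate after a
    // password change or when a token is suspected to have leaked.
    public function logoutAll($request)
    {
        $revoked = 0;
        foreach ($request->user()->tokens() as $token) {
            $token->delete();
            $revoked++;
        }

        // Report how many tokens were invalidated so the client can confirm
        // that the "logout everywhere" actually removed something.
        return response()->json(['revoked' => $revoked]);
    }
}

// routes/api.php. Both endpoints sit inside the guard, so a request without a
// valid Bearer token never reaches the controller. Route::post is assumed to
// exist alongside the Route::get shown on this page.
Route::guard(function () {
    Route::post('/logout', [SessionController::class, 'logout']);
    Route::post('/logout-all', [SessionController::class, 'logoutAll']);
});
```

Because the token presented on the request is itself deleted by logout, the same Bearer value will fail the guard on the very next request; there is no separate blocklist to maintain.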