我正在使用laravel v5.8,VueJS和护照v7.4进行身份验证。下面是我的登录功能:
public function login(Request $request)
{
$validator = Validator::make($request->all(), [
'email' => 'required|string|email',
'password' => 'required|string',
]);
if ($validator->fails()) {
return response([
'status' => 0,
'message' => $validator->errors()->first()
]);
}
$credentials = request(['email', 'password']);
if (!Auth::attempt($credentials))
return response()->json([
'status' => 0,
'message' => 'Unauthorized'
], 401);
$user = $request->user();
$tokenResult = $user->createToken('authToken');
$token = $tokenResult->token;
$token->save();
$user_role = Auth::user()->user_type;
$user->assignRole($user_role);
return response()->json([
'status' => 1,
'access_token' => $tokenResult->accessToken,
'token_type' => 'Bearer',
'expires_at' => Carbon::parse(
$tokenResult->token->expires_at
)->toDateTimeString(),
]);
}
我的问题是我的令牌会在10秒后过期(这是出于测试目的)。因此,我使用VueJS中的以下功能来检查令牌是否过期的所有路径:
isValid(token) {
const payload = this.payload(token);
if (payload) {
const datetime = Math.floor(Date.now() / 1000);
return payload.exp >= datetime ? true : false;
}
return false;
}
所以这很好,但是我应该怎么做才能刷新令牌?我们可以制作一个中间件来单独处理吗?还是有办法检测用户是否正在积极使用该应用程序,例如在基于正常会话的身份验证中?
好像您是在重新发明轮子,我建议您向护照/ oauth / token发出请求,然后将其返回access_token并刷新令牌。同样为了摆脱构建身份验证控制层,我正在使用nuxtjs。
下面的示例需要guzzlehttp / guzzle软件包。
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Http\Resources\User;
use Illuminate\Http\Request;
use GuzzleHttp\Client;
class AuthController extends Controller
{
/**
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function user(Request $request)
{
return response()->json(['user' => new User($request->user())]);
}
/**
* @param Request $request
* @return \Illuminate\Http\JsonResponse|\Psr\Http\Message\StreamInterface
*/
public function login (Request $request)
{
$http = new Client;
try {
$response = $http->post(config('app.url') . '/oauth/token', [
'form_params' => [
'grant_type' => 'password',
'client_id' => '2',
'client_secret' => 'ugjAn1BD4Cs8gAP63RqixyCOD3Z1dUrrNiEgxQtN',
'username' => $request->get('email'),
'password' => $request->get('password')
]
]);
return $response->getBody();
} catch (\GuzzleHttp\Exception\BadResponseException $e) {
if (400 === $e->getCode()) {
return response()->json(['message' => 'Invalid request. Please enter username and password'], $e->getCode());
} else if (401 === $e->getCode()) {
return response()->json([message' => 'Your credentials are incorrect. Please try again.'], $e->getCode());
}
}
return response()->json(['message' => 'Something went wrong please try again later. ' . $e->getMessage()], $e->getCode());
}
/**
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
function logout (Request $request)
{
$request->user()->tokens->each(function ($token, $key) {
$token->delete();
});
return response()->json(['message' => 'Logged out successfully'], 200);
}
}
我知道另一个主意:
生成登录,设置很长的过期时间。
并将令牌保存到redis,redis ttl拥有一个真正的到期时间。
非常请求需要检查是redis中的令牌,如果存在,则修改ttl,如果没有,则意味着令牌已过期,需要重新登录。