I want to validate my RESTful API using token authentication. Two key options provided are http://ift.tt/1GFm4Yr and Laravel's own inbuilt token authentication.
I'm unable to make jwt-auth work for me even if it looks the most promising, so I decide to check on Laravel's implementation.
It is pretty straightforward. Create an extra field api_token in users DB, generate a random string and store it against the users record IN PLAIN TEXT, then any request the user sends they should append the api_token, which you shall authenticate by checking its existence in the DB. Just that.
Isn't that like storing passwords in plain text because anyone who happens to have access to the DB is as good as authenticated? Isn't there an outright security risk there? Someone help me understand this one.
Also, how does one handle things like invalidating the token, giving the token an expiry period, and such?
from Newest questions tagged laravel-5 - Stack Overflow http://ift.tt/2l6CCRF
via IFTTT
Aucun commentaire:
Enregistrer un commentaire