API认证 #

Laravel API认证方式
├── Sanctum
│   ├── API Token认证
│   └── SPA认证
├── Passport
│   └── OAuth2认证
└── Basic Auth
    └── HTTP基础认证

composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate

// config/sanctum.php
return [
    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', '')),
    'guard' => ['web'],
    'expiration' => null,
    'middleware' => [
        'authenticate_session' => Laravel\Sanctum\Http\Middleware\AuthenticateSession::class,
        'encrypt_cookies' => Illuminate\Cookie\Middleware\EncryptCookies::class,
        'validate_csrf_token' => Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
    ],
];

use Laravel\Sanctum\HasApiTokens;

class User extends Model
{
    use HasApiTokens;
}

// 控制器中
public function login(Request $request)
{
    $credentials = $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    if (!Auth::attempt($credentials)) {
        return response()->json([
            'message' => '邮箱或密码错误',
        ], 401);
    }

    $user = Auth::user();
    $token = $user->createToken('api-token')->plainTextToken;

    return response()->json([
        'user' => $user,
        'token' => $token,
    ]);
}

// 路由
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });
    
    Route::apiResource('posts', PostController::class);
});

// 创建带能力的Token
$token = $user->createToken('api-token', ['post:create', 'post:update'])->plainTextToken;

// 检查能力
if ($user->tokenCan('post:create')) {
    // 允许创建
}

// 中间件检查
Route::middleware(['auth:sanctum', 'abilities:post:create'])->group(function () {
    // ...
});

// 撤销当前Token
$request->user()->currentAccessToken()->delete();

// 撤销所有Token
$request->user()->tokens()->delete();

// 撤销指定Token
$request->user()->tokens()->where('id', $tokenId)->delete();

// config/sanctum.php
'expiration' => 525600, // 1年（分钟）

// 或在创建时设置
$token = $user->createToken('api-token', ['*'], now()->addDays(7));

composer require laravel/passport
php artisan migrate
php artisan passport:install

// app/Models/User.php
use Laravel\Passport\HasApiTokens;

class User extends Model
{
    use HasApiTokens;
}

// app/Providers/AuthServiceProvider.php
use Laravel\Passport\Passport;

public function boot()
{
    Passport::loadKeysFrom(storage_path());
    Passport::tokensExpireIn(now()->addDays(15));
    Passport::refreshTokensExpireIn(now()->addDays(30));
    Passport::personalAccessTokensExpireIn(now()->addMonths(6));
}

// config/auth.php
'guards' => [
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

// 获取Token
$token = $user->createToken('MyApp')->accessToken;

// 或通过HTTP请求
Route::post('/oauth/token', function (Request $request) {
    $request->request->add([
        'grant_type' => 'password',
        'client_id' => config('services.passport.client_id'),
        'client_secret' => config('services.passport.client_secret'),
        'username' => $request->email,
        'password' => $request->password,
        'scope' => '',
    ]);
    
    $tokenRequest = Request::create('/oauth/token', 'POST');
    return app()->handle($tokenRequest);
});

Route::post('/oauth/token', function (Request $request) {
    $request->request->add([
        'grant_type' => 'client_credentials',
        'client_id' => $request->client_id,
        'client_secret' => $request->client_secret,
        'scope' => '',
    ]);
    
    $tokenRequest = Request::create('/oauth/token', 'POST');
    return app()->handle($tokenRequest);
});

Route::middleware('auth:api')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });
});

// 定义作用域
Passport::tokensCan([
    'user-read' => '读取用户信息',
    'user-write' => '写入用户信息',
    'post-read' => '读取文章',
    'post-write' => '写入文章',
]);

// 默认作用域
Passport::setDefaultScope([
    'user-read',
    'post-read',
]);

// 检查作用域
if ($user->tokenCan('user-write')) {
    // 允许
}

// 中间件
Route::middleware(['auth:api', 'scope:user-read,user-write'])->group(function () {
    // ...
});

SANCTUM_STATEFUL_DOMAINS=localhost,127.0.0.1
SESSION_DOMAIN=localhost

// 获取CSRF Token
Route::get('/sanctum/csrf-cookie', function () {
    return response()->noContent();
});

// 获取CSRF Cookie
await axios.get('/sanctum/csrf-cookie');

// 登录
await axios.post('/login', {
    email: 'user@example.com',
    password: 'password',
});

// 获取用户信息
const response = await axios.get('/api/user');

public function login(Request $request)
{
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
        'device_name' => 'required',
    ]);

    $user = User::where('email', $request->email)->first();

    if (!$user || !Hash::check($request->password, $user->password)) {
        return response()->json([
            'message' => '认证失败',
        ], 401);
    }

    return response()->json([
        'token' => $user->createToken($request->device_name)->plainTextToken,
    ]);
}

curl -H "Authorization: Bearer {token}" \
     -H "Accept: application/json" \
     http://example.com/api/user

class EnsureTokenIsValid
{
    public function handle($request, Closure $next)
    {
        if (!$request->bearerToken()) {
            return response()->json([
                'message' => '未提供认证Token',
            ], 401);
        }

        return $next($request);
    }
}

// bootstrap/app.php
->withMiddleware(function (Middleware $middleware) {
    $middleware->alias([
        'token.valid' => \App\Http\Middleware\EnsureTokenIsValid::class,
    ]);
})

// 安全存储Token
// 数据库加密
Schema::table('personal_access_tokens', function (Blueprint $table) {
    $table->text('token')->change(); // 加密存储
});

// 定期刷新Token
$user->tokens()->where('created_at', '<', now()->subDays(30))->delete();

// 限制用户Token数量
if ($user->tokens()->count() >= 5) {
    // 删除最旧的Token
    $user->tokens()->oldest()->first()->delete();
}