Laravel Passport API 认证使用小结

Laravel Passport API 认证使用小结

八月 4, 2017 发布在  Laravel

看到Laravel-China 社区常有人问 Laravel Passport 用于密码验证方式来获取 Token 的问题，恰好我最近一个 API 项目使用 Laravel Dingo Api+Passport，也是使用 Oauth2 的'grant_type' => 'password'密码受权来作 Auth 验证，对于如何作登陆登出，以及多帐号系统的认证等经常使用场景作一下简单的使用小总结。

基本配置

基本安装配置主要参照官方文档,具体不详细说，列出关键代码段

config/auth.php

'guards' => [ 'api' => [ 'driver' => 'passport', 'provider' => 'users', ], ], 'providers' => [ 'users' => [ 'driver' => 'eloquent', 'model' => \App\Models\User::class ], ], 

Providers/AuthServiceProvider.php

public function boot() { $this->registerPolicies(); //默认令牌发放的有效期是永久 //Passport::tokensExpireIn(Carbon::now()->addDays(2)); //Passport::refreshTokensExpireIn(Carbon::now()->addDays(4)); Passport::routes(function (RouteRegistrar $router) { //对于密码受权的方式只要这几个路由就能够了 config(['auth.guards.api.provider' => 'users']); $router->forAccessTokens(); }); } 

Middleware/AuthenticateApi.php 自定义中间件返回

<?php namespace App\Http\Middleware; use Closure; use Illuminate\Auth\Middleware\Authenticate; use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; class AuthenticateApi extends Authenticate { protected function authenticate(array $guards) { if ($this->auth->guard('api')->check()) { return $this->auth->shouldUse('api'); } throw new UnauthorizedHttpException('', 'Unauthenticated'); } } 

App/Http/Kernel.php

/** * The application's route middleware. * * These middleware may be assigned to groups or used individually. * * @var array */ protected $routeMiddleware = [ 'api-auth' => AuthenticateApi::class, ...... ]; } 

帐号验证字段不止邮箱

对于帐号验证不止是数据表中的 emial 字段，还多是用户名或者手机号字段只须要在 User 模型中添加findForPassport方法，示例代码以下:

App\Models\Users

class User extends Authenticatable implements Transformable { use TransformableTrait, HasApiTokens, SoftDeletes; public function findForPassport($login) { return $this->orWhere('email', $login)->orWhere('phone', $login)->first(); } } 

客户端获取 access_token 请求只传用户名和密码

对于密码受权的方式须要提交的参数以下:

$response = $http->post('http://your-app.com/oauth/token', [ 'form_params' => [ 'grant_type' => 'password', 'client_id' => 'client-id', 'client_secret' => 'client-secret', 'username' => 'taylor@laravel.com', 'password' => 'my-password', 'scope' => '', ], ]); 

可是客户端请求的时候不想把grant_type,client_id,client_secret,scope放到请求参数中或者暴露给客户端，只像 JWT 同样只发送username和password 怎么办？很简单咱们只要将不须要请求的放到配置文件中，而后客户端请求用户名密码之后咱们再向oauth/token发送请求带上相关的配置就能够了。

.env.php

OAUTH_GRANT_TYPE=password OAUTH_CLIENT_ID=1 OAUTH_CLIENT_SECRET=EvE4UPGc25TjXwv9Lmk432lpp7Uzb8G4fNJsyJ83 OAUTH_SCOPE=* 

config/passport.php 固然该配置你能够配置多个client

return [ 'grant_type' => env('OAUTH_GRANT_TYPE'), 'client_id' => env('OAUTH_CLIENT_ID'), 'client_secret' => env('OAUTH_CLIENT_SECRET'), 'scope' => env('OAUTH_SCOPE', '*'), ]; 

LoginController.php的示例代码以下，由于用了Dingo Api配置了api前缀，因此请求/api/oauth/token

/** * 获取登陆TOKEN * @param LoginRequest $request * @return \Illuminate\Http\JsonResponse */ public function token(LoginRequest $request) { $username = $request->get('username'); $user = User::orWhere('email', $username)->orWhere('phone', $username)->first(); if ($user && ($user->status == 0)) { throw new UnauthorizedHttpException('', '帐号已被禁用'); } $client = new Client(); try { $request = $client->request('POST', request()->root() . '/api/oauth/token', [ 'form_params' => config('passport') + $request->only(array_keys($request->rules())) ]); } catch (RequestException $e) { throw new UnauthorizedHttpException('', '帐号验证失败'); } if ($request->getStatusCode() == 401) { throw new UnauthorizedHttpException('', '帐号验证失败'); } return response()->json($request->getBody()->getContents()); } 

退出登陆并清除 Token

对于客户端退出后并清除记录在oauth_access_tokens表中的记录，示例代码以下:

/** * 退出登陆 */ public function logout() { if (\Auth::guard('api')->check()) { \Auth::guard('api')->user()->token()->delete(); } return response()->json(['message' => '登出成功', 'status_code' => 200, 'data' => null]); } 

根据用户 ID 认证用户

app('auth')->guard('api')->setUser(User::find($userId)); 

多用户表（多 Auth）认证

好比针对客户表和管理员表分别作 Auth 认证的状况，也列出关键代码段:

'guards' => [ 'api' => [ 'driver' => 'passport', 'provider' => 'users', ], 'admin_api' => [ 'driver' => 'passport', 'provider' => 'admin_users', ], ], 'providers' => [ 'users' => [ 'driver' => 'eloquent', 'model' => \App\Models\User::class ], 'admin_users' => [ 'driver' => 'eloquent', 'model' => \App\Models\AdminUser::class ], ], 

新建一个PasspordAdminServiceProvider来实现咱们本身的PasswordGrant,别忘了添加到config/app.php的providers配置段中

AppProviders/PasspordAdminServiceProvider

<?php namespace App\Providers; use App\Foundation\Repository\AdminUserPassportRepository; use League\OAuth2\Server\Grant\PasswordGrant; use Laravel\Passport\PassportServiceProvider as BasePassportServiceProvider; use Laravel\Passport\Passport; class PasspordAdminServiceProvider extends BasePassportServiceProvider { /** * Create and configure a Password grant instance. * * @return PasswordGrant */ protected function makePasswordGrant() { $grant = new PasswordGrant( //主要是这里，咱们调用咱们本身UserRepository $this->app->make(AdminUserPassportRepository::class), $this->app->make(\Laravel\Passport\Bridge\RefreshTokenRepository::class) ); $grant->setRefreshTokenTTL(Passport::refreshTokensExpireIn()); return $grant; } } 

新建AdminUserPassportRepository，Password 的验证主要经过getUserEntityByUserCredentials,它读取配置的guards对应的provider来作认证，咱们重写该方法，经过传递一个参数来告诉它咱们要用哪一个guard来作客户端认证

<?php namespace App\Foundation\Repository; use App; use Illuminate\Http\Request; use League\OAuth2\Server\Entities\ClientEntityInterface; use Laravel\Passport\Bridge\UserRepository; use Laravel\Passport\Bridge\User; use RuntimeException; class AdminUserPassportRepository extends UserRepository { public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity) { $guard = App::make(Request::class)->get('guard') ?: 'api';//其实关键的就在这里，就是经过传递一个guard参数来告诉它咱们是使用api仍是admin_api provider来作认证 $provider = config("auth.guards.{$guard}.provider"); if (is_null($model = config("auth.providers.{$provider}.model"))) { throw new RuntimeException('Unable to determine user model from configuration.'); } if (method_exists($model, 'findForPassport')) { $user = (new $model)->findForPassport($username); } else { $user = (new $model)->where('email', $username)->first(); } if (!$user) { return; } elseif (method_exists($user, 'validateForPassportPasswordGrant')) { if (!$user->validateForPassportPasswordGrant($password)) { return; } } elseif (!$this->hasher->check($password, $user->password)) { return; } return new User($user->getAuthIdentifier()); } } 

登陆和单用户系统同样，只是在请求oauth/token的时候带上guard参数，示例代码以下:

Admin/Controllers/Auth/LoginController.php

<?php namespace Admin\Controllers\Auth; use Admin\Requests\Auth\LoginRequest; use App\Http\Controllers\Controller; use App\Models\User; use GuzzleHttp\Client; use GuzzleHttp\Exception\RequestException; use Illuminate\Foundation\Auth\AuthenticatesUsers; use Illuminate\Http\Request; use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; class LoginController extends Controller { /* |-------------------------------------------------------------------------- | Login Controller |-------------------------------------------------------------------------- | | This controller handles authenticating users for the application and | redirecting them to your home screen. The controller uses a trait | to conveniently provide its functionality to your applications. | */ use AuthenticatesUsers; /** * Create a new controller instance. * * @return void */ public function __construct() { $this->middleware('guest')->except('logout'); } /** * 获取登陆TOKEN * @param LoginRequest $request * @return \Illuminate\Http\JsonResponse */ public function token(LoginRequest $request) { $username = $request->get('username'); $user = User::orWhere('email', $username)->orWhere('phone', $username)->first(); if ($user && ($user->status == 0)) { throw new UnauthorizedHttpException('', '帐号已被禁用'); } $client = new Client(); try { $request = $client->request('POST', request()->root() . '/api/oauth/token', [ 'form_params' => config('passport') + $request->only(array_keys($request->rules())) + ['guard' => 'admin_api'] ]); } catch (RequestException $e) { throw new UnauthorizedHttpException('', '帐号验证失败'); } if ($request->getStatusCode() == 401) { throw new UnauthorizedHttpException('', '帐号验证失败'); } return response()->json($request->getBody()->getContents()); } /** * 退出登陆 */ public function logout() { if (\Auth::guard('admin_api')->check()) { \Auth::guard('admin_api')->user()->token()->delete(); } return response()->json(['message' => '登出成功', 'status_code' => 200, 'data' => null]); } } 

转载请注明：  转载自Ryan 是菜鸟 | LNMP 技术栈笔记