huangliuyu00 2019-06-21
看到Laravel-China社区常有人问Laravel Passport用于密码验证方式来获取Token的问题,刚好我最近一个API项目使用Laravel Dingo Api
+Passport
,也是使用Oauth2 的'grant_type' => 'password'
密码授权来做Auth验证,对于如何做登录登出,以及多账号系统的认证等常用场景做一下简单的使用小总结。
基本安装配置主要参照官方文档,具体不详细说,列出关键代码段
config/auth.php
'guards' => [ 'api' => [ 'driver' => 'passport', 'provider' => 'users', ], ], 'providers' => [ 'users' => [ 'driver' => 'eloquent', 'model' => \App\Models\User::class ], ],
Providers/AuthServiceProvider.php
public function boot() { $this->registerPolicies(); //默认令牌发放的有效期是永久 //Passport::tokensExpireIn(Carbon::now()->addDays(2)); //Passport::refreshTokensExpireIn(Carbon::now()->addDays(4)); Passport::routes(function (RouteRegistrar $router) { //对于密码授权的方式只要这几个路由就可以了 config(['auth.guards.api.provider' => 'users']); $router->forAccessTokens(); }); }
Middleware/AuthenticateApi.php 自定义中间件返回
<?php namespace App\Http\Middleware; use Closure; use Illuminate\Auth\Middleware\Authenticate; use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; class AuthenticateApi extends Authenticate { protected function authenticate(array $guards) { if ($this->auth->guard('api')->check()) { return $this->auth->shouldUse('api'); } throw new UnauthorizedHttpException('', 'Unauthenticated'); } }
App/Http/Kernel.php
/** * The application's route middleware. * * These middleware may be assigned to groups or used individually. * * @var array */ protected $routeMiddleware = [ 'api-auth' => AuthenticateApi::class, ...... ]; }
对于账号验证不止是数据表中的emial字段,还可能是用户名或者手机号字段只需要在User模型中添加findForPassport
方法,示例代码如下:
AppModelsUsers
class User extends Authenticatable implements Transformable { use TransformableTrait, HasApiTokens, SoftDeletes; public function findForPassport($login) { return $this->orWhere('email', $login)->orWhere('phone', $login)->first(); } }
对于密码授权的方式需要提交的参数如下:
$response = $http->post('http://your-app.com/oauth/token', [ 'form_params' => [ 'grant_type' => 'password', 'client_id' => 'client-id', 'client_secret' => 'client-secret', 'username' => '[email protected]', 'password' => 'my-password', 'scope' => '', ], ]);
但是客户端请求的时候不想把grant_type
,client_id
,client_secret
,scope
放到请求参数中或者暴露给客户端,只像JWT一样只发送username
和password
怎么办?很简单我们只要将不需要请求的放到配置文件中,然后客户端请求用户名密码以后我们再向oauth/token
发送请求带上相关的配置就可以了。
.env.php
OAUTH_GRANT_TYPE=password OAUTH_CLIENT_ID=1 OAUTH_CLIENT_SECRET=EvE4UPGc25TjXwv9Lmk432lpp7Uzb8G4fNJsyJ83 OAUTH_SCOPE=*
config/passport.php 当然该配置你可以配置多个client
return [ 'grant_type' => env('OAUTH_GRANT_TYPE'), 'client_id' => env('OAUTH_CLIENT_ID'), 'client_secret' => env('OAUTH_CLIENT_SECRET'), 'scope' => env('OAUTH_SCOPE', '*'), ];
LoginController.php的示例代码如下,因为用了Dingo Api
配置了api
前缀,所以请求/api/oauth/token
/** * 获取登录TOKEN * @param LoginRequest $request * @return \Illuminate\Http\JsonResponse */ public function token(LoginRequest $request) { $username = $request->get('username'); $user = User::orWhere('email', $username)->orWhere('phone', $username)->first(); if ($user && ($user->status == 0)) { throw new UnauthorizedHttpException('', '账号已被禁用'); } $client = new Client(); try { $request = $client->request('POST', request()->root() . '/api/oauth/token', [ 'form_params' => config('passport') + $request->only(array_keys($request->rules())) ]); } catch (RequestException $e) { throw new UnauthorizedHttpException('', '账号验证失败'); } if ($request->getStatusCode() == 401) { throw new UnauthorizedHttpException('', '账号验证失败'); } return response()->json($request->getBody()->getContents()); }
对于客户端退出后并清除记录在oauth_access_tokens
表中的记录,示例代码如下:
/** * 退出登录 */ public function logout() { if (\Auth::guard('api')->check()) { \Auth::guard('api')->user()->token()->delete(); } return response()->json(['message' => '登出成功', 'status_code' => 200, 'data' => null]); }
app('auth')->guard('api')->setUser(User::find($userId));
比如针对客户表和管理员表分别做Auth认证的情况,也列出关键代码段:
'guards' => [ 'api' => [ 'driver' => 'passport', 'provider' => 'users', ], 'admin_api' => [ 'driver' => 'passport', 'provider' => 'admin_users', ], ], 'providers' => [ 'users' => [ 'driver' => 'eloquent', 'model' => \App\Models\User::class ], 'admin_users' => [ 'driver' => 'eloquent', 'model' => \App\Models\AdminUser::class ], ],
新建一个PasspordAdminServiceProvider来实现我们自己的PasswordGrant
,别忘了添加到config/app.php
的providers
配置段中
AppProviders/PasspordAdminServiceProvider
<?php namespace App\Providers; use App\Foundation\Repository\AdminUserPassportRepository; use League\OAuth2\Server\Grant\PasswordGrant; use Laravel\Passport\PassportServiceProvider as BasePassportServiceProvider; use Laravel\Passport\Passport; class PasspordAdminServiceProvider extends BasePassportServiceProvider { /** * Create and configure a Password grant instance. * * @return PasswordGrant */ protected function makePasswordGrant() { $grant = new PasswordGrant( //主要是这里,我们调用我们自己UserRepository $this->app->make(AdminUserPassportRepository::class), $this->app->make(\Laravel\Passport\Bridge\RefreshTokenRepository::class) ); $grant->setRefreshTokenTTL(Passport::refreshTokensExpireIn()); return $grant; } }
新建AdminUserPassportRepository,Password的验证主要通过getUserEntityByUserCredentials
,它读取配置的guards
对应的provider
来做认证,我们重写该方法,通过传递一个参数来告诉它我们要用哪个guard
来做客户端认证
<?php namespace App\Foundation\Repository; use App; use Illuminate\Http\Request; use League\OAuth2\Server\Entities\ClientEntityInterface; use Laravel\Passport\Bridge\UserRepository; use Laravel\Passport\Bridge\User; use RuntimeException; class AdminUserPassportRepository extends UserRepository { public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity) { $guard = App::make(Request::class)->get('guard') ?: 'api';//其实关键的就在这里,就是通过传递一个guard参数来告诉它我们是使用api还是admin_api provider来做认证 $provider = config("auth.guards.{$guard}.provider"); if (is_null($model = config("auth.providers.{$provider}.model"))) { throw new RuntimeException('Unable to determine user model from configuration.'); } if (method_exists($model, 'findForPassport')) { $user = (new $model)->findForPassport($username); } else { $user = (new $model)->where('email', $username)->first(); } if (!$user) { return; } elseif (method_exists($user, 'validateForPassportPasswordGrant')) { if (!$user->validateForPassportPasswordGrant($password)) { return; } } elseif (!$this->hasher->check($password, $user->password)) { return; } return new User($user->getAuthIdentifier()); } }
登录和单用户系统一样,只是在请求oauth/token
的时候带上guard
参数,示例代码如下:
Admin/Controllers/Auth/LoginController.php
<?php namespace Admin\Controllers\Auth; use Admin\Requests\Auth\LoginRequest; use App\Http\Controllers\Controller; use App\Models\AdminUser; use GuzzleHttp\Client; use GuzzleHttp\Exception\RequestException; use Illuminate\Foundation\Auth\AuthenticatesUsers; use Illuminate\Http\Request; use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; class LoginController extends Controller { /* |-------------------------------------------------------------------------- | Login Controller |-------------------------------------------------------------------------- | | This controller handles authenticating users for the application and | redirecting them to your home screen. The controller uses a trait | to conveniently provide its functionality to your applications. | */ use AuthenticatesUsers; /** * Create a new controller instance. * * @return void */ public function __construct() { $this->middleware('guest')->except('logout'); } /** * 获取登录TOKEN * @param LoginRequest $request * @return \Illuminate\Http\JsonResponse */ public function token(LoginRequest $request) { $username = $request->get('username'); $user = AdminUser::orWhere('email', $username)->orWhere('phone', $username)->first(); if ($user && ($user->status == 0)) { throw new UnauthorizedHttpException('', '账号已被禁用'); } $client = new Client(); try { $request = $client->request('POST', request()->root() . '/api/oauth/token', [ 'form_params' => config('passport') + $request->only(array_keys($request->rules())) + ['guard' => 'admin_api'] ]); } catch (RequestException $e) { throw new UnauthorizedHttpException('', '账号验证失败'); } if ($request->getStatusCode() == 401) { throw new UnauthorizedHttpException('', '账号验证失败'); } return response()->json($request->getBody()->getContents()); } /** * 退出登录 */ public function logout() { if (\Auth::guard('admin_api')->check()) { \Auth::guard('admin_api')->user()->token()->delete(); } return response()->json(['message' => '登出成功', 'status_code' => 200, 'data' => null]); } }
转载请注明: 转载自Ryan是菜鸟 | LNMP技术栈笔记
如果觉得本篇文章对您十分有益,何不 打赏一下
本文链接地址: Laravel Passport API 认证使用小结