
I have created an API which uses JWT to authorise users, and this works great of course.

Some parts of my API need to be accessed without the user logging in. I would call them an anonymous user or public access to the API.

However, there must be some token based authentication, otherwise a malicious user could simply access my API and build their own front-end. I don't want that.

How can I use JWT to authorise a token against something other than the user model, as well as having user authentication?

And how would I send said token, given that there would be no form submission for these public pages?

Here is an example of my existing JWT auth script, for reference. As I said, I don't want to change this; I want to add some functionality to authenticate my index page, instead of auth'ing a user.

AuthenticateController.php :

    ...

    public function authenticate(Request $request)
    {
        $credentials = $request->only('email', 'password');

        try {
            // verify the credentials and create a token for the user
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // something went wrong
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        // if no errors are encountered we can return a JWT
        return response()->json(compact('token'));
    }

    ...

jwt.php (using only the user model):

    /*
    |--------------------------------------------------------------------------
    | User Model namespace
    |--------------------------------------------------------------------------
    |
    | Specify the full namespace to your User model.
    | e.g. 'Acme\Entities\User'
    |
    */

    'user' => 'App\User',

    /*
    |--------------------------------------------------------------------------
    | User identifier
    |--------------------------------------------------------------------------
    |
    | Specify a unique property of the user that will be added as the 'sub'
    | claim of the token payload.
    |
    */

    'identifier' => 'user_id',

Any advice or ideas would be appreciated. I'm sorry I haven't got further with this, but I'm not sure even on a conceptual level how this would be done! This is my first attempt at an API based app. Thanks.

EDIT: After a bit of googling, it seems I want to use JWT to generate and send an API key... but how?

Leon
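One way to do what the question asks, as an added example that is not the asker's code and does not use the tymon/jwt-auth API: mint two kinds of token with the same secret and the same verifier. A user token carries the user's identifier in `sub` (as the `identifier` setting in jwt.php does), while a client token carries a client id for the public front-end plus a `scope` claim. Public endpoints accept either token; private endpoints require a user token. The front-end obtains the client token from the server (for example placed into the rendered index page) and sends it in an `Authorization: Bearer` header on every request, so no form submission is involved. The secret, client id and user id below are constructed placeholders. Note the limitation, which is the point Daniel's comments circle around: any token shipped to a browser can be read by whoever loads the page, so a client token only identifies a front-end for rate limiting and logging; it does not stop a determined third party from calling the API, and it must never be treated as proof of a user.

```php
<?php
// Added example, not from the question or from tymon/jwt-auth. Minimal HS256 JWT
// issuer/verifier that distinguishes user tokens from a public client token.
// JWT_SECRET and PUBLIC_CLIENT_ID are placeholders; the user id 42 is constructed.

const JWT_SECRET = 'replace-with-a-long-random-secret';  // placeholder
const PUBLIC_CLIENT_ID = 'web-frontend';                  // placeholder client id

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string {
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

// Sign an arbitrary claim set; iat/exp/jti are added so tokens expire and are unique.
function issueToken(array $claims, int $ttlSeconds): string {
    $header = ['typ' => 'JWT', 'alg' => 'HS256'];
    $now = time();
    $payload = $claims + ['iat' => $now, 'exp' => $now + $ttlSeconds, 'jti' => bin2hex(random_bytes(8))];
    $signingInput = b64url(json_encode($header)) . '.' . b64url(json_encode($payload));
    return $signingInput . '.' . b64url(hash_hmac('sha256', $signingInput, JWT_SECRET, true));
}

// User token: sub is the user's identifier, exactly what jwt.php's 'identifier' does.
function issueUserToken(int $userId): string {
    return issueToken(['sub' => $userId, 'typ' => 'user'], 3600);
}

// Client token: sub is a client id, not a user; scope limits it to public routes.
function issueClientToken(): string {
    return issueToken(['sub' => PUBLIC_CLIENT_ID, 'typ' => 'client', 'scope' => 'public'], 3600);
}

// Returns the verified claims, or null if the token is malformed, tampered or expired.
function verifyToken(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    // Pin the algorithm so a header of alg=none or a different alg is rejected.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') return null;
    $expected = hash_hmac('sha256', "$h.$p", JWT_SECRET, true);
    if (!hash_equals($expected, b64urlDecode($s))) return null;   // constant-time compare
    $payload = json_decode(b64urlDecode($p), true);
    if (!is_array($payload) || !isset($payload['sub']) || ($payload['exp'] ?? 0) < time()) return null;
    return $payload;
}

// Extract the token from an "Authorization: Bearer <token>" header value.
function bearerFromHeader(?string $authorization): ?string {
    if ($authorization !== null && preg_match('/^Bearer\s+(\S+)$/i', $authorization, $m)) {
        return $m[1];
    }
    return null;
}

// The middleware-style decision: what a request may do given its token and the route type.
function authorise(?string $authorization, bool $publicEndpoint): array {
    $token = bearerFromHeader($authorization);
    $claims = $token === null ? null : verifyToken($token);
    if ($claims === null) return ['status' => 401, 'error' => 'invalid_token'];
    if (($claims['typ'] ?? '') === 'user') return ['status' => 200, 'user_id' => $claims['sub']];
    if ($publicEndpoint && ($claims['typ'] ?? '') === 'client' && ($claims['scope'] ?? '') === 'public') {
        return ['status' => 200, 'client' => $claims['sub']];
    }
    return ['status' => 403, 'error' => 'user_token_required'];
}

// Demo with constructed inputs.
$userToken = issueUserToken(42);
$clientToken = issueClientToken();
$tampered = substr($clientToken, 0, -2) . 'AA';   // corrupted signature

var_dump(authorise("Bearer $clientToken", true));   // 200, client web-frontend
var_dump(authorise("Bearer $clientToken", false));  // 403, public token on a private route
var_dump(authorise("Bearer $userToken", false));    // 200, user 42
var_dump(authorise(null, true));                    // 401, no token at all
var_dump(authorise("Bearer $tampered", true));      // 401, signature mismatch
```

In a Laravel app the `authorise()` logic would live in two route middlewares (one for public routes, one for private routes) and `issueClientToken()` would be called by the controller that renders the index page; keeping the client token short-lived and rate limiting by its `sub` is what makes it useful, since the token itself is public.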
  • Couldn't you just create an account that could be used by everyone? i.e. use that account as a public way to access the api? – Daniel Nov 26 '15 at 21:34
  • I could - as for the second part of the question, how would the page automatically "log in", and what happens if they get logged out somehow? – Leon Nov 26 '15 at 21:56
  • Well you stated that you only needed certain parts of your API to be open - automatically use these details to get the requests from the API or am I missing something? – Daniel Nov 26 '15 at 21:58
  • How does Twitter do it!? You can view pages (via the API) and you can log in as a user and view more pages. There must be some authentication just to view a public page on your Twitter app, right? – Leon Nov 26 '15 at 21:58
  • I think I'm missing something! That's why I asked the question. How does one automatically submit a form each time the page is loaded? Is this the correct way to access a public API? – Leon Nov 26 '15 at 21:59
  • I suppose Twitter doesn't require authentication for some parts of their API. Add a noAuth flag or something then just allow them access rather than verifying? That won't allow you to generate a token though, which is what you want. – Daniel Nov 26 '15 at 22:21

0 Answers