
Together with @spawnia and @lorado we are creating some examples for Laravel Lighthouse and we have some different opinions on sanctum role-based security practices.

Can you please review my following statement and tell me if I am wrong about what the best way to move forward is.

My idea:

Now for the tricky part: once I create a login mutation, I need to verify that the user has the corresponding role and generate a token ability based on that check. Also, when the app goes offline or enters PWA mode, I need to revoke any tokens with:

create
delete
update

I couldn't find any solution to this problem in the docs, and it is a real-world necessity.
I can only leave the show and index abilities active.
What I am thinking:

Create a custom arg resolver for the mutation, somehow bring in the middleware, and generate a token based on roles.

Bad idea: To store the role within the token.

Thanks for any insight into this.

itwolfpower
From sanctum docs: "API tokens are hashed using SHA-256 hashing before being stored in your database". So no hashing except argon2 or bcrypt should be acceptable for database storage. Paseto looks like a winner because it allows for SPA and SSR auth in the same package. The problem is that there is no laravel package for it. – itwolfpower Jul 17 '20 at 10:25
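An added example (not code from the original question, Lighthouse, or Sanctum) of the approach sketched above: a login resolver that derives Sanctum token abilities from the user's role on the server side instead of storing the role in the token, plus a helper that revokes write-capable tokens when the app drops to offline/PWA mode. The `role` column, the role-to-ability map, and the class name are assumptions.

```php
<?php
// Added example. Assumes App\Models\User uses Laravel\Sanctum\HasApiTokens
// and has a hypothetical `role` column ('admin', 'editor', 'viewer').
namespace App\GraphQL\Mutations;

use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

final class Login
{
    /** Assumed role -> ability map; resolved server-side, never shipped inside the token. */
    private const ROLE_ABILITIES = [
        'admin'  => ['index', 'show', 'create', 'update', 'delete'],
        'editor' => ['index', 'show', 'create', 'update'],
        'viewer' => ['index', 'show'],
    ];

    private const WRITE_ABILITIES = ['create', 'update', 'delete'];

    /** Lighthouse resolver: schema `login(email: String!, password: String!): AuthPayload!` (assumed). */
    public function __invoke($_, array $args): array
    {
        $user = User::where('email', $args['email'])->first();
        if (! $user || ! Hash::check($args['password'], $user->password)) {
            throw ValidationException::withMessages(['email' => ['Invalid credentials.']]);
        }

        // Unknown roles fall back to read-only; the role itself is looked up, not trusted from input.
        $abilities = self::ROLE_ABILITIES[$user->role] ?? ['index', 'show'];

        // Sanctum persists only a SHA-256 hash of the random token; the abilities live in the
        // personal_access_tokens row, so the client cannot edit them.
        $token = $user->createToken('lighthouse-client', $abilities);

        return ['token' => $token->plainTextToken, 'abilities' => $abilities];
    }

    /** Offline/PWA mode: delete every token carrying a write ability, issue a read-only replacement. */
    public static function downgradeToReadOnly(User $user): string
    {
        $user->tokens()->get()
            ->filter(fn ($t) => array_intersect($t->abilities ?? [], self::WRITE_ABILITIES) !== [])
            ->each->delete();

        return $user->createToken('lighthouse-readonly', ['index', 'show'])->plainTextToken;
    }
}
```

On the resolver side, a mutation guarded by `$request->user()->tokenCan('create')` will then reject the read-only token, which is the behaviour the question asks for.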

1 Answer


Aren't those tokens cryptographically signed in order to be tamper-proof?

spawnia