
Auth safety

Open EnelKyss opened this issue 7 months ago • 7 comments

Hey, I think using token-based auth isn't the best practice for frontend. The safer option here is session-based auth. Would be great if you could add a possibility to choose between those two... Token-based auth is more for server-to-server communications.

EnelKyss, Apr 25 '25 15:04

Hi. This is a very reasonable idea. The ability to select authorization during installation would really make the project more versatile. I agree that in some scenarios, session-based authorization is safer than token-based.

At the moment, the choice in favor of Token-Based is due to the simplicity and speed of working with the API. For simple sites, this is a completely safe option, since the token is installed manually in the header via JS, which eliminates the possibility of CSRF attacks via <form> or <img>, and does not require additional protection via CSRF-TOKEN.

k2so-dev, Apr 26 '25 08:04

Yeah, of course CSRF is aight, but it is vulnerable to XSS.

EnelKyss, Apr 26 '25 10:04
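The trade-off in the two comments above, as an added example that is not code from the laravel-nuxt project: a small Node.js model of a session guard with a Laravel-style XSRF double-submit check next to a bearer-token guard, each run against a cross-site form-style request (cookies attached by the browser, no custom headers possible) and against a request issued by the application's own script. The cookie names `laravel_session` and `XSRF-TOKEN` follow Laravel's defaults; the guard functions, the token and cookie values, and the in-memory browser state are all constructed for this example.

```javascript
// Added example, not code from the laravel-nuxt project. Everything below is
// an in-memory model; no network or real browser is involved.

const SESSION_ID = "sess-abc123"; // constructed session id
const XSRF_TOKEN = "xsrf-7f3e";   // constructed CSRF token (value of the XSRF-TOKEN cookie)
const API_TOKEN = "tok-9d2c";     // constructed bearer token

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) out[name] = rest.join("=");
  }
  return out;
}

// Session guard: the laravel_session cookie identifies the user, and the
// X-XSRF-TOKEN header must echo the XSRF-TOKEN cookie (double-submit check).
function sessionGuard(req) {
  const cookies = parseCookies(req.headers.cookie || "");
  if (cookies.laravel_session !== SESSION_ID) return "rejected: no session";
  if (req.headers["x-xsrf-token"] !== cookies["XSRF-TOKEN"]) return "rejected: csrf token mismatch";
  return "accepted";
}

// Token guard: only the Authorization header is consulted. Cookies are
// ignored, so a request that carries nothing but ambient cookies has no credential.
function tokenGuard(req) {
  if (req.headers.authorization !== `Bearer ${API_TOKEN}`) return "rejected: missing or bad token";
  return "accepted";
}

// Constructed browser state after login under each scheme.
const sessionBrowser = {
  cookies: [
    { name: "laravel_session", value: SESSION_ID, httpOnly: true },
    { name: "XSRF-TOKEN", value: XSRF_TOKEN, httpOnly: false },
  ],
  localStorage: {},
};
const tokenBrowser = {
  cookies: [],
  localStorage: { token: API_TOKEN },
};

function cookieHeader(browser) {
  return browser.cookies.map((c) => `${c.name}=${c.value}`).join("; ");
}

// What script running on the page origin can read: document.cookie hides
// HttpOnly cookies, while localStorage is fully readable. This is the surface
// an XSS payload would see.
function readableByScript(browser) {
  const names = browser.cookies.filter((c) => !c.httpOnly).map((c) => c.name);
  return names.concat(Object.keys(browser.localStorage));
}

// A cross-site <form> or <img> request: the browser attaches cookies on its own,
// but the page that triggered it cannot add custom headers.
function crossSiteRequest(browser) {
  return { headers: { cookie: cookieHeader(browser) } };
}

// A request made by the application's own script: it sets the headers from
// whatever readableByScript exposes.
function appScriptRequest(browser) {
  const headers = { cookie: cookieHeader(browser) };
  const xsrf = browser.cookies.find((c) => c.name === "XSRF-TOKEN" && !c.httpOnly);
  if (xsrf) headers["x-xsrf-token"] = xsrf.value;
  if (browser.localStorage.token) headers.authorization = `Bearer ${browser.localStorage.token}`;
  return { headers };
}

// Outcome of every guard/request combination, plus what script can read.
function outcomes() {
  return {
    sessionCrossSite: sessionGuard(crossSiteRequest(sessionBrowser)),
    sessionAppScript: sessionGuard(appScriptRequest(sessionBrowser)),
    tokenCrossSite: tokenGuard(crossSiteRequest(tokenBrowser)),
    tokenAppScript: tokenGuard(appScriptRequest(tokenBrowser)),
    sessionScriptReadable: readableByScript(sessionBrowser),
    tokenScriptReadable: readableByScript(tokenBrowser),
  };
}

console.log(outcomes());
```

Both guards reject the cross-site request (the session guard because the XSRF header is absent, the token guard because there is no Authorization header), which is the CSRF point made in the thread. The difference shows up in `readableByScript`: under the session scheme only the non-secret XSRF-TOKEN cookie is visible to page script, while under the token scheme the bearer token itself is. Note that script running on the origin can still send authenticated requests in either scheme, so what the HttpOnly session cookie prevents is exfiltration of the credential, not misuse from within the compromised page; that is why an XSS fix is needed in both cases.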

OK, I’ll add this functionality in the next couple of weeks.

k2so-dev, Apr 26 '25 11:04

Is there any reason not to use https://nuxt.com/modules/nuxt-auth-sanctum?

mubaidr, May 06 '25 17:05

@mubaidr The module you suggested is very good for SPA mode; maybe I will integrate it in the future. But for now the reason is local proxying of API requests to Laravel, which is needed in SSR mode. Unfortunately, this module only supports an external API URL, as a result of which there are currently problems with reliably determining the client's IP address.

k2so-dev, May 07 '25 09:05

I am actually struggling to make it session-based auth, could you suggest what to change or where the issue might be? All POST requests are invalid even though I am sending the XSRF token and cookies...

EnelKyss, May 11 '25 16:05

There are a few things you can do:

  1. In the .env file, change AUTH_GUARD to web.
  2. Move the routes from routes/api.php to routes/web.php.
  3. In the bootstrap/app.php file, add to the parameters of the withRouting function:
         web: __DIR__.'/../routes/web.php',
  4. In the database, in the roles table, change the values of the guard_name field to web.

k2so-dev, May 11 '25 16:05

The issue now is that when trying to load the user's data using its session/cookies in SSR, it won't proceed, like the session was missing or something, I have no idea. But if I do the same request on the client side, it works... How to fix this?

Edit: I want to be able to fetch the user's data (maybe some other data as well) during SSR, as the response time in SSR is much faster than on the client side.

EnelKyss, May 18 '25 14:05